#authentik


Moved away from EMQX to #RabbitMQ 4.1.1 for my home lab, as they moved to a new licensing scheme and dropped features from the community version.

After a day of working on it, got #oauth2 into the cluster working, and #ldap backed #mqtt client logins.

Not as flashy as EMQX, but fitting my needs so far very well.

Really wanted unified account management and doing it all through #Authentik via oauth2 and its LDAP outpost is very cool. No more local mqtt accounts 😊

So, I think I'm almost ready for some open beta of the registration on my project. Yay me? Summary is as follows:

1. I want to run a federated discussion forum using #Mbin.
2. Because I will want to put other services as a part of the same project/domain, including but not limited to #mobilizon, and maybe even multi-user #writefreely, I need something to handle authentication and user access to all of them.
3. Initially I wanted to go with #Zitadel, but I realised that it has baked-in First and Last name required fields, and to be honest, I am absolutely not interested in this data, and even explicitly don't want to have to keep and process it; so I don't really want to make my users have to fill this out.
4. I stumbled upon #authentik, and while I appreciate the possibility of setting up complex auth flows and such without the need to touch raw code, it seemed a little bit daunting.
5. I found a set of really awesome tutorials by Cooptonian on YouTube, and I managed to solve not only setup, connecting the client apps, emails and password recovery, but I also got a way better grip on the inner workings of Authentik, and feel confident that if I need to do some minor tweaks to it, I will be able to.
6. I hope I will deploy the penultimate flow today, that is the signup/invitation flow, and I will be ready to invite a selected number of people for some tests of the project, so hang on tight!

If you got that far, thank you for reading. I will write more on that (and unveil a related thing!) in the upcoming days, so come back! You can also give this blog a follow at https://readme.makary.online, on your RSS reader at https://readme.makary.online/feed, or on your favourite Mastodon/Fediverse account at @makary@readme.makary.online. Be warned, though, that it was created with more technical posts in mind!


So I was messing with #drupal in the #homelab and I wanted to turn on #SSO with #authentik.

Somehow I didn’t find the official drupal OIDC module, I found this other one. I installed it, got it configured, and the first time I tried to login, it said “whoops, you have to purchase this module to use it.” Fine. I like supporting software, what does it cost?

$250/year!? To LOG IN? F that.

One of its key selling points is how easy it is to configure. If I was configuring it often, maybe I could see that. But OIDC and SAML are the kinds of things you set up once per lifetime. Make it as hard as you want (many apps do!); I only have to get through it once.

I mean $10? Even as much as maybe $50 I might have paid once. But I refuse to pay annually for the ability to login.
#selfhosted

Okay, authentik is up! Took a while, I was fighting against flux and the helm release because it deployed with the wrong StorageClass (I forgot to have that configuration ready before release). Helm wasn't able to modify the PVC because they're immutable, updating the release has to wait for the initial release to succeed (which it won't) or time out, and flux is quiet on the reasons for all of this unless you know where to look 😔 Lots of learning was had though!

Anyway, admin and personal user accounts created, MFA enabled. Got my first application integrated too! (actual budget)

What next? The world is my oyster... Probably gitea or semaphore. I'm hesitant to integrate services like jellyfin before I have more users onboarded, and this gives me an opportunity to experiment with other edge cases like other providers and service accounts and such.

I have now installed and tested Authentik for CoreUnit.NET. So far I am satisfied. Keycloak, dex and other IdPs made me dissatisfied in some steps. As a developer I just don't like the container image tagging; please use semver so I can pin major/minor versions.

Running #Authentik with `latest` tag was convenient for #homelab, but they're moving away from making it possible (edit: from having :latest tag available, nothing else changes). What are the alternatives? Is there maybe something like "#dependabot but for #kubernetes images"? (I'm currently running on #podman on nixos, but I'm considering finally playing with #k8s, and regardless, this should be able to make it so I have proper image on nixos as well, I think)

Has anyone managed to implement a password expiration policy in an #authentik flow?

There's little to no documentation available and I can't figure it out for the life of me 🙈

I'm looking at setting up a bunch of self hosted services to replace our (self, family, friends) dependence on corporate cloud stuff. Email (custom, since none of the Just Add Server offerings do everything I need for free), shared drive (likely nextcloud, ugh), docs (likely collabora), jitsi for video, discourse for group forums, and so on.

I'd like to make all of this SSO, to the extent that it reasonably can be.

I'm probably going to use FreeIPA as the identity source of truth, but I'm finding that there are enough new things I need to learn about centralized authentication that I'm having a hard time finding a starting point that doesn't require a bunch of other context. So I'm asking for help.

Does anyone know of a good guide to these sorts of concepts, preferably available online? I'm familiar with most of the other Linux sysadmin concepts and have plenty of hardware and bandwidth at my disposal.

If you don't have an answer but have followers who might, boosts would be appreciated.

For about 30 years I have #selfhosted my #email. Just family and friends on there. About 7-8 people. About 6 months ago I converted the #homelab to using #authentik for single sign on. For the first time in those 30 years, my users can change their own passwords and recover them if they lose them. 🤷‍♂️

Interestingly, the “I forgot my password” workflow is not built and turned on by default in authentik. It’s easy to add and the steps are clear, but you have to turn that on.

At La Contre-Voie, over the last two years, we have tested more than ten centralised authentication (#SSO) tools… Here are the conclusions of our research!
lacontrevoie.fr/blog/2024/comp

Next week, we will present our third and final article on the technical side of our association, with a spotlight on our "service farms" :)

La Contre-Voie · A comparison of eleven free SSO solutions (Technical, part 2: In search of the perfect SSO)

Do you want to run #Mastodon with (additional) #SSO too, while keeping your existing users?

I put something together from the documentation and various issues on GitHub. Here is a working configuration. I use it myself in combination with #authentik

crypt.storagemte.eu/code/#/2/c

Please note that your Mastodon account must use the same e-mail address as in your identity provider!

I guess I'll continue tomorrow, but this seems to be getting somewhere: generating a client to talk to #Authentik #API docs.goauthentik.io/developer- using #idem #idemproject straight from the #OpenAPI specification. At least in theory this should let me dump current configuration/state into a YAML file in one direction, and in another use that to manage #Authentik like I would do using say #TerraForm.

docs.goauthentik.io · API | authentik: Starting with 2021.3.5, every authentik instance has a built-in API browser, which can be accessed at https://authentik.company/api/v3/.