All PMA services can use Single Sign-On (SSO) via Authentik as the central Identity Provider (IdP). This document describes the architecture and configuration.
Authentik provides:
Different services support different SSO implementations:
| SSO Type | Services | Protocol | Redirect Path |
|---|---|---|---|
| grafana | Grafana | OAuth2 | /login/generic_oauth |
| flask-appbuilder | Superset, Airflow | OAuth2 | /oauth-authorized/authentik |
| php-oidc | EspoCRM | OIDC | /oauth-callback.php |
| wikijs | Wiki.js | OAuth2 | /login/oauth2/callback |
| mattermost | Mattermost | OAuth2 | /signup/gitlab/complete |
| rails | Redmine, OpenProject | OAuth2 | /oauth2callback |
| proxy | Apps without SSO | Proxy Auth | N/A |
| URL Type | Context | Example |
|---|---|---|
| authorize_url | Browser (PUBLIC) | http://192.168.1.100:9101/application/o/authorize/ |
| token_url | Server (INTERNAL) | http://asd-authentik:9000/application/o/token/ |
| userinfo_url | Server (INTERNAL) | http://asd-authentik:9000/application/o/userinfo/ |
| redirect_uri | Browser (PUBLIC) | http://192.168.1.100:3000/login/generic_oauth |
Rule: browser-facing URLs use the public IP/hostname, server-to-server URLs use the Docker hostname.
```bash
# Automatic SSO configuration
just sso-add grafana
# Preview without making changes
just sso-add grafana --dry-run
# Preflight checks
just sso-preflight grafana
# Verify SSO configuration
just sso-check grafana
# Test the OAuth flow
just sso-test grafana
# List all SSO-enabled services
just sso-list
# Remove SSO configuration
just sso-remove grafana
```
```bash
# Save before uninstall
just sso save grafana
# Restore after install
just sso restore grafana
# Check whether SSO is configured
just sso has grafana
```
```ini
# grafana.ini
[auth.generic_oauth]
enabled = true
name = Authentik
client_id = grafana-client-id
client_secret = grafana-client-secret
scopes = openid email profile
auth_url = http://192.168.1.100:9101/application/o/authorize/
token_url = http://asd-authentik:9000/application/o/token/
api_url = http://asd-authentik:9000/application/o/userinfo/
role_attribute_path = contains(groups[*], 'Admins') && 'Admin' || 'Viewer'
```
```bash
# .env
GF_AUTH_GENERIC_OAUTH_ENABLED=true
GF_AUTH_GENERIC_OAUTH_CLIENT_ID=xxx
GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET=xxx
```
| Problem | Cause | Solution |
|---|---|---|
| Redirect loop | Wrong URL type | Check public vs internal URLs |
| Token error | Network issue | Verify Docker network connectivity |
| User not found | Missing scopes | Add email profile scopes |
| Permission denied | Role mapping | Check group membership |
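The public/internal URL rule above and the first three rows of this troubleshooting table can be checked before the first login attempt. The script below is an added example of such a preflight check, not the project's own `just sso-preflight` implementation. It assumes the hosts from the URL table (192.168.1.100 as the public host, asd-authentik as the internal Docker hostname) and reads a grafana.ini-style `[auth.generic_oauth]` section; the sample configs and secret values inside it are constructed for the example. It generalises the redirect-path check to every SSO type in the first table, not only Grafana.

```python
import configparser
from urllib.parse import urlparse

# Host classification: constructed for this example from the URL table above.
PUBLIC_HOSTS = {"192.168.1.100"}
INTERNAL_HOSTS = {"asd-authentik"}

# Scopes the troubleshooting table requires to avoid "User not found".
REQUIRED_SCOPES = {"openid", "email", "profile"}

# Expected redirect path per SSO type, from the SSO type table on this page.
REDIRECT_PATHS = {
    "grafana": "/login/generic_oauth",
    "flask-appbuilder": "/oauth-authorized/authentik",
    "php-oidc": "/oauth-callback.php",
    "wikijs": "/login/oauth2/callback",
    "mattermost": "/signup/gitlab/complete",
    "rails": "/oauth2callback",
}

# grafana.ini keys the browser follows vs. keys the server calls itself.
BROWSER_KEYS = ("auth_url",)
SERVER_KEYS = ("token_url", "api_url")
PLACEHOLDER_SECRETS = {"", "xxx", "grafana-client-secret"}


def url_kind(url: str) -> str:
    """Classify a URL as public, internal or unknown by its host."""
    host = urlparse(url).hostname
    if host in PUBLIC_HOSTS:
        return "public"
    if host in INTERNAL_HOSTS:
        return "internal"
    return "unknown"


def preflight(ini_text: str, sso_type: str, redirect_uri: str) -> list[str]:
    """Return a list of findings; an empty list means the config passes."""
    cfg = configparser.ConfigParser(interpolation=None)  # '%' is not special here
    cfg.read_string(ini_text)
    if "auth.generic_oauth" not in cfg:
        return ["missing [auth.generic_oauth] section"]
    sec = cfg["auth.generic_oauth"]
    findings = []

    if sec.get("enabled", "false").lower() != "true":
        findings.append("enabled is not true")

    # Rule from the page: a browser URL on the internal host gives a redirect
    # loop; a server URL on the public host gives token errors.
    for key in BROWSER_KEYS:
        if url_kind(sec.get(key, "")) != "public":
            findings.append(f"{key} must use the public host (browser-facing)")
    for key in SERVER_KEYS:
        if url_kind(sec.get(key, "")) != "internal":
            findings.append(f"{key} must use the internal Docker hostname (server-to-server)")

    if url_kind(redirect_uri) != "public":
        findings.append("redirect_uri must use the public host (browser-facing)")
    expected_path = REDIRECT_PATHS.get(sso_type)
    if expected_path is None:
        findings.append(f"unknown SSO type {sso_type!r}")
    elif urlparse(redirect_uri).path != expected_path:
        findings.append(f"redirect_uri path should be {expected_path} for {sso_type}")

    missing = REQUIRED_SCOPES - set(sec.get("scopes", "").split())
    if missing:
        findings.append("missing scopes: " + " ".join(sorted(missing)))

    if sec.get("client_secret", "") in PLACEHOLDER_SECRETS:
        findings.append("client_secret is empty or a placeholder")
    return findings


# Constructed sample configs: one correct, one with the classic mistakes.
GOOD_INI = """
[auth.generic_oauth]
enabled = true
name = Authentik
client_id = grafana-client-id
client_secret = constructed-example-secret
scopes = openid email profile
auth_url = http://192.168.1.100:9101/application/o/authorize/
token_url = http://asd-authentik:9000/application/o/token/
api_url = http://asd-authentik:9000/application/o/userinfo/
role_attribute_path = contains(groups[*], 'Admins') && 'Admin' || 'Viewer'
"""

BAD_INI = """
[auth.generic_oauth]
enabled = true
client_id = grafana-client-id
client_secret = xxx
scopes = openid
auth_url = http://192.168.1.100:9101/application/o/authorize/
token_url = http://192.168.1.100:9101/application/o/token/
api_url = http://asd-authentik:9000/application/o/userinfo/
"""

if __name__ == "__main__":
    print("good:", preflight(GOOD_INI, "grafana", "http://192.168.1.100:3000/login/generic_oauth"))
    print("bad:", preflight(BAD_INI, "grafana", "http://asd-grafana:3000/login/generic_oauth"))
```

Run it as a script to see the findings for both sample configs; pointing it at a real grafana.ini only requires reading the file into `preflight` and passing the service's actual redirect URI.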
```bash
# Check Authentik logs
just logs authentik
# Test connectivity
docker exec asd-grafana curl -v http://asd-authentik:9000/
# Verify token endpoint
curl -X POST http://localhost:9101/application/o/token/ \
  -d "client_id=xxx&client_secret=xxx&grant_type=client_credentials"
```