Authentik - Application(s) Setup 

Glad you like them!

Thanks, I appreciate it. I pinged their technical writer to see if they maybe have plans to do the same or similar for their Flows and Stages... ...not sure if it is in development, however, if Authentik eventually creates a similar wizard to the flows and stages...that would also make it more streamlined/easier Example: Flow Creation Wizard > enter your info and type of flow you want > click next > asks you to choose a stage to setup for that flow > setup your stage > click next and it binds your stage to the flow created (policies can be customized later outside the wizard/or in the wizard (not sure which make more sense). Maybe the wizard is used to create a functional base first...then policies, if needed, later.

You're welcome!

Hi, yes, authentik's container port is 9000 and 9443...I mention in the video that it is my custom port... If you have conflicting port numbers, either authentik's ports will need to change or whatever application's ports has those same port numbers.

Thank you! I think Authentik and Cloudflare proxy _should_ be safe enough. It's nice that Cloudflare offers so many security features where you have bot fight and country blocking...etc. Also, Authentik has IP reputation to stop or at least slow down any brute force login attempts. You can incorporate fail2ban also if you'd like for added security. I do, and have it set up with Cloudflare API/Token where blocked IPs are automatically added as ban rules at the DNS level at Cloudflare...

Do you have any video about it ? Would be another mandatory thing for me to watch :)@@cooptonian

No I don't...maybe, maybe I'll make one about it tonight...

...actually, here you go, this is the video I followed by @DBTech along with his documentation on his site. ru-vid.com/video/%D0%B2%D0%B8%D0%B4%D0%B5%D0%BE-Ha8NIAOsNvo.htmlsi=-QBh4rcsK15HZy2I

...I don't run Homepage, however, I just spun it up from its docker compose file, verified I can access it directly with IP:Port. Then I proceeded to add a proxy host to my reverse proxy manager (NPM) for homepage , as well as added a CNAME to my DNS records and verified I can access it with the the DNS URL address. Next, I created an application and used transparent proxy in authentik with external host address as the DNS URL address and internal address pointing to the IP:Port of Homepage and 'Internal host SSL Validation' disabled. Next, I added Homepage to my embedded Outpost list of applications. I went back to NPM and changed the proxy host from Homepage's IP:Port to my authentik's embedded Outpost. Homepage loads fine after authenticating...no 500 Internal Error. Next, I tested it with forward auth (single application) by going to the recently created Homepage provider in authentik and editing it. I changed from transparent proxy to forward auth (single application), clicked update. Then, clicked on the provider itself and clicked on my reverse proxy tab (NPM) to copy the snippet of code. Went to NPM to edit the proxy host for Homepage by changing the IP address and port back to Homepage's then clickiing on the advanced tab and pasting the snippet of code I just copied. I adjusted the proxy_pass in the code to point to my embedded outpost and saved. Tested loading in a different browser/incognito and again Homepage loaded after authenticating with authentik... So I didn't have any 500 Internal Error issues...

...it's in their Beta/Dev branch but I was told their next stable release will have this goauthentik.io/docs/installation/beta

@@cooptonian Ahh, that makes sense

Yes, it is possible. I just tested it with an app that has basic auth (pop-up) -as well as an app that has no authentication at all but my reverse proxy provides its http basic auth and both work- [I used forward auth (single-application)]... Just remember to either put the username and password as attributes of the user OR a group that the user is a member of and also put those attributes in the http authentication section of your provider.

...try this video: ru-vid.com/video/%D0%B2%D0%B8%D0%B4%D0%B5%D0%BE-S-CIGno0cdw.html

...are you in the discord? If not, I mentioned that the later versions of authentik changed the code for nginx reverse proxy manager where your app will go immediately offline if not setup prior to the update. The workaround that I have found is to copy the snippet of code from an older version of authentik OR if you already have an app up and running, copy that code from NPM and just adjust your proxy_pass as needed for whatever app you're trying to set up...

...a login if you sign up and do the cloud thing for all those extra features... I am self-hosting and just need the most basic monitoring, so I have basic auth through my reverse proxy and this is what I pass in authentik...

...did you choose client type confidential as well as choose a signing key certificate? Either one you you've created or one of the built-in self-signed ones?

@@cooptonian Yea, that was the first thing I thought of. Tried my wildcard cert that I normally use along with the authentic self signed cert. Gonna walk through it again this morning with some fresh eyes.

@@cooptonian Well came into work this morning, brought up a fresh machine and boom - it worked. I suppose tired eyes and browser cache / DNS cache maybe was my downfall last night. But it works now. Thanks for the video , keep them coming, you are probably the best source for decoding the vague authentik docs 😉

Thanks! And yeah, that has happened to me before, that is why in all my videos I mention opening up an incognito window/tab to avoid any cached/historied results...

...double checked you are doing this for the respective provider? Not sure if it will help, but also maybe try escaping the '/' with '\/'...IF not that, just try adding $ to the end of each of those lines, for example: ^/identity/.*$