This video is very similar to my MFA bypass video...just this time, bypassing the password on the local network. If you haven't seen my MFA bypass video, I recommend you see that first here: • Authentik - Bypass MFA...
Maybe I missed this... But how do you prevent users from accessing accounts that do not belong to them? Is there a policy that you created that maps specific local IP to specific user? I checked the second linked video and it shows only a client-network-bypass which just checks if there is a private IP.
The short answer is, to protect accounts, don't use any bypass. Have each user authenticate. The longer answer is to modify the expression policy to set local network IP address for each user; assuming they have a static IP address and don't use other devices...or if they do, have an expression that allows a block of IP addresses that belongs only to that user. You would have to create a policy like this for each user you want to do this for.
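A stand-alone sketch of the per-user expression policy that reply describes, added here as an example and not code from the video or from authentik itself. The usernames, address blocks and the helper name are constructed; `ak_client_ip` and `request.context["pending_user"]` are the authentik-provided names the policy would read from, so they appear only in the commented policy body at the end.

```python
"""Per-user LAN check for a password-stage expression policy (constructed example).

Semantics assumed: the policy is bound to the password stage, so returning True
means "run the password stage" and returning False means "skip it". The helper
therefore fails closed: anything unexpected yields True and the password is asked.
"""
from ipaddress import ip_address, ip_network

# Constructed mapping: a user may skip the password only from their own static
# address or small block. A user who is not listed is always prompted.
USER_NETWORKS = {
    "alice": ["192.168.1.10/32"],
    "bob": ["192.168.1.64/27"],
}


def require_password(pending_username, client_ip, allowlist=USER_NETWORKS):
    """Return False only when client_ip lies inside a block tied to this user.

    Unknown user, missing or unparsable IP, loopback (usually a proxy that is
    not forwarding the real client address) or a public address all return
    True, which keeps the password stage in the flow.
    """
    if not pending_username or not client_ip:
        return True
    try:
        addr = ip_address(client_ip)
    except ValueError:
        return True
    if addr.is_loopback or not addr.is_private:
        return True
    for net in allowlist.get(pending_username, ()):
        if addr in ip_network(net, strict=False):
            return False
    return True


# Policy body as it would look inside authentik; left commented out because
# request and ak_client_ip only exist in that environment:
# user = request.context.get("pending_user")
# return require_password(user.username if user else None, str(ak_client_ip))
```

Binding this policy per user (as the reply notes) means each user's block must be kept in sync with DHCP reservations; a stale entry simply falls back to prompting for the password.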
@@cooptonian Thank you for the validation! BTW... Great videos... I've watched them all several times... I have been practicing building several authentik instances. I'm attempting to create a multi-tenant (3 domains). I am still working on understanding the flows and stages...
Quite an interesting video. Oh dear, it's all very cumbersome in Authentik, albeit very flexible / customizable. When I imagine that I have to make these settings again every time I reinstall, I dread it. An integrated backup/export function would be very useful.
@@cooptonian Have you ever tried to get Nextcloud (AIO) and the NPM to work together? I've read about several problems in the Authentik documentation and can't find very much support online. Perhaps this would be an interesting new video project in connection with authentik. Especially the Nextcloud AIO version, as it comes with its own NGINX Proxy Manager configuration.
Thank you so much for making this video. I assume there's no way to bypass everything (including the username) on LAN, correct? If not, this is still much faster than typing in the password (or using MFA locally as you explained previously). Thanks again!!
I can't say for sure, but I think the username is the bare minimum to determine who is signing in, what session, permissions, etc... are tied to that user for access... _IF_ there was a way, I'd imagine it to be done with a combination of expression/event policies that detect a static IP tied to a user when navigating to authentik and if those match to log into that specific user's account...however, I don't think the IP is detected until a login attempt is made.
Hey, I love your Authentik videos! They really helped me to get into it. Mind creating a video about "bypassing" auth on proxy providers with Token-Auth? For accessing websites from the command line or tools like Postman etc. If I understand the documentation correctly this should be possible with JWT or Bearer-Auth tokens, but for now I'm unsure how to set this up correctly. Have a nice day!
Is there a way to make your "session" last longer? As in, after logging in to a service with authentik, it stays logged in for a week (instead of what seems like...a day)?