Authentik - Enrollment | Invitation Flow Setup 

Cooptonian
17K views

Published: 8 Sep 2024

Comments: 89
@joegi3553 · 1 year ago
Amazing video! This helped clear up a crucial part I was missing! For blocking enrollment, I dug in a little deeper and found that you can actually just create/bind an expression policy and set the priority to 0 (highest). So, in the default-source-enrollment Flow, click the "Policies / Groups / User Bindings" tab -> Click Create & bind Policy -> Select Expression Policy -> Name it whatever you want -> In expression, input: ak_message("Access Denied") return False. The string "Access Denied" can be whatever you want. That's what will show when someone attempts to login/create an account. I use OAuth, so for me, I don't want anyone just willy-nilly signing up and having accounts created! EDIT: Also, make sure other bound policies in that tab are disabled! Still learning the evaluation of "ANY" with policies, but it's a safe way to keep any other policies there around, but not active.
@cooptonian · 1 year ago
Thanks! And yeah, figured something like that later...but great detailed info in your comment for anyone else to follow.
@rguifa · 1 year ago
How do you disable other bound policies? Policies or stages?
@cooptonian · 1 year ago
...just go to edit binding for whatever policy and flip the enabled switch
@rguifa · 1 year ago
@cooptonian The version I have does not show an enable button.
@bcnom · 1 year ago
I have nothing to say except that you are a lifesaver and I am so glad someone shared your video on reddit. Cheers and thanks for making these videos for us. :)
@cooptonian · 1 year ago
You're welcome!
@origamitobiichi1671 · 11 months ago
I am so excited to find this amazing video in the endless sea of the Internet! Thank you bro, you have saved my day!
@cooptonian · 11 months ago
Glad I could help!
@philsjeff · 2 years ago
I do love you! I just want you to know that. Your videos are the best Authentik videos out there - For Sure! Keep 'em coming, please! Thanks a ton!
@cooptonian · 2 years ago
Ha ha, thanks! I appreciate you appreciating them.
@luisliz · 5 months ago
That joke at the beginning was underrated. Laughed when I understood.
@Pariah902 · 1 year ago
Love your Authentik Videos, great stuff, Thanks a lot
@cooptonian · 1 year ago
Glad you like them!
@BoKKeR111 · 9 months ago
Second video from you on authentik that I've watched; both have really helped me set this up. I work with oauth2 but still struggle at home with authentik :/
@cooptonian · 9 months ago
Glad you have found them useful!
@v-for-victory · 1 year ago
This is so great. Thanks a lot for your work here
@cooptonian · 1 year ago
Thanks!
@SaladCesar2052 · 11 months ago
Thank you so much for your work! I would never be able to get my Authentik setup up and running without you, you truly helped me to get on board with it. Authentik will be the key component of my media server. I can't say how much this content is important to me. Your tutorial works perfectly. But I think there is a small flaw: when someone creates his account, it is created as an inactive user. Then if the person doesn't validate his account by email, the email token disappears but the inactive user stays in the database. So this username / email combo is now completely blocked for the end user. If he tries to log in, he can't because the user is disabled. If he tries to re-create his account, he can't because it already exists. That would force him to use another email and username and I would like to avoid this frustration. I guess the easiest way would be to auto-delete inactive accounts 30 mins after creation (to match the email token expiry). Do you know how I could achieve that? Or maybe there is another way around. Anyway have a great day and thank you so much for your work!
@cooptonian · 11 months ago
The email token/inactive user is good to prevent random sign-ups if you had open enrollment, however, since you are sending invites you can modify the flow to create active users if you'd like, which doesn't require email verification. The user would just get an email to the invitation enrollment page; as soon as they finish entering their info, the user write creates an active account. Or if still wanting to use email but the token timing out is the issue, you can always increase that duration also.
@SaladCesar2052 · 11 months ago
@cooptonian Thanks a lot for your answer. I am not using invites, I do have open enrollment. What I am planning to do later is that users by default will be in a group where they don't have access to any of my applications. I will set a notification when new users are created and I will manually approve them by placing them in the group with access. But I will try to do that later. For now with my enrollment, I will keep email verification necessary as I will need that email valid to notify my users from my services. Increasing the timing for the email token is an idea, but I don't want it to last for days and in the end it is still the same issue. If this user has missed the email or is not receiving it and wants to try again, his username is permanently locked until I manually delete the account myself. I see 2 ways out of this: either the inactive accounts are automatically deleted after a short period, or when accounts are created they are marked as active but are put in an "email not yet validated" group, where they can login but login redirects them to the page where they need to validate their email. So they can't do anything until their email is validated. I think the 1st way is the simplest, but I guess both would work. I don't see how to do this though.
@cooptonian · 11 months ago
...in my mind, visually I can see creating an expression policy for your 2nd suggested solution. The 1st solution seems like it would fit in with 1 of the many tasks (if you look in the System Tasks menu under Dashboard) but those are hardcoded into authentik...I wish there was a create task button there. But I agree the 1st solution would be the best, logically.
@SaladCesar2052 · 11 months ago
@cooptonian I see, thanks a lot for your answer, it really helps a lot. I'm a beginner with expression policies. If I understood correctly, what I should do is:
1. Bind a policy to my user login stage that will login if in the "email validated" group or redirect to the email validation flow if in the "email not yet validated" group. I'm not sure if I should do a new flow for email validation only or if there is a way to redirect to the enrollment flow. What I am thinking of is a duplicate of my enrollment flow, which allows them to change their email if they made a mistake, but locks the username to avoid duplicate accounts. I think I can sort that out myself.
2. Create users as active right away before email validation, but in the "email not yet validated" group.
3. Have the email validation move them to the right group instead of activating the account when completed. That is the part that I don't know how to do.
@cooptonian · 11 months ago
Sounds like a good start...I was thinking more along the lines of: user enters their name, email, and password for enrollment (inactive), write that to authentik and end the flow there (this way there isn't a token timer running down). At next login, the expression checks if the user logging in is active via expression policy...if so, continue with login, if not prompt for the email stage to confirm email (maybe follow the email stage with a prompt stage warning the user that they have a certain amount of time to confirm). This, however, again doesn't solve the issue if the user decides to ignore the warning and the token still times out.
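The clean-up both commenters are circling (removing an inactive account once its confirmation window has lapsed, so the username and email are free again) is not one of the hardcoded system tasks, but it can be scripted against the REST API and run from cron. The script below is an added example, not from the video, any commenter, or authentik's own code: it selects inactive users that have never logged in and were created longer ago than the email token lifetime, and deletes them. Endpoint paths and user field names (pk, username, is_active, last_login, date_joined) follow authentik's `/api/v3/core/users/` schema as this example's author knows it; confirm them against `/api/v3/schema/` on your version. The sample user records are constructed.

```python
# Added example (not from the video or its comments, and not authentik's own
# code): purge inactive accounts whose email-confirmation window has lapsed so
# the username/email pair can be used again. Talks to the authentik REST API
# with a bearer token. Paths and user field names (pk, username, is_active,
# last_login, date_joined) follow the /api/v3/core/users/ schema; confirm them
# against /api/v3/schema/ on the version you run. SAMPLE_USERS is constructed.
import json
import os
import sys
import urllib.parse
import urllib.request
from datetime import datetime, timedelta, timezone


def parse_ts(value):
    """Parse an API timestamp (ISO-8601 with a 'Z' suffix) into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def select_stale_inactive(users, now, max_age):
    """Return the users that are safe to purge. All three must hold:
    is_active is False (created inactive, never confirmed); last_login is null
    (an admin-deactivated account that once logged in is intentionally
    disabled, not abandoned, and must be left alone); date_joined is older
    than max_age (the confirmation window has passed)."""
    stale = []
    for u in users:
        if u.get("is_active") or u.get("last_login") is not None:
            continue
        if now - parse_ts(u["date_joined"]) > max_age:
            stale.append(u)
    return stale


def api_request(base_url, token, path, method="GET"):
    """Minimal JSON call against the authentik API using a bearer token."""
    req = urllib.request.Request(base_url.rstrip("/") + path, method=method)
    req.add_header("Authorization", f"Bearer {token}")
    req.add_header("Accept", "application/json")
    with urllib.request.urlopen(req, timeout=30) as resp:
        body = resp.read()
        return json.loads(body) if body else None


def fetch_inactive_users(base_url, token):
    """Page through /api/v3/core/users/?is_active=false (pagination.next is 0 at the end)."""
    users, page = [], 1
    while page:
        query = urllib.parse.urlencode({"is_active": "false", "page": page, "page_size": 100})
        data = api_request(base_url, token, f"/api/v3/core/users/?{query}")
        users.extend(data["results"])
        page = data["pagination"]["next"]
    return users


def purge_stale_inactive(base_url, token, max_age, dry_run=True):
    """List (default) or delete stale inactive users; returns their usernames."""
    now = datetime.now(timezone.utc)
    stale = select_stale_inactive(fetch_inactive_users(base_url, token), now, max_age)
    for u in stale:
        print("would delete" if dry_run else "deleting", u["username"], u["date_joined"])
        if not dry_run:
            api_request(base_url, token, f"/api/v3/core/users/{u['pk']}/", method="DELETE")
    return [u["username"] for u in stale]


# Constructed records shaped like /api/v3/core/users/ results, frozen at SAMPLE_NOW.
SAMPLE_NOW = datetime(2024, 9, 8, 12, 0, tzinfo=timezone.utc)
SAMPLE_USERS = [
    {"pk": 11, "username": "fresh-signup", "is_active": False, "last_login": None,
     "date_joined": "2024-09-08T11:50:00.000000Z"},    # 10 min old: still in window
    {"pk": 12, "username": "abandoned-signup", "is_active": False, "last_login": None,
     "date_joined": "2024-09-07T09:00:00.000000Z"},    # a day old: purge
    {"pk": 13, "username": "suspended-staff", "is_active": False,
     "last_login": "2024-06-01T08:00:00.000000Z",
     "date_joined": "2023-01-15T08:00:00.000000Z"},    # admin-disabled: keep
    {"pk": 14, "username": "active-user", "is_active": True, "last_login": None,
     "date_joined": "2023-01-15T08:00:00.000000Z"},    # active: keep
]


def demo_stale_usernames(max_age_minutes=30):
    """Run the selection offline on the constructed records; returns usernames."""
    stale = select_stale_inactive(SAMPLE_USERS, SAMPLE_NOW, timedelta(minutes=max_age_minutes))
    return [u["username"] for u in stale]


if __name__ == "__main__":
    url, token = os.environ.get("AUTHENTIK_URL"), os.environ.get("AUTHENTIK_TOKEN")
    if url and token:
        # Dry run unless --delete is given; the window should match the email stage's token expiry.
        purge_stale_inactive(url, token, timedelta(minutes=30), dry_run="--delete" not in sys.argv)
    else:
        print("offline demo, stale:", demo_stale_usernames())
```

Run it as the default dry run first and compare the printed list with the admin UI before passing `--delete`. The never-logged-in test is deliberate: an account an administrator deactivated after use is also `is_active: false` and must not be swept up. Use a token from a dedicated service account holding only the user view and delete permissions, and keep the 30-minute window aligned with the email stage's token validity.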
@andrewkyllo3170 · 3 months ago
What a fantastic guide for people new to configuring this technology like myself. Do you have any plans in the future to make a video about enrollment with OAuth by chance?
@yulaizhou303 · 4 months ago
Bro, you are the true hero. May I ask whether you can make a video to explain how to add SMS? I was tortured by this for a week.
@shrinidhi · 7 months ago
Awesome video, thank you so much! Subscribed!
@ChadE1020 · 1 year ago
thank you sooo much for the help on this!
@cooptonian · 1 year ago
You're so welcome!
@leoprisionero · 1 year ago
hahah good joke at the beginning mate! thanks for the vids, they helped me a lot. Greetings from Colombia
@cooptonian · 1 year ago
Glad you found them helpful!
@second2falcon153 · 1 year ago
Love the videos since one of your videos actually helped me get authentik somewhat working in the first place. Sadly neither the recovery email flow, nor the enrollment flow seem to be working. I am unsure if it's a config issue. You mentioned needing to reference the mail config from the .env in the docker compose, yet I haven't found any info about doing that. That might be my problem, but I can't find any info on it. Edit: Did it again today and for some reason it now works.
@cooptonian · 1 year ago
Great to hear!
@RRR-vh8ni · 7 months ago
Thanks @Cooptonian for the step by step guide for Authentik novices. I had a question about the enrollment flow. Is there a way to control self enrollment, i.e. enable it but control it either by requiring admin consent before the account becomes active or limiting it by email domain?
@cooptonian · 7 months ago
Yes, you should be able to do this with policies...
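Two ways of controlling self-enrollment with policies come up in this thread: the deny-all expression policy in the first comment, and the email-domain restriction asked about here. The block below is an added example (not from the video, any commenter, or authentik's own code) of the second: an expression policy that passes only when the submitted address belongs to an allowlisted domain. Only the body of `enrollment_domain_policy` is pasted into the policy; `request` and `ak_message` are supplied by authentik there, and the `_Request`, local `ak_message` and `run_policy` scaffolding exists only so the logic can be run offline. It assumes the policy is bound to the enrollment prompt stage, where the submitted fields are available as `request.context["prompt_data"]`, and that the email prompt's field key is `email`.

```python
# Added example (not from the video or its comments, and not authentik's own
# code): an expression policy limiting self-enrollment to an allowlist of
# email domains. Inside authentik only the body of enrollment_domain_policy is
# pasted into the policy; `request` and `ak_message` are provided by authentik.
# _Request, the local ak_message() and run_policy() are constructed here so
# the logic can be exercised offline; they are not part of authentik.
#
# Assumptions (check against your authentik version):
#   - the policy is bound to the enrollment *prompt* stage, so the submitted
#     fields sit in request.context["prompt_data"];
#   - the email prompt's field key is "email".

messages = []  # records what ak_message() would show the user, offline only


def ak_message(text):
    """Stand-in for authentik's ak_message(): capture the text shown to the user."""
    messages.append(text)


def enrollment_domain_policy(request):
    # --- begin: body to paste into the expression policy ---
    ALLOWED_DOMAINS = {"example.com", "example.org"}  # constructed allowlist
    prompt_data = request.context.get("prompt_data", {})
    email = (prompt_data.get("email") or "").strip().lower()
    # rpartition keeps the part after the LAST "@"; an empty separator means no
    # "@" at all, so a blank or malformed address is rejected rather than
    # silently matched against an empty domain.
    local, sep, domain = email.rpartition("@")
    if not sep or not local or not domain:
        ak_message("Please enter a valid email address")
        return False
    if domain not in ALLOWED_DOMAINS:
        ak_message("Enrollment is limited to approved email domains")
        return False
    return True
    # --- end: body to paste into the expression policy ---


class _Request:
    """Minimal stand-in for the request object authentik hands to a policy."""

    def __init__(self, context):
        self.context = context


def run_policy(email):
    """Evaluate the policy offline for one submitted address; returns (passed, message)."""
    messages.clear()
    passed = enrollment_domain_policy(_Request({"prompt_data": {"email": email}}))
    return passed, (messages[0] if messages else None)


if __name__ == "__main__":
    for addr in ["alice@example.com", "Carol@EXAMPLE.ORG", "bob@evil.test", "not-an-email", ""]:
        print(repr(addr), "->", run_policy(addr))
```

Bind it to the prompt stage rather than to the flow: a flow-level binding is evaluated when the flow is planned, before anything has been typed, so `prompt_data` is empty and every visitor is denied. An allowlist only constrains what is typed; keep "Create users as inactive" together with the email stage so the address is actually confirmed before the account goes live.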
@pedrofontes6482 · 4 months ago
Great video! But is there a way, in the write stage, to have the user join more than one group?
@andrep3950 · 10 months ago
Thanks, your videos are a great help. I don't think you should check the 'continue flow' option within the invitation stage, otherwise the same link will never expire. I just tested it with the 2023-10 release.
@cooptonian · 10 months ago
Thanks, good to know...and I'll have to test that myself.
@user-ey4im9nw6z · 6 months ago
Amazing video! Thank you for the precious information! I'd be lost without you :) I have one question if you may: In my web app, a user is created and their password is set when they submit a form using the Authentik API. Everything seems to work, but the problem is I don't know how to send them a confirmation email since I'm not following any standard enrollment flows. Any ideas? Thank you in advance
@cooptonian · 6 months ago
...you can probably create an event policy for when a user is created, send an email
@LeonRohr-xc4re · 3 months ago
Hey great vids! Unfortunately I'm getting "Request has been denied" (Unknown error) when using the invitation method. Link is valid and I've followed every step in the video. Even multiple times.
@cooptonian · 3 months ago
...if you tried and followed every step exactly, maybe you have a caching issue. Test in either incognito mode, another browser, or from different device and/or network.
@DJFlyteUK · 1 year ago
Thanks, this is helpful, but it would be more helpful if you explained a bit about WHY you do all these things to set up the invitation flow. I don't currently understand what each of the individual components are for, or how they work in conjunction with one another. I'm struggling to find any material to help me understand these flows/stages/policies properly.
@cooptonian · 1 year ago
...yeah it was tough for me in the beginning as well with not much help. It's the reason I made these videos to maybe help others on the basic level... A quick summary from what I understand is the FLOW is the overall event you want to happen, the STAGES make up the flow (so these would be steps), and the policies modify the behavior of the stages to meet your particular needs (these are still tough for me as you need to write expressions with the correct syntax).
@kurban_s · 1 year ago
Definitely agree with this comment. These videos are great but as I’ve only started using Authentik yesterday the whole Flow/Stages thing is still pretty confusing. For example, in the previous video you created a new flow, then modified the login flow in a way that didn’t seem to reference the reset password flow, and yet it still showed up on the page. I’m still trying to wrap my head around how that happened 😅 Really do appreciate the videos though, and would be amazing if you just did a “Here’s an Intro to Authentik video where I explain what these things are and how these flows/stages interact and how modifying them makes things show up on the page” kind of thing.
@edungdivinefavour6977 · 2 months ago
I am using the API to create the users myself, however, I want to generate a link they can click on to verify their email. How can I do this?
@Fluxzone90 · 1 year ago
Is there a third option whereby I can have a user enrol with the first flow, but then I get the option to approve or deny the enrollment?
@cooptonian · 1 year ago
...I guess you can drop the email stage, their accounts would then be created but not active until you manually go in and activate the account. Just set up a new notification rule to be notified by email...unless you just check routinely.
@MilindPatel63 · 1 year ago
Videos are definitely "Authentik" 😂
@SAS-Watcher · 2 years ago
Question: what about if you want to leverage external authentication engines like Discord/Google/Apple, but you want the user to have to be validated/approved prior to entry? Email the admin to approve?
@cooptonian · 2 years ago
...I'm not well versed in Python, but you would probably just create a new Prompt of email type and change the placeholder to be an expression that pulls/sets the email address to be that of the admin's...once the user clicks to continue, the email would then be sent to the admin. (An HTML template could also be created and copied to the Authentik host/container tailored to this request for approval vs using the built-in account confirmation template.) Anyways, may need to ask this question in the Discord for specifics...
@ibra_ivan · 7 months ago
Thank you for this video. I have followed your advice, but my enrolment flow gets "Request has been denied" (Unknown error). There is nothing in the Events > Logs. Nothing of note in docker logs. Authentik test mail can be sent from docker compose. Can't seem to put my finger on what is the issue. Using 2023.10 version.
@cooptonian · 7 months ago
...maybe your token expired? Or do you have a policy that is failing?
@bballer11241 · 2 years ago
This is awesome. Thanks a lot for this man! Do you know a way to only allow certain users to see certain applications?
@cooptonian · 2 years ago
Thanks! For certain users to see only certain apps you would have to go into each app and bind a policy, group, or user. For instance if you bind all apps to the Admin group, none of your users in the users group will see apps (because default with no policies, everyone can see all apps). Another example is you can put all the apps shared/common to all users under a group named 'common' then simply add users to that group to give them access...anyone not added will not have access. If you want to be even more granular, you can make each app its own group, then you'd have to add each user to each app group you want them to have access to. There are so many combinations you can do here.
@bballer11241 · 2 years ago
@cooptonian Awesome. Thanks for these man, you've been saving me a lot of headache. Keep it up!
@cooptonian · 2 years ago
...well, no one likes headaches! LOL...you're welcome
@robhedrick9162 · 2 years ago
This is exactly what I was looking for, thanks! Question: how might I require a user to select a 2FA method during enrollment?
@cooptonian · 2 years ago
You're welcome...I am actually working on a video for that now which may include a bonus of using Duo (which isn't straightforward).
@cooptonian · 2 years ago
...here you go: ru-vid.com/video/%D0%B2%D0%B8%D0%B4%D0%B5%D0%BE-whSBD8YbVlc.html
@rguifa · 1 year ago
Everything went smoothly. Just one thing has me thinking. With the invitation link, I fill out the form and submit it, but it logs me in right away. In the video, the user is prompted to log in. My flow does have a User Login Stage at the bottom with the name default-source-enrollment-login.
@cooptonian · 1 year ago
...you can have the write stage as your last stage. With it not having a next stage it will kick you back to the login page. Or if you want it more elegantly done, after your write stage create/add a prompt stage of type 'static' as your last stage letting the newly enrolled user know that the process is complete or finished (this will leave a 'continue' button to be clicked on). The enrolled person clicks continue and it will bring up the login page...
@rguifa · 1 year ago
@cooptonian Thank you, I will try it tomorrow.
@ItsDevOps · 1 year ago
The one thing that authentik is better with is the registration process - authelia's process is too manual.
@cooptonian · 1 year ago
agreed!
@WendelToews · 1 year ago
Your video is definitely a lifesaver. Thank you very much. One question: I have Google set up as an authentication provider, but after following your steps the new Google users are set to inactive. Is there a way to have the Google-authenticated users not set to inactive?
@cooptonian · 1 year ago
...in your flow just change the setting for "Create users as inactive" to off in your write stage
@WendelToews · 1 year ago
@cooptonian That would work but would not require users to validate their email addresses. Is there a way to require new email login accounts to validate their emails but also allow Google OAuth users to be active? Do you do consulting work?
@cooptonian · 1 year ago
I'm sure there is a method using expression policies... I'm not proficient in that (yet) so may need to ask in the discord...and have not really thought of doing consulting work, however, someone else in the discord requested I do a gig for them even if it is just what I do know to give them a leg up on whatever process they are working on... **now that I think of it...you can essentially leave them as inactive and add an email confirmation stage...this would send an email to the user registering...clicking the link in the email would make the account active. So if they enter the wrong/false email, the account would never be activated.
@WendelToews · 1 year ago
@cooptonian I was able to find a solution to this. I noticed that the Google authentication was still using the "default-source-enrollment" flow, so I created a stage called "google-source-enrollment-write" with the same settings as the "default-source-enrollment-write" stage except for the "Create users as inactive" setting. I then used that one in the "default-source-enrollment" flow instead of "default-source-enrollment-write".
@cooptonian · 1 year ago
@WendelToews Ha! OK that is essentially how I make any of my flows...leave the default (use them as a template) and create other flows based on them, changing the name default to something more relevant (ie: invitation-, test-, enrollment-). That is how I set up the invitation flow in the gig I'm working on currently...
@war3zlod3r · 1 year ago
I had this working but now after attempting to sign up I just get a spinning wheel and it never sends the email, verified I still have the correct settings in my .env
@cooptonian · 1 year ago
...check for errors in your event logs as well as docker logs to narrow your issue... Also check that all related authentik containers are up and running and haven't exited/stopped for whatever reason. If nothing has changed at all, doesn't hurt to just restart all the containers.
@CanerAras · 4 months ago
How do I return to the application's main page after a successful login or registration?
@cooptonian · 4 months ago
...not sure what you mean? The application dashboard? The user would just need to login to the main authentik page after registering...
@rguifa · 1 year ago
I have implemented Authentik with your videos and just realized that the sign up link still works even with the deny-enrollment stage binding created as described. Any ideas on how else I can get rid of the sign up option? If I turn off "evaluate on plan" on the deny-enrollment binding, then I get the expected error message. However, the enrollment via invitation link is also blocked, and the same error is shown.
@cooptonian · 1 year ago
...weird, it shouldn't work especially if it is at the top of the flow as it is the very first thing evaluated. Are you sure you are not pulling up a cached page? Maybe the latest version broke something? In any case, if you are done with enrollment from the main page, just remove the link. Edit your default authentication flow > Identification stage and remove the option for enrollment... You can probably also create a deny policy; for more info on that, it is best to ask in the discord for ideas...
@rguifa · 1 year ago
@cooptonian I tried removing the enrollment link and it works, but if I paste the URL then it loads the enrollment page. For some magical reason the expected error message now pops up again. There is no signup link now, the invitation works. Thanks
@cooptonian · 1 year ago
@rguifa sure, you're welcome!
@lukasjajko · 7 months ago
In which video do you set up password complexity? You refer to something, but do not link the actual video. I am confused.
@cooptonian · 7 months ago
...previous to this video was my Authentik - Password Recovery Flow Setup ( ru-vid.com/video/%D0%B2%D0%B8%D0%B4%D0%B5%D0%BE-NKJkYz0BIlA.html )
@lukasjajko · 7 months ago
@cooptonian thanks mate, your tutorials are awesome!
@kareemschultz · 1 year ago
Can you do one showing ldap integration?
@cooptonian · 1 year ago
Another RU-vid user on here by the name of Rob Hedrick or better yet in the Authentik Discord server @Hooray4Rob has actually submitted a PR request that has been merged to Authentik's docs regarding Generic LDAP setup...have you seen it >> goauthentik.io/docs/providers/ldap/generic_setup ? It is pretty awesome as it is clear and concise with exact screenshots of the steps...
@john27638 · 1 year ago
Not sure if this is possible with Authentik, but if it is possible, can you create a video on how to setup a flow that deactivates a user and forces them to change their password to get reactivated?
@cooptonian · 1 year ago
...yeah, I am not sure if this is possible or not either. But if it was, I imagine it would be through an expression policy. For example, if the last login for a user currently logging in is more than 90 days ago (if the expression policy can check login logs), then force a password reset...but this would only trigger for that user currently logging in. What would be better would be some kind of cronjob that checks the length of time between logins then runs a script/authentik command to disable the user... Unfortunately, I didn't see any documentation for ALL Authentik command line commands available...
@geekyouth · 7 months ago
The poor mosaic greatly reduces the quality of these videos.
@kevinkleiber · 1 year ago
Amazing video, but I have a slightly different scenario to cover and need some help. My users just need to assign a password for themselves because their name, username and email are used to create their account beforehand. Now what I want is to send an email to each new user which tells them to set a password by following a link. Currently the accounts get created and the users have to set a password on their first login, but they don't get informed about the creation of their account. Any advice would be neat.
@cooptonian · 1 year ago
...you can add a custom prompt stage of type static at the very end of the flow to let them know the account has been created (this is a message prompt with a continue button). Once they click continue it just reloads the main login page (to add some actual logic to it, you can add an expression policy to check that the user exists). Or if you really want to send an email, add another email stage and use the reset password template.
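The scenario above (accounts pre-created with name, username and email, users only need to set a password and be told about it) is the same one the API-provisioning questions earlier in the thread describe. Besides the extra email stage suggested in the reply, the link can be minted from the API side. The block below is an added example, not from the video, any commenter, or authentik's own code: it creates the user through the API and requests a recovery link for that user, which your own mailer then delivers. The two endpoints it uses (`POST /api/v3/core/users/` and `POST /api/v3/core/users/{pk}/recovery/`, the latter returning `{"link": ...}` and requiring a recovery flow on the brand/tenant) are this example's assumptions about the API; verify them against `/api/v3/schema/` on your version. `FakeApi` is a constructed offline stand-in.

```python
# Added example (not from the video or its comments, and not authentik's own
# code): provision an account through the authentik API and mint a one-time
# recovery link the user follows to set their own password. This is an
# API-side alternative to adding an email stage with the reset template.
#
# Assumed endpoints (verify against /api/v3/schema/ on your instance):
#   POST /api/v3/core/users/                create user (username, name, email, is_active)
#   POST /api/v3/core/users/{pk}/recovery/  returns {"link": "..."}; needs a recovery
#                                           flow configured on the brand/tenant
# The transport is injected so the same logic runs offline against FakeApi.
import json
import urllib.request


class AuthentikApi:
    """Thin bearer-token JSON client for a live instance."""

    def __init__(self, base_url, token):
        self.base_url = base_url.rstrip("/")
        self.token = token

    def post(self, path, payload=None):
        data = json.dumps(payload).encode() if payload is not None else None
        req = urllib.request.Request(self.base_url + path, data=data, method="POST")
        req.add_header("Authorization", f"Bearer {self.token}")
        req.add_header("Content-Type", "application/json")
        with urllib.request.urlopen(req, timeout=30) as resp:
            body = resp.read()
            return json.loads(body) if body else {}


def provision_user(api, username, name, email):
    """Create the user and mint a recovery link; returns (pk, link).

    The account is created active, as in the scenario described above, so the
    link can log the user in once they have set a password. The link is
    time-limited on the authentik side and is the only secret involved: hand
    it to the user out of band (your own mailer) and treat it as a credential."""
    if "@" not in email:
        raise ValueError("a deliverable email address is required to send the link")
    user = api.post("/api/v3/core/users/", {
        "username": username,
        "name": name,
        "email": email,
        "is_active": True,
    })
    link = api.post(f"/api/v3/core/users/{user['pk']}/recovery/")["link"]
    return user["pk"], link


class FakeApi:
    """Constructed offline stand-in: records calls and returns canned responses."""

    def __init__(self):
        self.calls = []
        self.next_pk = 100

    def post(self, path, payload=None):
        self.calls.append((path, payload))
        if path == "/api/v3/core/users/":
            self.next_pk += 1
            return {"pk": self.next_pk, **payload}
        if path.endswith("/recovery/"):
            pk = path.split("/")[-3]  # ".../users/<pk>/recovery/"
            return {"link": f"https://auth.example.invalid/recovery/?token=constructed-{pk}"}
        raise AssertionError(f"unexpected path {path}")


if __name__ == "__main__":
    fake = FakeApi()
    pk, link = provision_user(fake, "kevin", "Kevin K.", "kevin@example.invalid")
    print(pk, link)
    # Live use: provision_user(AuthentikApi("https://auth.example.invalid", "<api token>"), ...)
```

The API token should come from a service account limited to creating users and issuing recovery links; keep it out of the web app that collects the form data if that app does not otherwise need it.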