website: migrate to mermaid charts, rework proxy page

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
This commit is contained in:
Jens Langhammer 2023-02-15 12:14:17 +01:00
parent ade397fc24
commit 7d6b573f8b
No known key found for this signature in database
6 changed files with 1003 additions and 45 deletions

View file

@ -4,11 +4,30 @@ title: Terminology
slug: /terminology
---
![](/img/authentik_objects.svg)
```mermaid
graph LR
source_ldap((LDAP Source)) <-->|Synchronizes| datasource_ldap["FreeIPA/
Active Directory"]
datasource_oauth1(Twtitter) --> source_oauth((OAuth/SAML\nSource))
datasource_oauth2(GitHub) --> source_oauth((OAuth/SAML\nSource))
source_oauth --> authentik_db(authentik Database)
source_ldap --> authentik_db(authentik Database)
### System tasks
app_sso(Gitlab) --> authentik_provider[Provider]
authentik_provider --> authentik_db
authentik_provider --> authentik_app["Application
(Stores permissions and UI details)"]
authentik_app --> authentik_policy_engine[Policy Engine]
authentik_policy_engine --> authentik_db
These are longer-running tasks which authentik runs in the background. This is used to sync LDAP sources, backup the database, and other various tasks.
app_ldap("Applications that only
support LDAP (e.g. pfSense)") --> authentik_outpost_ldap[LDAP Outpost]
app_proxy("Applications that don't
support any SSO (e.g. Plex)") --> authentik_outpost_proxy[Proxy Outpost]
authentik_outpost_ldap --> authentik_outposts[Outposts]
authentik_outpost_proxy --> authentik_outposts[Outposts]
authentik_outposts --> authentik_provider
```
### Application
@ -26,7 +45,7 @@ A Provider is a way for other applications to authenticate against authentik. Co
At a base level a policy is a yes/no gate. It will either evaluate to True or False depending on the Policy Kind and settings. For example, a "Group Membership Policy" evaluates to True if the user is member of the specified Group and False if not. This can be used to conditionally apply Stages, grant/deny access to various objects, and for other custom logic.
See [Policies](./policies/)
See [Policies](../policies/index.md)
### Flows & Stages
@ -34,16 +53,20 @@ Flows are an ordered sequence of stages. These flows can be used to define how a
A stage represents a single verification or logic step. They are used to authenticate users, enroll users, and more. These stages can optionally be applied to a flow via policies.
See [Flows](./flow/)
See [Flows](../flow/index.md)
### Property Mappings
Property Mappings allow you to make information available for external applications. For example, if you want to login to AWS with authentik, you'd use Property Mappings to set the user's roles in AWS based on their group memberships in authentik.
See [Property Mappings](./property-mappings/)
See [Property Mappings](../property-mappings/index.md)
### Outpost
An outpost is a separate component of authentik, which can be deployed anywhere, regardless of the authentik deployment. The outpost offers services that aren't implemented directly into the authentik core, e.g. Reverse Proxying.
See [Outposts](./outposts/)
See [Outposts](../outposts/index.mdx)
### System tasks
These are longer-running tasks which authentik runs in the background. This is used to sync LDAP sources, backup the database, and other various tasks.

View file

@ -1,28 +1,94 @@
---
title: Overview
title: Proxy Provider
---
```mermaid
sequenceDiagram
participant u as User accesses service
participant rp as Reverse proxy
participant ak as authentik
participant s as Service
u->>rp: Initial request
rp->>ak: Checks authentication
alt User is authenticated
ak ->> rp: Successful response
rp ->> s: Initial request is forwarded
else User needs to be authenticated
ak ->> rp: Redirect to the login page
rp ->> u: Redirect is passed to enduser
end
```
## Headers
The proxy outpost sets the following user-specific headers:
- X-authentik-username: `akadmin`
### `X-authentik-username`
The username of the currently logged in user
Example value: `akadmin`
- X-authentik-groups: `foo|bar|baz`
The username of the currently logged in user
The groups the user is member of, separated by a pipe
### `X-authentik-groups`
- X-authentik-email: `root@localhost`
Example value: `foo|bar|baz`
The email address of the currently logged in user
The groups the user is member of, separated by a pipe
- X-authentik-name: `authentik Default Admin`
### `X-authentik-email`
Full name of the current user
Example value: `root@localhost`
- X-authentik-uid: `900347b8a29876b45ca6f75722635ecfedf0e931c6022e3a29a8aa13fb5516fb`
The email address of the currently logged in user
The hashed identifier of the currently logged in user.
### `X-authentik-name`
Example value: `authentik Default Admin`
Full name of the current user
### `X-authentik-uid`
Example value: `900347b8a29876b45ca6f75722635ecfedf0e931c6022e3a29a8aa13fb5516fb`
The hashed identifier of the currently logged in user.
Besides these user-specific headers, some application specific headers are also set:
### `X-authentik-meta-outpost`
Example value: `authentik Embedded Outpost`
The authentik outpost's name.
### `X-authentik-meta-provider`
Example value: `test`
The authentik provider's name.
### `X-authentik-meta-app`
Example value: `test`
The authentik application's slug.
### `X-authentik-meta-version`
Example value: `goauthentik.io/outpost/1.2.3`
The authentik outpost's version.
### `X-Forwarded-Host`
:::info
Only set in proxy mode
:::
The original Host header sent by the client. This is set as the `Host` header is set to the host of the configured backend.
### Additional headers
Additionally, you can set `additionalHeaders` attribute on groups or users to set additional headers:
@ -31,30 +97,6 @@ additionalHeaders:
X-test-header: test-value
```
Besides these user-specific headers, some application specific headers are also set:
- X-authentik-meta-outpost: `authentik Embedded Outpost`
The authentik outpost's name.
- X-authentik-meta-provider: `test`
The authentik provider's name.
- X-authentik-meta-app: `test`
The authentik application's slug.
- X-authentik-meta-version: `goauthentik.io/outpost/1.2.3`
The authentik outpost's version.
### Only in proxy mode
- X-Forwarded-Host:
The original Host header sent by the client. This is set as the `Host` header is set to the host of the configured backend.
## HTTPS
The outpost listens on both 9000 for HTTP and 9443 for HTTPS.

View file

@ -169,6 +169,10 @@ module.exports = {
},
],
],
markdown: {
mermaid: true,
},
themes: ["@docusaurus/theme-mermaid"],
scripts: [
{
src: "https://goauthentik.io/js/script.js",

File diff suppressed because it is too large Load diff

View file

@ -18,6 +18,7 @@
"dependencies": {
"@docusaurus/plugin-client-redirects": "2.3.1",
"@docusaurus/preset-classic": "2.3.1",
"@docusaurus/theme-mermaid": "^2.3.1",
"@mdx-js/react": "^1.6.22",
"clsx": "^1.2.1",
"disqus-react": "^1.1.5",

File diff suppressed because one or more lines are too long

Before

Width:  |  Height:  |  Size: 24 KiB