Working basic example of authentik auth integration with copy party

2025-10-02 14:42:28 -06:00 · 2025-09-28 15:36:33 +02:00 · 2025-09-28 15:36:33 +02:00 · 3f55c87906
parent 234eddec90
commit 3f55c87906
3 changed files with 54 additions and 7 deletions
--- a/docs/examples/docker/idp-authentik-traefik/README.md
+++ b/docs/examples/docker/idp-authentik-traefik/README.md
@ -1,8 +1,7 @@
 > [!WARNING]  
 > I am unable to guarantee the quality, safety, and security of anything in this folder; it is a combination of examples I found online. Please submit corrections or improvements 🙏

-> [!WARNING]  
-> does not work yet... if you are able to fix this, please do!
+This example should be enough to get things working. I have confirmed this basic config personally. User creation and management work, however once a user is passed through to copy party, manual editing of the config file will be needed to control new users. i.e. anyone you let through your SSO portal will be granted basic/default settings and permissions, unless manually configured otherwise. 

 this is based on:
 * https://goauthentik.io/docker-compose.yml
--- a/docs/examples/docker/idp-authentik-traefik/cpp/copyparty.conf
+++ b/docs/examples/docker/idp-authentik-traefik/cpp/copyparty.conf
@ -20,12 +20,17 @@
  e2ts   # enable multimedia indexing
  ansi   # enable colors in log messages

+  # if we are confident that we got the docker-network config correct
+  # (meaning copyparty is only accessible through traefik, and
+  #  traefik makes sure that all requests go through authelia),
+  # then accept X-Forwarded-For and IdP headers from any private IP:
+  xff-src: lan
+  
  # enable IdP support by expecting username/groupname in
  # http-headers provided by the reverse-proxy; header "X-IdP-User"
  # will contain the username, "X-IdP-Group" the groupname
-  idp-h-usr: x-idp-user
-  idp-h-grp: x-idp-group
-
+  idp-h-usr: X-authentik-username
+  idp-h-grp: X-authentik-groups

 [/]      # create a volume at "/" (the webroot), which will
  /w     # share /w (the docker data volume, which is mapped to /srv/pub on the host in docker-compose.yml)
--- a/docs/examples/docker/idp-authentik-traefik/docker-compose.yml
+++ b/docs/examples/docker/idp-authentik-traefik/docker-compose.yml
@ -21,7 +21,7 @@ services:
      - 'traefik.enable=true'
      - 'traefik.http.routers.fs.rule=Host(`fs.example.com`)'
      - 'traefik.http.routers.fs.entrypoints=http'
-      #- 'traefik.http.routers.fs.middlewares=authelia@docker'  # TODO: ???
+      - 'traefik.http.routers.fs.middlewares=ak-forwardauth@docker' # using authentik built-in docker outpost
    stop_grace_period: 15s  # thumbnailer is allowed to continue finishing up for 10s after the shutdown signal
    environment:
      LD_PRELOAD: /usr/lib/libmimalloc-secure.so.NOPE
@ -29,9 +29,11 @@ services:

      PYTHONUNBUFFERED: 1
      # ensures log-messages are not delayed (but can reduce speed a tiny bit)
+    networks:
+      - proxy

  traefik:
-    image: traefik:v2.11
+    image: traefik:latest
    container_name: traefik
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock  # WARNING: this gives traefik full root-access to the host OS, but is recommended/required(?) by traefik
@ -44,6 +46,12 @@ services:
      - '--providers.docker=true'
      - '--providers.docker.exposedByDefault=false'
      - '--entrypoints.web.address=:80'
+    labels:
+      - "traefik.enable=true"
+      #To allow for custom headers to be forwarded
+      - "traefik.http.middlewares.sslheader.headers.customrequestheaders.X-Forwarded-Proto=https"
+    networks:
+      - proxy

  postgresql:
    image: docker.io/library/postgres:12-alpine
@ -63,6 +71,8 @@ services:
      POSTGRES_DB: authentik
    env_file:
      - .env
+    networks:
+      - authentik-backend

  redis:
    image: docker.io/library/redis:alpine
@ -77,6 +87,8 @@ services:
      timeout: 3s
    volumes:
      - redis:/data:z
+    networks:
+      - authentik-backend

  authentik_server:
    image: ghcr.io/goauthentik/server:2024.2.1
@ -100,6 +112,30 @@ services:
    depends_on:
      - postgresql
      - redis
+    labels:
+    # Https setup with Cloudflare as DNS provider for certresolver
+      - "traefik.enable=true"
+      - "traefik.http.routers.authentik.entrypoints=http"
+      - "traefik.http.routers.authentik.rule=Host(`auth.example.com`)"
+      - "traefik.http.middlewares.authentik-https-redirect.redirectscheme.scheme=https"
+      - "traefik.http.routers.authentik.middlewares=authentik-https-redirect"
+      - "traefik.http.routers.authentik-secure.entrypoints=https"
+
+      - "traefik.http.routers.authentik-secure.rule=Host(`auth.example.com`)"
+      - "traefik.http.routers.authentik-secure.tls=true"
+      - "traefik.http.routers.authentik-secure.tls.certresolver=cloudflare"
+      - "traefik.http.routers.authentik-secure.service=authentik"
+      - "traefik.http.services.authentik.loadbalancer.server.port=9000"
+      - "traefik.docker.network=proxy"
+
+      # ForwardAuth middleware → embedded outpost (internal URL!) will work for all services on the same docker network
+      - "traefik.http.middlewares.ak-forwardauth.forwardauth.address=http://authentik-server:9000/outpost.goauthentik.io/auth/traefik"
+      - "traefik.http.middlewares.ak-forwardauth.forwardauth.trustForwardHeader=true"
+      # Choose which headers you want forwarded to the backend
+      - "traefik.http.middlewares.ak-forwardauth.forwardauth.authResponseHeaders=X-authentik-username,X-authentik-groups,X-authentik-entitlements,X-authentik-email,X-authentik-name,X-authentik-uid"
+    networks:
+      - proxy
+      - authentik-backend

  authentik_worker:
    image: ghcr.io/goauthentik/server:2024.2.1
@ -129,3 +165,10 @@ services:
    depends_on:
      - postgresql
      - redis
+    networks:
+      - proxy
+      - authentik-backend
+networks:
+  proxy:
+    external: true
+  authentik-backend: