b324ff09ef
Some checks failed
CI/CD Pipeline / Code Quality & Linting (push) Has been cancelled
CI/CD Pipeline / Policy Validation (push) Has been cancelled
CI/CD Pipeline / Test Suite (push) Has been cancelled
CI/CD Pipeline / Build Docker Images (svc-coverage) (push) Has been cancelled
CI/CD Pipeline / Build Docker Images (svc-extract) (push) Has been cancelled
CI/CD Pipeline / Build Docker Images (svc-firm-connectors) (push) Has been cancelled
CI/CD Pipeline / Build Docker Images (svc-forms) (push) Has been cancelled
CI/CD Pipeline / Build Docker Images (svc-hmrc) (push) Has been cancelled
CI/CD Pipeline / Build Docker Images (svc-ingestion) (push) Has been cancelled
CI/CD Pipeline / Build Docker Images (svc-kg) (push) Has been cancelled
CI/CD Pipeline / Build Docker Images (svc-normalize-map) (push) Has been cancelled
CI/CD Pipeline / Build Docker Images (svc-ocr) (push) Has been cancelled
CI/CD Pipeline / Build Docker Images (svc-rag-indexer) (push) Has been cancelled
CI/CD Pipeline / Build Docker Images (svc-rag-retriever) (push) Has been cancelled
CI/CD Pipeline / Build Docker Images (svc-reason) (push) Has been cancelled
CI/CD Pipeline / Build Docker Images (svc-rpa) (push) Has been cancelled
CI/CD Pipeline / Build Docker Images (ui-review) (push) Has been cancelled
CI/CD Pipeline / Security Scanning (svc-coverage) (push) Has been cancelled
CI/CD Pipeline / Security Scanning (svc-extract) (push) Has been cancelled
CI/CD Pipeline / Security Scanning (svc-kg) (push) Has been cancelled
CI/CD Pipeline / Security Scanning (svc-rag-retriever) (push) Has been cancelled
CI/CD Pipeline / Security Scanning (ui-review) (push) Has been cancelled
CI/CD Pipeline / Generate SBOM (push) Has been cancelled
CI/CD Pipeline / Deploy to Staging (push) Has been cancelled
CI/CD Pipeline / Deploy to Production (push) Has been cancelled
CI/CD Pipeline / Notifications (push) Has been cancelled
7.6 KiB
7.6 KiB
Authentik SSO Configuration for AI Tax Agent
This directory contains the configuration for Authentik SSO integration with the AI Tax Agent system.
Overview
Authentik provides:
- Single Sign-On (SSO) for all services
- ForwardAuth middleware for Traefik
- OIDC/OAuth2 providers for applications
- Role-based access control (RBAC)
- User and group management
Architecture
┌─────────────────┐ ┌──────────────┐ ┌─────────────────┐
│ User Browser │───▶│ Traefik │───▶│ Application │
└─────────────────┘ └──────────────┘ └─────────────────┘
│
▼
┌──────────────┐
│ Authentik │
│ ForwardAuth │
└──────────────┘
Services
Core Authentik Services
- authentik-db: PostgreSQL database for Authentik
- authentik-redis: Redis cache for sessions
- authentik-server: Main Authentik server
- authentik-worker: Background task worker
- authentik-outpost: ForwardAuth proxy
Integration Points
- Traefik: Uses ForwardAuth middleware
- Grafana: OIDC authentication
- API Services: JWT token validation
- Review Portal: NextAuth.js integration
User Groups & Roles
| Group | Description | Permissions |
|---|---|---|
| Administrators | System administrators | Full access to all services |
| Tax Reviewers | Review extracted data | Access to review portal, read-only API |
| Accountants | Firm accountants | Access to client data, forms |
| Clients | End clients | Limited access to own data |
Applications
1. AI Tax Agent API
- Client ID:
ai-tax-agent-api - Type: OIDC/OAuth2
- Scopes:
openid,profile,email,roles - Redirect URI:
https://api.local.lan/auth/callback
2. Grafana
- Client ID:
grafana - Type: OIDC/OAuth2
- Scopes:
openid,profile,email - Redirect URI:
https://grafana.local.lan/login/generic_oauth
3. UI Review (ForwardAuth)
- Provider Type: Proxy Provider (ForwardAuth)
- External Host:
https://review.local.lan - Internal Host:
http://ui-review:3030 - Mode:
forward_single - Authentication: Via Traefik ForwardAuth middleware
Setup Instructions
1. Generate Secrets
make generate-secrets
2. Deploy Infrastructure
make deploy-infra
3. Initial Authentik Setup
- Open https://auth.local.lan in your browser
- Complete the initial setup wizard
- Create admin user with email
admin@local.lan - Set a secure password
4. Configure Applications
# Set API token from Authentik admin interface
export AUTHENTIK_API_TOKEN="your-api-token-here"
make setup-authentik
5. Verify Setup
- Access Authentik admin: https://auth.local.lan
- Test API authentication: https://api.local.lan/docs
- Check Grafana SSO: https://grafana.local.lan
Configuration Files
bootstrap.yaml
Initial configuration for:
- User groups
- OIDC providers
- Applications
- Policies
exported-config.yaml
UI Review Integration Blueprint - Automated configuration for UI Review ForwardAuth integration:
- Proxy Provider configuration
- Application setup
- Outpost provider assignment
To apply this configuration:
# Apply UI Review integration
docker-compose -f docker-compose.local.yml exec authentik-server ak apply_blueprint /blueprints/exported-config.yaml
custom-templates/
Custom login/logout templates (optional)
media/
Uploaded media files (logos, etc.)
Environment Variables
| Variable | Description | Default |
|---|---|---|
AUTHENTIK_SECRET_KEY |
Encryption key | changeme |
AUTHENTIK_OUTPOST_TOKEN |
Outpost authentication | changeme |
AUTHENTIK_DB_PASSWORD |
Database password | authentik |
DOMAIN |
Base domain | local |
Security Considerations
Production Deployment
- Change all default passwords
- Use strong secret keys (50+ characters)
- Enable HTTPS with valid certificates
- Configure proper CORS origins
- Set up backup for Authentik database
- Enable audit logging
Network Security
- Authentik services run on backend network only
- Only Traefik has access to frontend network
- Database and Redis are internal only
Token Security
- JWT tokens include user roles and tenant ID
- Tokens are validated by each service
- Short token expiry (1 hour) with refresh
Troubleshooting
Common Issues
-
Authentik not accessible
# Check service status docker-compose logs authentik-server # Verify network connectivity docker network ls | grep ai-tax-agent -
ForwardAuth not working
# Check outpost logs docker-compose logs authentik-outpost # Verify Traefik configuration docker-compose logs traefik -
OIDC authentication failing
# Check provider configuration curl -s https://auth.local.lan/.well-known/openid_configuration # Verify redirect URIs # Check client secrets
Debug Mode
Enable debug logging:
# In docker-compose.local.lan.yml
AUTHENTIK_LOG_LEVEL: debug
API Integration
Getting User Information
Services receive user information via headers:
ForwardAuth Headers (UI Review):
x-authentik-username: Usernamex-authentik-email: Email addressx-authentik-groups: Comma-separated groupsx-authentik-name: Full namex-authentik-uid: User ID
Legacy Headers (Other Services):
X-Authenticated-User: UsernameX-Authenticated-Email: Email addressX-Authenticated-Groups: Comma-separated groupsAuthorization: JWT Bearer token
Example FastAPI Integration
from libs.security import AuthenticationHeaders
@app.get("/protected")
async def protected_endpoint(request: Request):
auth = AuthenticationHeaders(request)
if not auth.has_role("Tax Reviewers"):
raise HTTPException(403, "Insufficient permissions")
return {"user": auth.authenticated_user}
Monitoring
Health Checks
- Authentik server:
https://auth.local.lan/-/health/ready/ - Outpost:
http://authentik-outpost:9000/outpost.goauthentik.io/ping
Metrics
- Prometheus metrics:
https://auth.local.lan/metrics - Grafana dashboard: "Authentik Overview"
Backup & Recovery
Database Backup
# Backup Authentik database
docker exec authentik-db pg_dump -U authentik authentik > authentik_backup.sql
# Restore
docker exec -i authentik-db psql -U authentik authentik < authentik_backup.sql
Configuration Backup
- Export flows and providers from admin interface
- Backup
bootstrap.yamland custom templates - Store secrets securely (Vault, etc.)
Support
For issues with Authentik configuration:
- Check the official documentation
- Review logs in
docker-compose logs authentik-server - Verify network connectivity and DNS resolution
- Check Traefik middleware configuration