Need advice on integrating Authentik and Rails app with rodauth-rails and jwt

[francescor]

Hi,

We are struggling understanding how I can enable SSO with Authentik in my Ruby on Rails application.

My Ruby on Rails works perfectly with your gems (thanks!):

gem "rodauth-rails", "~> 1.12"
gem 'jwt'
gem 'rodauth-model'

I'm using now including my LDAP login app/misc/rodauth_ldap.rb.disabilitato to get the jwt with

module RodauthLdap
  def require_bcrypt?
    false
  end

  # I re-define the password_match? method so it uses LDAP
  def password_match?(password)
    user_exist_in_ldap?(account[:email], password)
  end

  def user_exist_in_ldap?(email, password)
  ...
  end

and it works perfectly.

Now we need to enable SSO with Authentik ... so to be able to remove the LDAP login: and it looks to me that this could be a way:

gem 'omniauth'
gem 'omniauth-rails_csrf_protection'
gem 'rodauth-omniauth'

Authentik supports both generic OAuth2 as well as OpenID Connect.

Are we taking a solution that makes sense?

[janko]

So, you need an OmniAuth strategy for Authentik. I couldn't find one on GitHub, so you might need to write one yourself. If it supports OAuth2, it would be based off of omniauth-oauth2; see other OAuth2-based strategies for inspiration.

So, you just need to integrate Authentik with OmniAuth, and it then should automatically work with rodauth-omniauth. BTW, you don't need the omniauth-rails_csrf_protection gem, rodauth-omniauth already handles CSRF protection for you (it calls Rodauth's CSRF protection, which rodauth-rails overrides to call Rails' CSRF protection).

[francescor]

thank you @janko !

[francescor]

It works! and this gem does ...everything ! :)

I had to customize the migration

class CreateAccountIdentities < ActiveRecord::Migration[5.2]
  def change
    create_table :account_identities do |t|
      # t.references :account, null: false, foreign_key: { on_delete: :cascade }
      t.bigint :account_id, null: false
      t.datetime :created_at, null: false
      t.datetime :updated_at, null: false
      t.string :provider, null: false
      t.string :uid, null: false
      t.index [:provider, :uid], unique: true
      t.index ["account_id"], name: "index_account_identities_on_account_id"
    end
  end  
end

since in my app/misc/rodauth_main.rb I have

accounts_table :users

Then in app/misc/rodauth_main.rb:

  configure do
    enable :login, :logout, :remember, :jwt, :jwt_refresh, :internal_request, :omniauth
    omniauth_provider :authentik, ENV['authentik_client_id'], ENV['authentik_client_secret'],
      client_options: {
        site: 'https://my.authentik.website.it',
        authorize_url: 'https://my.authentik.website.it/application/o/authorize/',
        token_url: 'https://my.authentik.website.it/application/o/token/'
      },
      authorize_params: { redirect_uri: "https://my.rails.website.it/auth/authentik/callback" },
      token_params: { redirect_uri: "https://my.rails.website.it/auth/authentik/callback" }

    omniauth_identity_insert_hash { super().merge(created_at: Time.now) }
    omniauth_identity_update_hash { { updated_at: Time.now } }

in config/initializers/authentik.rb:

# loading lib/omniauth/strategies/authentik.rb
require 'omniauth/strategies/authentik'

in lib/omniauth/strategies/authentik.rb

require 'omniauth-oauth2'
# https://github.com/omniauth/omniauth-oauth2
module OmniAuth
  module Strategies
    class Authentik < OmniAuth::Strategies::OAuth2
      option :name, "authentik"
      option :client_options, {}

      uid { raw_info['sub'] }

      info do
        {
          email: raw_info['email'],
          name: raw_info['name']
        }
      end

      extra do
        { raw_info: raw_info }
      end

      def raw_info
        @raw_info ||= access_token.get('/application/o/userinfo/').parsed
      end
    end
  end
end

[francescor]

uh, I've read just now the possibility to customise the identity table, so, since I had

accounts_table :users

I've added

      omniauth_identities_table :user_identities
      omniauth_identities_account_id_column :user_id
      omniauth_identities_uid_column :email

and my migration is:

class CreateUserIdentities < ActiveRecord::Migration[5.2]
  def change
    create_table :user_identities do |t|
      t.references :user, null: false, foreign_key: { on_delete: :cascade }
      t.string :provider, null: false
      t.string :email, null: false
      t.timestamps
      t.index %i[provider email], unique: true
    end
  end
end

@janko I see I need to add that t.timestamps in my Rails 5.2, maybe it's added automatically in latest Rails version, but if not I guess it's missing in the README

[janko]

The timestamp columns always needed to be created explicitly AFAIK, though the migration generator adds the t.timestamps call automatically.

I have a separate section for them in the README, because they're optional for rodauth-omniauth.