Authentik - Enrollment | Invitation Flow Setup

  • Published 25 Nov 2024

COMMENTS • 86

  • @joegi3553 · 1 year ago · +2

    Amazing video! This helped clear up a crucial part I was missing! For blocking enrollment, I dug in a little deeper and found that you can actually just create/bind an expression policy and set the priority to 0 (highest)
    So, in the default-source-enrollment Flow, click the "Policies / Groups / User Bindings" tab -> Click Create & bind Policy -> Select Expression Policy -> Name it whatever you want -> In expression, input:
    ak_message("Access Denied")
    return False
    The string "Access Denied" can be whatever you want. That's what will show when someone attempts to login/create an account. I use OAuth, so for me, I don't want anyone just willy nilly signing up and having accounts created!
    EDIT: Also, make sure other bound policies in that tab are disabled! Still learning the evaluation of "ANY" with policies, but it's a safe way to keep any other policies there around, but not active.

    • @cooptonian · 1 year ago · +1

      Thanks! And yeah, figured something like that later...but great detailed info in your comment for anyone else to follow.

    • @rguifa · 1 year ago

      How do you disable other bound policies? policies or stages?

    • @cooptonian · 1 year ago

      ...just go to edit binding for whatever policy and flip the enabled switch

    • @rguifa · 1 year ago

      @@cooptonian The version I have does not show an enable button.
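
The policy posted in this thread, together with a model of the engine behaviour behind the "disable the other bindings" edit, as an added example (not code from the video or from authentik). The engine below is a deliberate simplification and is an assumption about authentik: enabled bindings run in ascending order, "negate" flips a binding's result, ANY passes when at least one enabled binding passes, ALL passes only when every enabled binding passes, and a flow with no enabled bindings is allowed. The policy bodies take the same names authentik injects into an expression policy (context, ak_message); the invitation_in_effect context key and the allow_only_invited variant are assumptions, not something the video shows.

```python
"""Model of how authentik's policy engine combines policy bindings, used to
show why a "deny everything" expression policy only blocks enrollment when the
other bindings on the same flow are disabled, or when the flow's policy engine
mode is ALL.

Added example, not code from the video or from authentik. The engine is a
simplification (assumption): enabled bindings run in ascending order, negate
flips a result, ANY passes if at least one enabled binding passes, ALL passes
only if every enabled binding passes, no enabled bindings means allowed.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# A policy body receives the flow context and authentik's ak_message() helper.
PolicyFn = Callable[[dict, Callable[[str], None]], bool]


def deny_enrollment(context, ak_message):
    """Body of the expression policy posted above."""
    ak_message("Access Denied")
    return False


def allow_only_invited(context, ak_message):
    """Assumed variant: pass only after the invitation stage has consumed a
    token. Bound to the flow with 'evaluate on plan' it runs before any stage,
    sees an empty context and denies invited users too, which is the symptom
    reported further down this page."""
    if context.get("invitation_in_effect"):          # assumed context key
        return True
    ak_message("Enrollment is by invitation only")
    return False


def allow_all(context, ak_message):
    """Stand-in for a pre-existing permissive binding left enabled on the flow."""
    return True


@dataclass
class Binding:
    policy: PolicyFn
    order: int = 0          # lower order is evaluated first
    enabled: bool = True
    negate: bool = False


def evaluate(bindings: List[Binding], mode: str, context: dict) -> Tuple[bool, List[str]]:
    """Return (passing, messages) for one flow under engine mode 'any' or 'all'."""
    if mode not in ("any", "all"):
        raise ValueError(f"unknown engine mode {mode!r}")
    messages: List[str] = []
    results: List[bool] = []
    for b in sorted(bindings, key=lambda b: b.order):
        if not b.enabled:                              # disabled bindings are skipped
            continue
        ok = bool(b.policy(context, messages.append))  # ak_message collects user-facing text
        results.append(ok != b.negate)
    if not results:                                    # nothing bound: flow is allowed
        return True, messages
    return (any(results) if mode == "any" else all(results)), messages


def demo() -> Dict[str, bool]:
    """Scenarios behind the advice in the comment; returns {scenario: passing}."""
    deny = Binding(deny_enrollment, order=0)
    legacy = Binding(allow_all, order=10)
    legacy_off = Binding(allow_all, order=10, enabled=False)
    invited = Binding(allow_only_invited)
    return {
        "deny alone, ANY": evaluate([deny], "any", {})[0],
        "deny + enabled legacy binding, ANY": evaluate([deny, legacy], "any", {})[0],
        "deny + enabled legacy binding, ALL": evaluate([deny, legacy], "all", {})[0],
        "deny + disabled legacy binding, ANY": evaluate([deny, legacy_off], "any", {})[0],
        "invited only, no invitation": evaluate([invited], "any", {})[0],
        "invited only, invitation in effect": evaluate(
            [invited], "any", {"invitation_in_effect": True})[0],
    }


if __name__ == "__main__":
    for name, passing in demo().items():
        print(f"{'ALLOW' if passing else 'DENY ':5} {name}")
```

Under ANY a single permissive binding left enabled makes the deny policy irrelevant, no matter its order; disabling it (or switching the flow to ALL) is what makes the deny stick.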

  • @bcnom · 2 years ago · +3

    I have nothing to say except that you are a lifesaver and I am so glad someone shared your video on reddit. Cheers and thanks for making these videos for us. :)

  • @philsjeff · 2 years ago · +2

    I do love you! I just want you to know that. Your videos are the best Authentik videos out there - For Sure! Keep 'em coming, please! Thanks a ton!

    • @cooptonian · 2 years ago · +1

      Ha ha, thanks! I appreciate you appreciating them.

  • @origamitobiichi1671 · 1 year ago

    I am so excited to find this amazing video in the endless sea of the Internet! Thank you bro, you have saved my day!

  • @Pariah902 · 2 years ago · +1

    Love your Authentik Videos, great stuff, Thanks a lot

  • @andrewkyllo3170 · 5 months ago

    What a fantastic guide for people new to configuring this technology like myself. Do you have any plans in the future to make a video about enrollment with OAuth by chance?

  • @shrinidhi · 9 months ago

    Awesome video, thank you so much! Subscribed!

  • @yulaizhou303 · 7 months ago

    bro, you are the true hero. may I ask whether you can make a video to explain how to add SMS? I was tortured by this for a week.

  • @SaladCesar2052 · 1 year ago

    Thank you so much for your work ! I would never be able to get my Authentik setup up and running without you, you truly helped me to get on board with it. Authentik will be the key component of my media server. I can't say how much this content is important to me.
    Your tutorial works perfectly. But I think there is a small flaw: when someone creates his account, it is created as an inactive user. Then if the person doesn't validate his account by email, the email token disappears but the inactive user stays in the database. So now this username / email combo is completely blocked for the end user. If he tries to log in, he can't because the user is disabled. If he tries to re-create his account, he can't because it already exists. That would force him to use another email and username, and I would like to avoid this frustration.
    I guess the easiest way would be to auto-delete inactive accounts 30mins after creation (to match the email token expiry). Do you know how I could achieve that ? Or maybe there is another way around.
    Anyway have a great day and thank you so much for your work !

    • @cooptonian · 1 year ago

      The email token/inactive user is good to prevent random sign-ups if you had open enrollment, however, since you are sending invites you can modify the flow to create active users if you'd like; which doesn't require email verification. The user would just get an email to the invitation enrollment page, as soon as they finish entering their info user write as an active account. Or if still wanting to use email but token timing out is the issue, you can always increase that duration also.

    • @SaladCesar2052 · 1 year ago

      @@cooptonian Thanks a lot for your answer. I am not using invites, I do have open enrollment. What I am planning to do later is that users by default will be in a group where they don't have access to any of my applications. I will set a notification when new users are created and I will manually approve them by placing them in the group with access. But I will try to do that later.
      For now with my enrollment, I will keep email verification necessary as I will need that email valid to notify my users from my services. Increasing the timing for the email token is an idea, but I don't want it to last for days and in the end it is still the same issue. If this user has missed the email or is not receiving it and wants to try again, his username is permanently locked until I manually delete the account myself. I see 2 ways out of this: either the inactive accounts are automatically deleted after a short period, or when accounts are created they are marked as active but are put in an "email not yet validated" group, where they can log in but login redirects them to the page where they need to validate their email. So they can't do anything until their email is validated. I think the 1st way is the simplest, but I guess both would work. I don't see how to do this though.

    • @cooptonian · 1 year ago

      ...in my mind, visually I can see creating an expression policy for your 2nd suggested solution. The 1st solution seems like it would fit in with 1 of the many tasks (if you look in the System Tasks menu under Dashboard) but those are hardcoded into authentik...I wish there was a create task button there. But I agree the 1st solution would be the best, logically.

    • @SaladCesar2052 · 1 year ago

      @@cooptonian I see, thanks a lot for your answer, it really helps a lot. I'm a beginner with expression policies. If I understood correctly, what I should do is:
      1. binding a policy to my user login stage that will login if in the "email validated" group or redirect to email validation flow if in "email not yet validated" group. I'm not sure if I should do a new flow for email validation only or if there is a way to redirect to the enrollment flow. What I am thinking of is a duplicate of my enrollment flow, which allow them to change their email if they made a mistake, but lock the username to avoid duplicate accounts. I think I can sort that out myself.
      2. create users as active right away before email validation, but in "email not yet validated" group
      3. Have the email validation move them to the right group instead of activating the account when completed. That is the part that I don't know how to do.

    • @cooptonian · 1 year ago

      sounds like a good start...I was thinking more of the line of user enters their name, email, and password for enrollment (inactive), write that to authentik and end the flow there (this way there isn't a token time running down). At next login, the expression checks if the user logging in is active via expression policy...if so, continue with login, if not prompt for email stage to confirm email (maybe follow the email stage with a prompt stage warning the user that they have a certain amount of time to confirm). This, however, again doesn't solve the issue if the user decides to ignore the warning and the token still times out.

  • @pedrofontes6482 · 7 months ago

    Great video! But is there a way, in the write stage, to have the user join more than one group?

  • @v-for-victory · 1 year ago · +1

    This is so great. Thanks a lot for your work here

  • @BoKKeR111 · 1 year ago · +1

    Second video from you on authentik which I watched, both have really helped me set this up, I work with oauth2 but still struggle at home with authentik :/

    • @cooptonian · 1 year ago

      Glad you have found them useful!

  • @luisliz · 8 months ago · +1

    That joke at the beginning was underrated. Laughed when I understood.

  • @second2falcon153 · 1 year ago · +1

    Love the videos since one of your videos actually helped me get authentik somewhat working in the first place. Sadly neither the recovery email flow nor the enrollment flow seem to be working. I am unsure if it's a config issue. You mentioned needing to reference the mail config from the .env in the docker compose, yet I haven't found any info about doing that. That might be my problem, but I can't find any info on it.
    Edit:
    Did it again today and for some reason it now works.

  • @julienquidam2247 · 16 days ago

    Hi! How can I add Google login on the enrollment page? I have already Google login on my login page

  • @andrep3950 · 1 year ago

    thanks, your videos are a great help.
    I don't think you should check the 'continue flow option' within the invitation stage otherwise the same link will never expire. I just tested it with the 2023-10 release

    • @cooptonian · 1 year ago

      Thanks, good to know...and I'll have to test that myself.

  • @RRR-vh8ni · 10 months ago

    Thanks @Cooptonian for the step by step guide for Authentik novices. I had a question about enrollment flow. Is there a way to control self enrollment i.e. enable it but control it either by requiring admin consent before account becomes active or limiting it by email domain.

    • @cooptonian · 10 months ago

      Yes, you should be able to do this with policies...

  • @Hikakin_Official · 2 months ago

    Thank you very much. This video is so useful for those who are new to Authentik like me :)

    • @cooptonian · 2 months ago

      Thanks and you're welcome!

  • @ChadE1020 · 2 years ago

    thank you sooo much for the help on this!

  • @edungdivinefavour6977 · 5 months ago

    I am using the API to create the users myself however, I want to generate a link they can click on to verify their email. How can i do this?

  • @Fluxzone90 · 2 years ago · +1

    Is there a third option whereby I can have a user enrol with the first flow, but then I get the option to approve or deny the enrollment?

    • @cooptonian · 2 years ago · +1

      ...I guess you can drop the email stage, their accounts would then be created but not active until you manually go in and activate the account. Just set up a new notification rule to be notified by email...unless you just check routinely.

  • @LeonRohr-xc4re · 5 months ago · +1

    Hey great vids! Unfortunately I'm getting "Request has been denied" (Unknown error) when using the invitation method. Link is valid and I've followed every step in the video. Even multiple times.

    • @cooptonian · 5 months ago

      ...if you tried and followed every step exactly, maybe you have a caching issue. Test in either incognito mode, another browser, or from different device and/or network.

  • @bballer11241 · 2 years ago

    This is awesome. Thanks a lot for this man! Do you know a way to only allow certain users to see certain applications?

    • @cooptonian · 2 years ago · +1

      Thanks! For certain users to see only certain apps you would have to go into each app and bind a policy, group, or user. For instance if you bind all apps to the Admin group, none of your users in the users group will see apps (because default with no policies, everyone can see all apps). Another example is you can put all the apps shared/common to all users under a group named 'common' then simply add users to that group to give them access...anyone not added will not have access. If you want to be even more granular, you can make each app its own group, then you'd have to add each user to each app group you want them to have access to. There are so many combinations you can do here.

    • @bballer11241 · 2 years ago

      @@cooptonian Awesome. Thanks for these man, you've been saving me a lot of headache. Keep it up!

    • @cooptonian · 2 years ago

      ...well, no one likes headaches! LOL...you're welcome

  • @BahaKhemeyssi · 9 months ago

    Amazing video! Thank you for the precious information! I'd be lost without you :) I have one question if you may: In my web app, a user is created and their password is set when they submit a form using the Authentik API. Everything seems to work, but the problem is I don't know how to send them a confirmation email since I'm not following any standard enrollment flows. Any ideas? Thank you in advance

    • @cooptonian · 9 months ago

      ...you can probably create an event policy for when a user is created, send an email

  • @SAS-Watcher · 2 years ago · +1

    Question what about if you want to leverage external authentication engines as Discord/Google/Apple but you want the user to have to be validated/approved prior to entry. Email the admin to approve?

    • @cooptonian · 2 years ago

      ...I'm not well versed in Python, but you would probably just create a new Prompt of email type and change the placeholder to be an expression that pulls/sets the email address to be that of the admin's...once the user clicks to continue, the email would then be sent to the admin. (An HTML template could also be created and copied to the Authentik host/container, tailored to this request for approval vs using the built-in account confirmation template...anyways, you may need to ask this question in the Discord for specifics...

  • @DJFlyteUK · 1 year ago · +1

    Thanks, this is helpful, but it would more helpful if you explained a bit about WHY you do all these things to set up the invitation flow. I don't currently understand what each of the individual components are for, or how they work in conjunction with one another. I'm struggling to find any material to help me understand these flows/stages/policies properly.

    • @cooptonian · 1 year ago

      ...yeah it was tough for me in the beginning as well with not much help. It's the reason I made these videos, to maybe help others on the basic level... A quick summary from what I understand is: the FLOW is the overall event you want to happen, the STAGES make up the flow (so these would be steps), and the policies modify the behavior of the stages to meet your particular needs (these are still tough for me as you need to write expressions with the correct syntax)

    • @kurban_s · 1 year ago

      Definitely agree with this comment. These videos are great but as I’ve only started using Authentik yesterday the whole Flow/Stages thing is still pretty confusing. For example, in the previous video you created a new flow, then modified the login flow in a way that didn’t seem to reference the reset password flow, and yet it still showed up on the page. I’m still trying to wrap my head around how that happened 😅 Really do appreciate the videos though, and would be amazing if you just did a “Here’s an Intro to Authentik video where I explain what these things are and how these flows/stages interact and how modifying them makes things show up on the page” kind of thing.

  • @ibra_ivan · 10 months ago

    Thank you for this video. I have followed your advice, but my enrolment flow gets "Request has been denied" (Unknown error). There is nothing in the Events > Logs. Nothing of note in docker logs. Authentik test mail can be sent from docker compose. Can't seem to put my finger on what is the issue. Using 2023.10 version.

    • @cooptonian · 10 months ago

      ...maybe your token expired? Or do you have a policy that is failing?

  • @robhedrick9162 · 2 years ago

    this is exactly what I was looking for thanks! Question, how might I require a user to select a 2fa method during enrollment?

    • @cooptonian · 2 years ago · +1

      You're welcome...I am actually working on a video for that now which may include a bonus of using Duo (which isn't straightforward)

    • @cooptonian · 2 years ago · +1

      ...here you go: ua-cam.com/video/whSBD8YbVlc/v-deo.html

  • @leoprisionero · 1 year ago

    hahah good joke at the beginning mate! thanks for the vids, they helped me a lot. Greetings from Colombia

  • @rguifa · 1 year ago

    Everything went smoothly. Just one thing has me thinking. With the invitation link, I fill out the form and submit it but it logs me in right away. In the video, the user is prompted to log in. My flow does have a User Login Stage at the bottom with name default-source-enrollment-login

    • @cooptonian · 1 year ago

      ...you can have the write stage as your last stage. With it not having a next stage it will kick you back to the login page. Or if you want it more elegantly done, after your write stage create/add a prompt stage of type 'static' as your last stage letting the newly enrolled user know that the process is complete or finished (this will leave a 'continue' button to be clicked on). The enrolled person clicks continue and it will bring up the login page...

    • @rguifa · 1 year ago

      @@cooptonian Thank you, I will try it tomorrow.

  • @Kirigaya__Yuuki · 2 years ago · +1

    Videos are definitely "Authentik" 😂

  • @rguifa · 1 year ago

    I have implemented Authentik with your videos and just realized that the sign up link still works even with the deny-enrollment stage binding created as described. Any ideas on how else I can get rid of the sign up option? If I turn off "evaluate on plan" on the deny-enrollment binding, then I get the expected error message. However, the enrollment via invitation link is also blocked, and the same error is shown.

    • @cooptonian · 1 year ago

      ...weird, it shouldn't work especially if it is at the top of the flow as it is the very first thing evaluated. Are you sure you are not pulling up a cached page? Maybe the latest version broke something? In any case, if you are done with enrollment from the main page, just remove the link. Edit your default authentication flow > Identification stage and remove the option for enrollment... You can probably also create a deny policy; for more info on that, it is best to ask in the discord for ideas...

    • @rguifa · 1 year ago

      @@cooptonian I tried removing the enrollment link and works, but if I paste the url then it loads the enrollment page. For some magical reason the expected error message now pops up again. There is no signup link now, the invitation works. Thanks

    • @cooptonian · 1 year ago

      @@rguifa sure, you're welcome!

  • @kareemschultz · 2 years ago

    Can you do one showing ldap integration?

    • @cooptonian · 2 years ago

      Another UA-cam user on here by the name of Rob Hedrick or better yet in the Authentik Discord server @Hooray4Rob has actually submitted a PR request that has been merged to Authentik's docs regarding Generic LDAP setup...have you seen it >> goauthentik.io/docs/providers/ldap/generic_setup ? It is pretty awesome as it is clear and concise with exact screenshots of the steps...

  • @war3zlod3r · 1 year ago

    I had this working but now after attempting to sign up I just get a spinning wheel and it never sends the email, verified I still have the correct settings in my .env

    • @cooptonian · 1 year ago

      ...check for errors in your event logs as well as docker logs to narrow your issue... Also check that all related authentik containers are up and running and haven't exited/stopped for whatever reason. If nothing has changed at all, doesn't hurt to just restart all the containers.

  • @lukasjajko · 10 months ago

    In which video do you set up password complexity? You refer to something, but do not link the actual video. I am confused.

    • @cooptonian · 10 months ago · +1

      ...previous to this video was my Authentik - Password Recovery Flow Setup ( ua-cam.com/video/NKJkYz0BIlA/v-deo.html )

    • @lukasjajko · 10 months ago · +1

      @@cooptonian thanks mate, your tutorials are awesome!

  • @CanerAras · 6 months ago

    How do I return to that application's main page after a successful login or registration?

    • @cooptonian · 6 months ago

      ...not sure what you mean? The application dashboard? The user would just need to login to the main authentik page after registering...

  • @john27638 · 2 years ago

    Not sure if this is possible with Authentik, but if it is possible, can you create a video on how to setup a flow that deactivates a user and forces them to change their password to get reactivated?

    • @cooptonian · 2 years ago

      ...yeah, I am not sure if this is possible or not either. But if it was, I imagine it would be through an expression policy. For example, if the last log in for a user currently logging in is more than 90 days (if the expression policy can check login logs), then force a password reset...but this would only trigger for that user currently logging in. What would be better would be some kind of cronjob that checks the length of time between logins then runs a script/authentik command to disable the user... Unfortunately, I didn't see any documentation for ALL Authentik command line commands available...
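
Two questions on this page ask for the same kind of housekeeping that authentik's built-in system tasks do not offer: @SaladCesar2052 wants inactive accounts whose e-mail token expired to be removed so the username is not locked forever, and the thread above asks for a cron-style job that deactivates users who have not logged in for 90 days. The script below is an added example of both, driven by authentik's REST API from cron; it is not code from the video or from authentik. Assumptions: the /api/v3/core/users/ list, DELETE and PATCH endpoints with their is_active, is_superuser, type, date_joined and last_login fields; a Bearer API token from an authentik service account; the pagination shape ({"pagination": {"next": ...}, "results": [...]}); and the AUTHENTIK_URL / AUTHENTIK_TOKEN environment variable names, which are chosen for this script. The 30-minute window is meant to match the e-mail stage's token expiry and must be adjusted if that was changed. The sample users in demo() are constructed.

```python
"""Account hygiene for authentik via its REST API (added example, not authentik's code).

Job 1: delete inactive internal accounts that never logged in and are older
       than the e-mail verification token lifetime (leftovers of abandoned
       enrollments).
Job 2: deactivate active internal accounts idle for more than 90 days.
Dry-run by default; pass --apply to change anything. Superusers and service
accounts are never touched. Endpoint/field names and the env var names
AUTHENTIK_URL / AUTHENTIK_TOKEN are assumptions for this example.
"""
import json
import os
import sys
import urllib.parse
import urllib.request
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

UNVERIFIED_MAX_AGE = timedelta(minutes=30)   # keep equal to the e-mail stage token expiry
DORMANT_MAX_AGE = timedelta(days=90)
USERS_PATH = "/api/v3/core/users/"


def _ts(value: Optional[str]) -> Optional[datetime]:
    """Parse an authentik ISO-8601 timestamp (may end in 'Z'); None stays None."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")) if value else None


def _eligible(u: Dict) -> bool:
    """Only ordinary internal accounts are ever selected."""
    return not u.get("is_superuser") and u.get("type") == "internal"


def select_unverified(users: List[Dict], now: datetime) -> List[Dict]:
    """Inactive, never-logged-in accounts older than UNVERIFIED_MAX_AGE.
    An inactive account that has a last_login was disabled on purpose and is skipped."""
    stale = []
    for u in users:
        if u.get("is_active") or not _eligible(u) or u.get("last_login"):
            continue
        joined = _ts(u.get("date_joined"))
        if joined is not None and now - joined > UNVERIFIED_MAX_AGE:
            stale.append(u)
    return stale


def select_dormant(users: List[Dict], now: datetime) -> List[Dict]:
    """Active accounts idle for longer than DORMANT_MAX_AGE (never-logged-in
    accounts are judged by date_joined instead)."""
    dormant = []
    for u in users:
        if not u.get("is_active") or not _eligible(u):
            continue
        last = _ts(u.get("last_login")) or _ts(u.get("date_joined"))
        if last is not None and now - last > DORMANT_MAX_AGE:
            dormant.append(u)
    return dormant


def _request(base: str, token: str, method: str, path: str, params=None, body=None):
    url = base.rstrip("/") + path + ("?" + urllib.parse.urlencode(params) if params else "")
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers={
        "Authorization": f"Bearer {token}", "Accept": "application/json",
        "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else None


def fetch_all_users(base: str, token: str) -> List[Dict]:
    """Page through the user list (pagination.next assumed to be 0/None on the last page)."""
    users, page = [], 1
    while True:
        batch = _request(base, token, "GET", USERS_PATH, {"page": page, "page_size": 200})
        results = batch.get("results", [])
        users.extend(results)
        if not results or not batch.get("pagination", {}).get("next"):
            return users
        page += 1


def run(base: str, token: str, apply: bool) -> Tuple[List[str], List[str]]:
    now = datetime.now(timezone.utc)
    users = fetch_all_users(base, token)
    deleted, deactivated = [], []
    for u in select_unverified(users, now):
        if apply:
            _request(base, token, "DELETE", f"{USERS_PATH}{u['pk']}/")
        deleted.append(u["username"])
    for u in select_dormant(users, now):
        if apply:
            _request(base, token, "PATCH", f"{USERS_PATH}{u['pk']}/", body={"is_active": False})
        deactivated.append(u["username"])
    return deleted, deactivated


def demo() -> Tuple[List[int], List[int]]:
    """Selection logic on constructed sample users; returns (unverified pks, dormant pks)."""
    now = datetime(2024, 11, 25, 12, 0, tzinfo=timezone.utc)
    base = {"is_superuser": False, "type": "internal"}
    users = [
        {**base, "pk": 1, "username": "fresh", "is_active": False, "date_joined": "2024-11-25T11:50:00Z", "last_login": None},
        {**base, "pk": 2, "username": "stale", "is_active": False, "date_joined": "2024-11-25T10:00:00.000000Z", "last_login": None},
        {**base, "pk": 3, "username": "disabled", "is_active": False, "date_joined": "2024-01-01T00:00:00Z", "last_login": "2024-06-01T00:00:00Z"},
        {**base, "pk": 4, "username": "dormant", "is_active": True, "date_joined": "2024-01-01T00:00:00Z", "last_login": "2024-06-01T00:00:00Z"},
        {**base, "pk": 5, "username": "admin", "is_active": True, "is_superuser": True, "date_joined": "2023-01-01T00:00:00Z", "last_login": "2024-01-01T00:00:00Z"},
        {**base, "pk": 6, "username": "svc", "is_active": True, "type": "service_account", "date_joined": "2023-01-01T00:00:00Z", "last_login": None},
        {**base, "pk": 7, "username": "recent", "is_active": True, "date_joined": "2024-01-01T00:00:00Z", "last_login": "2024-11-20T00:00:00Z"},
    ]
    return [u["pk"] for u in select_unverified(users, now)], [u["pk"] for u in select_dormant(users, now)]


if __name__ == "__main__":
    if "AUTHENTIK_URL" in os.environ and "AUTHENTIK_TOKEN" in os.environ:
        d, x = run(os.environ["AUTHENTIK_URL"], os.environ["AUTHENTIK_TOKEN"], "--apply" in sys.argv)
        print("deleted:", d, "deactivated:", x)
    else:
        print("demo selection (unverified, dormant):", demo())
```

Run it from cron every few minutes without --apply first and read the output; the deletion side is deliberately narrow (inactive, never logged in, older than the token window) so that an account an admin disabled by hand is never removed.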

  • @ItsDevOps · 1 year ago

    The one thing that authentik is better with is the registration process - authelia's process is too manual.

  • @geekyouth · 10 months ago

    The poor mosaic greatly reduces the quality of these videos.

  • @kevinkleiber · 1 year ago

    Amazing video, but I have a slightly different scenario to cover and need some help. My users just need to assign a password for themselves because their name, username and email are used to create their account beforehand. Now what I want is to send an email to each new user which tells them to set a password by following a link. Currently the accounts get created and the users have to set a password on their first login, but they don't get informed about the creation of their account. Any advice would be neat.

    • @cooptonian · 1 year ago

      ...you can add a custom prompt stage of type static at the very end of the flow to let them know the account has been created (this is a message prompt with a continue button). Once they click continue it just reloads the main login page (to add some actual logic to it, you can add an expression policy to check that the user exists). Or if you really want to send an email, add another email stage and use the reset password template.