Skip to content

How to Configure Authentik OIDC

Configure OIDC authentication using Authentik and Terraform automation.

make tf-init
make tf-apply

Terraform creates: - OIDC provider - OAuth2 application - Test users (alice, bob, charlie) - Updates .env with client secret

Manual Setup

1. Access Authentik Admin

make auth-password

Open http://authentik-server:9000 and login as akadmin.

2. Create OIDC Provider

  1. Admin > Providers > Create
  2. Select OAuth2/OpenID Provider
  3. Configure:
  4. Name: webapp-provider
  5. Authorization flow: default-provider-authorization-implicit-consent
  6. Client type: Confidential
  7. Client ID: webapp
  8. Redirect URIs: http://localhost:8000/auth/callback

3. Create Application

  1. Admin > Applications > Create
  2. Configure:
  3. Name: FastAPI Topaz Webapp
  4. Slug: webapp
  5. Provider: webapp-provider
  6. Launch URL: http://localhost:8000

4. Create Test Users

  1. Directory > Users > Create
  2. For each user:
  3. Username: alice, bob, charlie
  4. Email: alice@example.com, etc.
  5. Password: password

5. Update .env

OIDC_CLIENT_ID=webapp
OIDC_CLIENT_SECRET=<from provider>
OIDC_ISSUER=http://authentik-server:9000/application/o/webapp/

6. Restart Webapp

docker-compose restart webapp

Terraform Configuration

Provider Setup

File: terraform/authentik-webapp/providers.tf

terraform {
  required_providers {
    authentik = {
      source  = "goauthentik/authentik"
      version = "~> 2024.0"
    }
  }
}

provider "authentik" {
  url   = "http://localhost:9000"
  token = var.authentik_token
}

Add Users

File: terraform/authentik-webapp/variables.tf

variable "test_users" {
  default = [
    {
      username = "alice"
      name     = "Alice Smith"
      email    = "alice@example.com"
      password = "password"
    },
    {
      username = "bob"
      name     = "Bob Jones"
      email    = "bob@example.com"
      password = "password"
    },
  ]
}

Apply changes: 

make tf-apply

Bootstrap Token

The bootstrap token enables Terraform API access:

# env.authentik
AUTHENTIK_BOOTSTRAP_TOKEN=changeme-bootstrap-token
AUTHENTIK_BOOTSTRAP_PASSWORD=adminpass

Terraform uses this token: 

export TF_VAR_authentik_token=$(grep AUTHENTIK_BOOTSTRAP_TOKEN env.authentik | cut -d= -f2)

Troubleshooting

Cannot connect to Authentik

curl http://localhost:9000/-/health/ready/

Token invalid

grep AUTHENTIK_BOOTSTRAP_TOKEN env.authentik
make tf-init

Reset Authentik

make wipe-auth
make up
make tf-apply

Security Notes

For production: 1. Generate strong random secrets 2. Enable HTTPS 3. Use environment variable injection 4. Rotate bootstrap token 5. Restrict admin access

See Also