Digitalboard/digitalboard.core
5
2
Fork 0
Code Pull requests Releases Packages Activity Actions

feat: add ability to provision entra login sources using blueprints

Browse source
This commit is contained in:
Bert-Jan Fikse 2026-01-14 15:35:18 +01:00
parent 0106e8801f
commit 359622d17a
Signed by: bert-jan
GPG key ID: C1E0AB516AC16D1A
4 changed files with 100 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

24
roles/authentik/defaults/main.yml
View file

@ -74,3 +74,27 @@ authentik_oidc_apps: []
authentik_blueprint_env: [] authentik_blueprint_env: []
# GRAFANA_OIDC_CLIENT_ID: "grafana" # GRAFANA_OIDC_CLIENT_ID: "grafana"
# GRAFANA_OIDC_CLIENT_SECRET: "{{ vault_grafana_oidc_secret }}" # GRAFANA_OIDC_CLIENT_SECRET: "{{ vault_grafana_oidc_secret }}"
# ENTRA_TENANT_ID: "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
# ENTRA_CLIENT_ID: "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
# ENTRA_CLIENT_SECRET: "{{ vault_entra_client_secret }}"
# Oauth sources
authentik_entra_sources: []
# - slug: entra-id
# name: "Login with Entra"
# tenant_mode: single # single | common
# tenant_id_env: ENTRA_TENANT_ID
# client_id_env: ENTRA_CLIENT_ID
# client_secret_env: ENTRA_CLIENT_SECRET
# scopes:
# - openid
# - profile
# - email
# # add only if you really need group sync on login:
# # - https://graph.microsoft.com/GroupMember.Read.All
# Show Entra on login screen:
authentik_login_source_ids: []
# - "source-entra-entra-id"
authentik_identification_stage_name: default-authentication-identification

17
roles/authentik/tasks/main.yml
View file

@ -62,6 +62,21 @@
loop: "{{ authentik_proxy_outposts }}" loop: "{{ authentik_proxy_outposts }}"
register: outpost_bp register: outpost_bp
- name: Render Entra source blueprints
ansible.builtin.template:
src: blueprints/blueprint-source-entra.yaml.j2
dest: "{{ authentik_docker_volume_dir }}/blueprints/20-source-entra-{{ item.slug }}.yaml"
mode: "0644"
loop: "{{ authentik_entra_sources }}"
register: entra_bp
- name: Render login stage sources blueprint
ansible.builtin.template:
src: blueprints/blueprint-login-sources.yaml.j2
dest: "{{ authentik_docker_volume_dir }}/blueprints/21-login-sources.yaml"
mode: "0644"
register: login_bp
- name: Create docker-compose file for authentik - name: Create docker-compose file for authentik
template: template:
src: docker-compose.yml.j2 src: docker-compose.yml.j2
@ -78,5 +93,7 @@
(oidc_templates is defined and (oidc_templates.results | selectattr('changed') | list | length > 0)) (oidc_templates is defined and (oidc_templates.results | selectattr('changed') | list | length > 0))
or (proxy_templates is defined and (proxy_templates.results | selectattr('changed') | list | length > 0)) or (proxy_templates is defined and (proxy_templates.results | selectattr('changed') | list | length > 0))
or (outpost_bp is defined and (outpost_bp.results | selectattr('changed') | list | length > 0)) or (outpost_bp is defined and (outpost_bp.results | selectattr('changed') | list | length > 0))
or (entra_bp is defined and (entra_bp.results | selectattr('changed') | list | length > 0))
or (login_bp is defined and login_bp.changed)
) | ternary('always','auto') ) | ternary('always','auto')
}} }}

18
roles/authentik/templates/blueprints/blueprint-login-sources.yaml.j2 Normal file
View file

@ -0,0 +1,18 @@
# yaml-language-server: $schema=https://goauthentik.io/blueprints/schema.json
version: 1
metadata:
name: "login-sources"
labels:
blueprints.goauthentik.io/instantiate: "true"
blueprints.goauthentik.io/description: "Set sources on the identification stage"
entries:
- model: authentik_stages_identification.identificationstage
identifiers:
name: "{{ authentik_identification_stage_name }}"
attrs:
# NOTE: this SETS the sources list (it doesnt append).
sources:
{% for src_id in authentik_login_source_ids %}
- !KeyOf {{ src_id }}
{% endfor %}

40
roles/authentik/templates/blueprints/blueprint-source-entra.yaml.j2 Normal file
View file

@ -0,0 +1,40 @@
# yaml-language-server: $schema=https://goauthentik.io/blueprints/schema.json
version: 1
metadata:
name: "source-entra-{{ item.slug }}"
labels:
blueprints.goauthentik.io/instantiate: "true"
blueprints.goauthentik.io/description: "Microsoft Entra ID OAuth source ({{ item.slug }})"
entries:
- model: authentik_sources_oauth.oauthsource
id: source-entra-{{ item.slug }}
identifiers:
slug: {{ item.slug }}
attrs:
name: "{{ item.name | default('Microsoft Entra ID') }}"
slug: {{ item.slug }}
# Authentiks OAuth sources support vendor-specific types.
# Entra guide calls it “Entra ID OAuth Source”.
provider_type: entraid
consumer_key: !Env {{ item.client_id_env }}
consumer_secret: !Env {{ item.client_secret_env }}
scopes:
{% for s in (item.scopes | default(['openid','profile','email'])) %}
- {{ s }}
{% endfor %}
{% if (item.tenant_mode | default('single')) == 'single' %}
authorization_url: !Format ["https://login.microsoftonline.com/%s/oauth2/v2.0/authorize", !Env {{ item.tenant_id_env }}]
access_token_url: !Format ["https://login.microsoftonline.com/%s/oauth2/v2.0/token", !Env {{ item.tenant_id_env }}]
profile_url: "https://graph.microsoft.com/v1.0/me"
oidc_jwks_url: !Format ["https://login.microsoftonline.com/%s/discovery/v2.0/keys", !Env {{ item.tenant_id_env }}]
{% else %}
authorization_url: "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
access_token_url: "https://login.microsoftonline.com/common/oauth2/v2.0/token"
profile_url: "https://graph.microsoft.com/v1.0/me"
oidc_jwks_url: "https://login.microsoftonline.com/common/discovery/v2.0/keys"
{% endif %}