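#!/usr/bin/env bash
# =============================================================================
# configure-authentik-oidc.sh
# Configures Authentik with an OIDC Provider and Application for Kibana SSO
# Run AFTER Authentik is fully started and accessible
#
# Usage: configure-authentik-oidc.sh [AUTHENTIK_URL] [BOOTSTRAP_TOKEN] [KIBANA_URL]
#   $1 - base URL of the Authentik instance        (default: http://localhost:9000)
#   $2 - bootstrap API token                       (default: the lab token below)
#   $3 - Kibana launch URL for the application     (default: https://kibana.elk.local:30443)
#
# The token is passed on argv, so it is visible in `ps` and shell history;
# the built-in default is a lab value and must be overridden anywhere else.
# Requires: bash, curl, python3 (used as the JSON parser).
# =============================================================================
set -euo pipefail

readonly AUTHENTIK_URL="${1:-http://localhost:9000}"
readonly BOOTSTRAP_TOKEN="${2:-bootstrap-token-elk-lab-2024}"
readonly KIBANA_URL="${3:-https://kibana.elk.local:30443}"
readonly AUTH_HEADER="Authorization: Bearer ${BOOTSTRAP_TOKEN}"
readonly CT="Content-Type: application/json"
# Readiness polling is bounded so a broken deployment fails instead of hanging forever.
readonly READY_MAX_ATTEMPTS=60
readonly READY_SLEEP_SECS=5

# Every API response below is parsed with python3; without it every id would
# silently come back empty, so check once up front.
if ! command -v python3 >/dev/null 2>&1; then
  printf 'ERROR: python3 is required to parse Authentik API responses\n' >&2
  exit 1
fi

printf '=== Configuring Authentik OIDC for Kibana ===\n'
printf 'Authentik URL: %s\n' "${AUTHENTIK_URL}"

# Wait for Authentik (bounded; see READY_MAX_ATTEMPTS)
printf '>>> Waiting for Authentik API...\n'
attempt=0
until curl -sf "${AUTHENTIK_URL}/-/health/ready/" > /dev/null 2>&1; do
  attempt=$((attempt + 1))
  if (( attempt >= READY_MAX_ATTEMPTS )); then
    printf 'ERROR: Authentik not ready after %d attempts, giving up\n' "${attempt}" >&2
    exit 1
  fi
  printf '  Waiting...\n'
  sleep "${READY_SLEEP_SECS}"
done
printf '  Authentik is ready!\n'

# --- Step 1: Create a Certificate-Key Pair (optional, for signed JWTs) ---
# Best-effort: a failed generate call yields an empty CERT_ID and the script
# continues, so a missing certificate is reported as "skipped", not as an error.
printf '>>> Creating certificate key pair...\n'
CERT_RESP=$(curl -sf -X POST "${AUTHENTIK_URL}/api/v3/crypto/certificatekeypairs/generate/" \
  -H "${AUTH_HEADER}" -H "${CT}" \
  -d '{ "common_name": "kibana-oidc-signing", "subject_alt_name": "kibana.elk.local", "validity_days": 365 }' \
  2>/dev/null || echo '{}')
CERT_ID=$(python3 -c "import sys,json; print(json.load(sys.stdin).get('pk',''))" \
  <<<"${CERT_RESP}" 2>/dev/null || echo "")
printf '  Certificate ID: %s\n' "${CERT_ID:-skipped}"

# --- Step 2: Create Scope Mappings (if not already present) ---
# Still best-effort, but a failure here is the first authenticated GET and is
# the usual symptom of a rejected bootstrap token, so surface it on stderr
# rather than silently carrying on with an empty result set.
# NOTE(review): SCOPES_RESP is not consumed by anything visible in this copy.
printf '>>> Checking scope mappings...\n'
if ! SCOPES_RESP=$(curl -sf "${AUTHENTIK_URL}/api/v3/propertymappings/scope/?ordering=scope_name" \
    -H "${AUTH_HEADER}" 2>/dev/null); then
  printf 'WARNING: could not list scope mappings (is the bootstrap token valid?)\n' >&2
  SCOPES_RESP='{"results":[]}'
fi

# --- Step 3: Create OIDC Provider ---
printf '>>> Creating OIDC Provider for Kibana...\n'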
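# NOTE(review): the here-document that built PROVIDER_BODY and the curl POST
# that assigned PROVIDER_RESP are missing from this copy of the script — only
# the tail of the statement survives on the next line — so PROVIDER_RESP is
# never set here. Until the provider body is restored, creation is effectively
# skipped and the search below is the only way to obtain a provider id.
PROVIDER_BODY=$(cat </dev/null || echo '{}')
# ${PROVIDER_RESP:-} keeps `set -u` from tripping on the unassigned variable.
PROVIDER_ID=$(python3 -c "import sys,json; print(json.load(sys.stdin).get('pk',''))" \
  <<<"${PROVIDER_RESP:-}" 2>/dev/null || echo "")
if [[ -z "${PROVIDER_ID}" ]]; then
  printf '  Provider may already exist, looking it up...\n'
  # Takes the first search hit; assumes only one provider matches "Kibana".
  PROVIDER_ID=$(curl -sf "${AUTHENTIK_URL}/api/v3/providers/oauth2/?search=Kibana" \
    -H "${AUTH_HEADER}" 2>/dev/null \
    | python3 -c "import sys,json; r=json.load(sys.stdin)['results']; print(r[0]['pk'] if r else '')" \
      2>/dev/null || echo "")
fi
# An empty id would otherwise be interpolated into the application body as
# `"provider": ,`, which the API rejects; fail here with a clear message.
if [[ -z "${PROVIDER_ID}" ]]; then
  printf 'ERROR: no OIDC provider id (creation failed and none found by search); aborting\n' >&2
  exit 1
fi
printf '  Provider ID: %s\n' "${PROVIDER_ID}"

# --- Step 4: Create Application ---
# The body is encoded with json.dumps so KIBANA_URL is escaped properly rather
# than pasted into a string-built JSON document. The provider pk is numeric,
# exactly as the original unquoted interpolation assumed.
printf '>>> Creating Kibana Application...\n'
APP_BODY=$(python3 -c 'import json,sys; print(json.dumps({"name": "Kibana", "slug": "kibana", "provider": int(sys.argv[1]), "meta_launch_url": sys.argv[2], "meta_description": "ELK Stack - Kibana Dashboard", "policy_engine_mode": "any"}))' \
  "${PROVIDER_ID}" "${KIBANA_URL}")
APP_RESP=$(curl -sf -X POST "${AUTHENTIK_URL}/api/v3/core/applications/" \
  -H "${AUTH_HEADER}" -H "${CT}" \
  -d "${APP_BODY}" 2>/dev/null || echo '{}')
APP_SLUG=$(python3 -c "import sys,json; print(json.load(sys.stdin).get('slug',''))" \
  <<<"${APP_RESP}" 2>/dev/null || echo "")
if [[ -z "${APP_SLUG}" ]]; then
  # A failed POST is assumed to be a slug collision; the lookup is not verified.
  printf '  Application may already exist.\n'
  APP_SLUG="kibana"
fi
printf '  Application slug: %s\n' "${APP_SLUG}"

#######################################
# Prints one padded row of the summary box.
# Arguments: $1 - row text (left-aligned in a 60-column cell)
# Outputs:   the row to stdout
#######################################
box() {
  printf '║ %-60s ║\n' "$1"
}

# The client id/secret shown here are the lab values expected in the provider
# body; printing the secret to stdout is fine for a throwaway lab but this
# output should not be captured into shared logs elsewhere.
printf '\n'
printf '╔══════════════════════════════════════════════════════════════╗\n'
box ' Authentik OIDC Configuration Complete!'
printf '╠══════════════════════════════════════════════════════════════╣\n'
box ''
box ' OIDC Provider:  Kibana OIDC Provider'
box ' Client ID:      kibana'
box ' Client Secret:  kibana-client-secret-2024'
box ' Application:    kibana'
box ''
box ' Issuer URL:'
box "   ${AUTHENTIK_URL}/application/o/kibana/"
box ''
box ' Endpoints:'
box '   Authorization: .../application/o/authorize/'
box '   Token:         .../application/o/token/'
box '   UserInfo:      .../application/o/userinfo/'
box '   JWKS:          .../application/o/kibana/jwks/'
box ''
printf '╚══════════════════════════════════════════════════════════════╝\n'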