Bash/elk-stack-scripts
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
006532e81dd0e56c68e7895b4385e4f072fdf390
elk-stack-scripts/configure-authentik-oidc.sh
tsvetkov 006532e81d add bash scripts for elk stack
2026-02-27 09:48:42 +00:00

116 lines
5.4 KiB
Bash
Raw Blame History

#!/usr/bin/env bash
# =============================================================================
# configure-authentik-oidc.sh
# Configures Authentik with an OIDC Provider and Application for Kibana SSO
# Run AFTER Authentik is fully started and accessible
# =============================================================================
set -euo pipefail
AUTHENTIK_URL="${1:-http://localhost:9000}"
BOOTSTRAP_TOKEN="${2:-bootstrap-token-elk-lab-2024}"
KIBANA_URL="https://kibana.elk.local:30443"
AUTH_HEADER="Authorization: Bearer ${BOOTSTRAP_TOKEN}"
CT="Content-Type: application/json"
echo "=== Configuring Authentik OIDC for Kibana ==="
echo "Authentik URL: ${AUTHENTIK_URL}"
# Wait for Authentik
echo ">>> Waiting for Authentik API..."
until curl -sf "${AUTHENTIK_URL}/-/health/ready/" > /dev/null 2>&1; do
echo " Waiting..."
sleep 5
done
echo " Authentik is ready!"
# --- Step 1: Create a Certificate-Key Pair (optional, for signed JWTs) ---
echo ">>> Creating certificate key pair..."
CERT_RESP=$(curl -sf -X POST "${AUTHENTIK_URL}/api/v3/crypto/certificatekeypairs/generate/" \
-H "${AUTH_HEADER}" -H "${CT}" \
-d '{
"common_name": "kibana-oidc-signing",
"subject_alt_name": "kibana.elk.local",
"validity_days": 365
}' 2>/dev/null || echo '{}')
CERT_ID=$(echo "$CERT_RESP" | python3 -c "import sys,json; print(json.load(sys.stdin).get('pk',''))" 2>/dev/null || echo "")
echo " Certificate ID: ${CERT_ID:-skipped}"
# --- Step 2: Create Scope Mappings (if not already present) ---
echo ">>> Checking scope mappings..."
SCOPES_RESP=$(curl -sf "${AUTHENTIK_URL}/api/v3/propertymappings/scope/?ordering=scope_name" \
-H "${AUTH_HEADER}" 2>/dev/null || echo '{"results":[]}')
# --- Step 3: Create OIDC Provider ---
echo ">>> Creating OIDC Provider for Kibana..."
PROVIDER_BODY=$(cat <<PROVIDER_JSON
{
"name": "Kibana OIDC Provider",
"authorization_flow": "default-provider-authorization-implicit-consent",
"client_type": "confidential",
"client_id": "kibana",
"client_secret": "kibana-client-secret-2024",
"redirect_uris": "${KIBANA_URL}/api/security/oidc/callback",
"signing_key": ${CERT_ID:+\"$CERT_ID\"}${CERT_ID:-null},
"sub_mode": "user_username",
"issuer_mode": "per_provider",
"access_code_validity": "minutes=1",
"access_token_validity": "minutes=5",
"refresh_token_validity": "days=30"
}
PROVIDER_JSON
)
PROVIDER_RESP=$(curl -sf -X POST "${AUTHENTIK_URL}/api/v3/providers/oauth2/" \
-H "${AUTH_HEADER}" -H "${CT}" \
-d "${PROVIDER_BODY}" 2>/dev/null || echo '{}')
PROVIDER_ID=$(echo "$PROVIDER_RESP" | python3 -c "import sys,json; print(json.load(sys.stdin).get('pk',''))" 2>/dev/null || echo "")
if [ -z "$PROVIDER_ID" ]; then
echo " Provider may already exist, looking it up..."
PROVIDER_ID=$(curl -sf "${AUTHENTIK_URL}/api/v3/providers/oauth2/?search=Kibana" \
-H "${AUTH_HEADER}" | python3 -c "import sys,json; r=json.load(sys.stdin)['results']; print(r[0]['pk'] if r else '')" 2>/dev/null || echo "")
fi
echo " Provider ID: ${PROVIDER_ID}"
# --- Step 4: Create Application ---
echo ">>> Creating Kibana Application..."
APP_RESP=$(curl -sf -X POST "${AUTHENTIK_URL}/api/v3/core/applications/" \
-H "${AUTH_HEADER}" -H "${CT}" \
-d "{
\"name\": \"Kibana\",
\"slug\": \"kibana\",
\"provider\": ${PROVIDER_ID},
\"meta_launch_url\": \"${KIBANA_URL}\",
\"meta_description\": \"ELK Stack - Kibana Dashboard\",
\"policy_engine_mode\": \"any\"
}" 2>/dev/null || echo '{}')
APP_SLUG=$(echo "$APP_RESP" | python3 -c "import sys,json; print(json.load(sys.stdin).get('slug',''))" 2>/dev/null || echo "")
if [ -z "$APP_SLUG" ]; then
echo " Application may already exist."
APP_SLUG="kibana"
fi
echo " Application slug: ${APP_SLUG}"
echo ""
echo "╔══════════════════════════════════════════════════════════════╗"
echo "║ Authentik OIDC Configuration Complete! ║"
echo "╠══════════════════════════════════════════════════════════════╣"
echo "║ ║"
echo "║ OIDC Provider: Kibana OIDC Provider ║"
echo "║ Client ID: kibana ║"
echo "║ Client Secret: kibana-client-secret-2024 ║"
echo "║ Application: kibana ║"
echo "║ ║"
echo "║ Issuer URL: ║"
echo "${AUTHENTIK_URL}/application/o/kibana/ ║"
echo "║ ║"
echo "║ Endpoints: ║"
echo "║ Authorization: .../application/o/authorize/ ║"
echo "║ Token: .../application/o/token/ ║"
echo "║ UserInfo: .../application/o/userinfo/ ║"
echo "║ JWKS: .../application/o/kibana/jwks/ ║"
echo "║ ║"
echo "╚══════════════════════════════════════════════════════════════╝"
Reference in New Issue View Git Blame Copy Permalink