Documentation ¶
Overview ¶
Package authentik provides an integration definition for Authentik (https://goauthentik.io), an open-source identity provider designed for self-hosted and on-premise deployments.
This integration connects an Authentik instance to OpenLane using API token authentication, enabling directory sync of users, groups, and group memberships for identity posture and access governance workflows.
Authentication ¶
The integration authenticates using a static API token generated from the Authentik admin panel. The token is scoped to a service account and passed as a Bearer token on every API request. No OAuth2 flow or token refresh is required.
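As an added illustration of the token flow described above (example code, not part of this package or the Authentik SDK): a credential is validated against the same sentinel errors the package documents, a RoundTripper attaches the static token as a Bearer header on every request, and a health check is run against a constructed stand-in server. The endpoint path `/api/v3/core/users/me/` and its `{"user": {...}}` response shape are assumptions made for the example; only the standard library is used.

```go
package main

import (
	"context"
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// Sentinel errors, named as the package documents them.
var (
	ErrAPITokenMissing   = errors.New("authentik: api token missing")
	ErrBaseURLMissing    = errors.New("authentik: base url missing")
	ErrHealthCheckFailed = errors.New("authentik: health check failed")
)

// Credential is a stand-in for the package's CredentialSchema.
type Credential struct {
	BaseURL string `json:"baseUrl"`
	Token   string `json:"token"`
}

// Validate rejects a credential that cannot produce an authenticated client.
func (c Credential) Validate() error {
	u, err := url.Parse(strings.TrimSpace(c.BaseURL))
	if err != nil || u.Scheme == "" || u.Host == "" {
		return ErrBaseURLMissing
	}
	if strings.TrimSpace(c.Token) == "" {
		return ErrAPITokenMissing
	}
	return nil
}

// bearerTransport adds the static token to every outgoing request.
type bearerTransport struct {
	token string
	next  http.RoundTripper
}

func (t bearerTransport) RoundTrip(req *http.Request) (*http.Response, error) {
	clone := req.Clone(req.Context()) // a RoundTripper must not modify the caller's request
	clone.Header.Set("Authorization", "Bearer "+t.token)
	return t.next.RoundTrip(clone)
}

// NewClient validates the credential and returns a client that authenticates as the service account.
func NewClient(c Credential) (*http.Client, error) {
	if err := c.Validate(); err != nil {
		return nil, err
	}
	return &http.Client{Transport: bearerTransport{token: c.Token, next: http.DefaultTransport}}, nil
}

// HealthCheck mirrors the package's HealthCheck result type.
type HealthCheck struct {
	PK       int32  `json:"pk"`
	Username string `json:"username"`
	Email    string `json:"email"`
}

// RunHealthCheck calls GET /api/v3/core/users/me/ (assumed here to return the token's own
// service account as {"user": {...}}) and wraps any failure in ErrHealthCheckFailed.
func RunHealthCheck(ctx context.Context, client *http.Client, baseURL string) (HealthCheck, error) {
	endpoint := strings.TrimRight(baseURL, "/") + "/api/v3/core/users/me/"
	req, err := http.NewRequestWithContext(ctx, http.MethodGet, endpoint, nil)
	if err != nil {
		return HealthCheck{}, fmt.Errorf("%w: %v", ErrHealthCheckFailed, err)
	}
	resp, err := client.Do(req)
	if err != nil {
		return HealthCheck{}, fmt.Errorf("%w: %v", ErrHealthCheckFailed, err)
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return HealthCheck{}, fmt.Errorf("%w: status %d", ErrHealthCheckFailed, resp.StatusCode)
	}
	var body struct {
		User HealthCheck `json:"user"`
	}
	if err := json.NewDecoder(resp.Body).Decode(&body); err != nil {
		return HealthCheck{}, fmt.Errorf("%w: %v", ErrHealthCheckFailed, err)
	}
	return body.User, nil
}

// NewFakeAuthentik starts a constructed stand-in server that accepts only validToken.
func NewFakeAuthentik(validToken string) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.URL.Path != "/api/v3/core/users/me/" {
			http.NotFound(w, r)
			return
		}
		if r.Header.Get("Authorization") != "Bearer "+validToken {
			http.Error(w, `{"detail":"Invalid token."}`, http.StatusForbidden)
			return
		}
		w.Header().Set("Content-Type", "application/json")
		fmt.Fprint(w, `{"user":{"pk":7,"username":"openlane-sync","email":"sync@example.test"}}`)
	}))
}

func main() {
	srv := NewFakeAuthentik("constructed-token")
	defer srv.Close()
	client, err := NewClient(Credential{BaseURL: srv.URL, Token: "constructed-token"})
	if err != nil {
		panic(err)
	}
	hc, err := RunHealthCheck(context.Background(), client, srv.URL)
	fmt.Printf("%+v err=%v\n", hc, err)
}
```

Because the transport clones the request before setting the header, the token is never written back into a request the caller may reuse or log, and a non-200 response is reported by status only rather than by echoing a server-controlled body.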
Directory Sync ¶
The directory sync operation pulls the following resources from the connected Authentik instance and normalizes them into OpenLane's internal directory schemas:
- DirectoryAccount: Authentik users (internal and external types)
- DirectoryGroup: Authentik groups with classification derived from is_superuser
- DirectoryMembership: Group membership relationships between accounts and groups
Users of type service_account and internal_service_account are included in the sync but mapped to the SERVICE account type. Group sync can be disabled via the DisableGroupSync option in UserInput.
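The normalization rules above, worked through as an added example (not the package's own Run implementation): users are mapped to DirectoryAccount with service-account types becoming SERVICE, groups are classified from is_superuser, memberships are emitted only for accounts that were actually synced, and DisableGroupSync short-circuits before any group work. The AuthentikUser and AuthentikGroup structs are constructed subsets of the fields the Authentik list endpoints return; the external-id prefixes and the STANDARD/PRIVILEGED labels are assumptions made for the example.

```go
package main

import "fmt"

type AccountType string
type GroupClassification string

const (
	AccountTypeUser    AccountType = "USER"
	AccountTypeService AccountType = "SERVICE"

	GroupStandard   GroupClassification = "STANDARD"
	GroupPrivileged GroupClassification = "PRIVILEGED"
)

// AuthentikUser and AuthentikGroup are constructed subsets of the Authentik user and
// group objects (user "type", group "is_superuser", and member user PKs).
type AuthentikUser struct {
	PK       int32
	Username string
	Email    string
	Type     string // internal, external, service_account, internal_service_account
	IsActive bool
}

type AuthentikGroup struct {
	PK          string // Authentik groups are keyed by UUID
	Name        string
	IsSuperuser bool
	UserPKs     []int32
}

// Normalized records, named after the page's DirectoryAccount/DirectoryGroup/DirectoryMembership.
type DirectoryAccount struct {
	ExternalID, Username, Email string
	Type                        AccountType
	Active                      bool
}

type DirectoryGroup struct {
	ExternalID, Name string
	Classification   GroupClassification
}

type DirectoryMembership struct{ GroupID, AccountID string }

type SyncOptions struct {
	DisableGroupSync bool // mirrors UserInput.DisableGroupSync
}

type SyncResult struct {
	Accounts    []DirectoryAccount
	Groups      []DirectoryGroup
	Memberships []DirectoryMembership
}

// accountTypeFor maps Authentik's user type to the normalized account type. An unknown
// type is rejected so a new upstream type is never silently treated as a human user.
func accountTypeFor(authentikType string) (AccountType, bool) {
	switch authentikType {
	case "internal", "external":
		return AccountTypeUser, true
	case "service_account", "internal_service_account":
		return AccountTypeService, true
	}
	return "", false
}

// Normalize converts fetched users and groups into directory records.
func Normalize(users []AuthentikUser, groups []AuthentikGroup, opts SyncOptions) SyncResult {
	var res SyncResult
	synced := make(map[int32]string, len(users)) // Authentik PK -> account external id
	for _, u := range users {
		t, ok := accountTypeFor(u.Type)
		if !ok {
			continue
		}
		id := fmt.Sprintf("authentik:user:%d", u.PK)
		synced[u.PK] = id
		res.Accounts = append(res.Accounts, DirectoryAccount{ExternalID: id, Username: u.Username, Email: u.Email, Type: t, Active: u.IsActive})
	}
	if opts.DisableGroupSync {
		return res // groups and memberships are skipped entirely
	}
	for _, g := range groups {
		class := GroupStandard
		if g.IsSuperuser {
			class = GroupPrivileged // members of a superuser group hold full admin rights in Authentik
		}
		gid := "authentik:group:" + g.PK
		res.Groups = append(res.Groups, DirectoryGroup{ExternalID: gid, Name: g.Name, Classification: class})
		for _, pk := range g.UserPKs {
			accountID, ok := synced[pk]
			if !ok {
				continue // a membership pointing at an unsynced user is dropped, never fabricated
			}
			res.Memberships = append(res.Memberships, DirectoryMembership{GroupID: gid, AccountID: accountID})
		}
	}
	return res
}

func main() {
	users := []AuthentikUser{{PK: 1, Username: "alice", Type: "internal", IsActive: true}, {PK: 2, Username: "ak-outpost", Type: "internal_service_account", IsActive: true}}
	groups := []AuthentikGroup{{PK: "c0ffee", Name: "authentik Admins", IsSuperuser: true, UserPKs: []int32{1, 2}}}
	res := Normalize(users, groups, SyncOptions{})
	fmt.Printf("%d accounts, %d groups, %d memberships\n", len(res.Accounts), len(res.Groups), len(res.Memberships))
}
```

Dropping memberships that reference users absent from the account set keeps the membership graph consistent with what was actually ingested; otherwise a privileged group could appear to contain an account OpenLane has no record of.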
Configuration ¶
The following options are available when connecting an Authentik instance:
- BaseURL: The base URL of the Authentik instance (e.g. https://authentik.mycompany.com)
- Token: A static API token generated from the Authentik admin panel
- DisableGroupSync: When true, only users are synced; groups and memberships are skipped
- PrimaryDirectory: Marks this installation as the authoritative source for identity holder enrichment
- FilterExpr: An optional CEL expression applied to records before ingestion
SDK ¶
This integration uses the official Authentik Go SDK (goauthentik.io/api/v3), which is generated from Authentik's OpenAPI schema and versioned per Authentik release. This ensures breaking API changes are caught at compile time when the SDK version is updated.
Index ¶
Constants ¶
This section is empty.
Variables ¶
var (
// ErrAPITokenMissing indicates the API token is missing from the credential
ErrAPITokenMissing = errors.New("authentik: api token missing")
// ErrBaseURLMissing indicates the Authentik base URL is missing from the credential
ErrBaseURLMissing = errors.New("authentik: base url missing")
// ErrClientType indicates the provided client is not the expected authentik client type
ErrClientType = errors.New("authentik: unexpected client type")
// ErrClientConfigInvalid indicates the Authentik client configuration is invalid
ErrClientConfigInvalid = errors.New("authentik: client config invalid")
// ErrCredentialEncode indicates the credential could not be serialized
ErrCredentialEncode = errors.New("authentik: credential encode failed")
// ErrCredentialDecode indicates the credential could not be deserialized
ErrCredentialDecode = errors.New("authentik: credential decode failed")
// ErrHealthCheckFailed indicates the health check request failed
ErrHealthCheckFailed = errors.New("authentik: health check failed")
// ErrDirectoryUsersFetchFailed indicates the users listing failed
ErrDirectoryUsersFetchFailed = errors.New("authentik: directory users fetch failed")
// ErrDirectoryGroupsFetchFailed indicates the groups listing failed
ErrDirectoryGroupsFetchFailed = errors.New("authentik: directory groups fetch failed")
// ErrDirectoryGroupMembersFetchFailed indicates the group members listing failed
ErrDirectoryGroupMembersFetchFailed = errors.New("authentik: directory group members fetch failed")
// ErrPayloadEncode indicates a provider payload could not be serialized
ErrPayloadEncode = errors.New("authentik: payload encode failed")
// ErrResultEncode indicates an operation result could not be serialized
ErrResultEncode = errors.New("authentik: result encode failed")
)
Functions ¶
Types ¶
type CredentialSchema ¶
type CredentialSchema struct {
// BaseURL is the base URL of the Authentik instance
BaseURL string `json:"baseUrl" jsonschema:"required,title=Base URL"`
// Token is the Authentik API token
Token string `json:"token" jsonschema:"required,title=API Token"`
}
CredentialSchema holds the Authentik instance credentials for one installation
type DirectorySync ¶
type DirectorySync struct{}
DirectorySync collects Authentik directory users, groups, and memberships for ingest
func (DirectorySync) IngestHandle ¶
func (d DirectorySync) IngestHandle() types.IngestHandler
IngestHandle adapts directory sync to the ingest operation registration boundary
func (DirectorySync) Run ¶
func (DirectorySync) Run(ctx context.Context, c *authentikSDK.APIClient, cfg UserInput, lastRunAt *time.Time) ([]types.IngestPayloadSet, error)
Run collects Authentik directory users, groups, and memberships
type HealthCheck ¶
type HealthCheck struct {
// PK is the Authentik user identifier
PK int32 `json:"pk"`
// Username is the Authentik service account username
Username string `json:"username"`
// Email is the Authentik service account email
Email string `json:"email"`
}
HealthCheck holds the result of an Authentik health check
func (HealthCheck) Handle ¶
func (h HealthCheck) Handle() types.OperationHandler
Handle adapts the health check to the generic operation registration boundary
func (HealthCheck) Run ¶
func (HealthCheck) Run(ctx context.Context, c *authentikSDK.APIClient) (json.RawMessage, error)
Run executes the Authentik health check
type InstallationMetadata ¶
type InstallationMetadata struct {
// Brand is the Authentik instance brand name
Brand string `json:"brand,omitempty"`
// Host is the HTTP host of the Authentik instance
Host string `json:"host,omitempty"`
// BaseURL is the base URL of the Authentik instance
BaseURL string `json:"baseUrl,omitempty"`
}
InstallationMetadata holds the stable Authentik instance identity for one installation
func (InstallationMetadata) InstallationIdentity ¶
func (m InstallationMetadata) InstallationIdentity() types.IntegrationInstallationIdentity
InstallationIdentity implements types.InstallationIdentifiable
type UserInput ¶
type UserInput struct {
// PrimaryDirectory marks this installation as the authoritative source for identity holder sync
PrimaryDirectory bool `` /* 165-byte string literal not displayed */
// DisableGroupSync when true only syncs users, skipping groups and memberships
DisableGroupSync bool `` /* 144-byte string literal not displayed */
// FilterExpr limits imported records to envelopes matching a CEL expression
FilterExpr string `` /* 181-byte string literal not displayed */
}
UserInput holds installation-specific configuration collected from the user