Feb '24
Your article says "Remember how we setup a groups property-mapper when deploying authentik?"
I don't see this step in the deploying authentik article. I tried adding a groups Scope mapping in authentik with the expression `return user.groups`, but I'm not getting the groups in the token.
It appears that groups should come back automatically as part of authentik's default OAuth Mapping: OpenID 'profile', as its expression contains `"groups": [group.name for group in request.user.ak_groups.all()],`, but it is not.
I've also tried appending `--exec-arg=--oidc-extra-scope=groups` to the `kubectl config set-credentials oidc` command, with no luck.
Any ideas?
Thanks!
Mar '24
Apr '24
▶ turtlebits
Hey, just ran into this same issue. Adding `--exec-arg=--oidc-extra-scope=profile` to the login command seems to work, as groups get returned when requesting that scope.
Aug '24
This references a `cluster-admin` role to map to the group, but no roles are in Authentik by default. Am I missing a step, or do I just create a placeholder role for now and add it to that group? I noticed this "Setup Authentik for Kubernetes Authentication" page is missing, so I was worried I missed a step or two.
Aug '24
▶ thaynes43
`cluster-admin` is a standard Kubernetes ClusterRole, which is basically "god mode". You don't need to add it to Authentik; this step is preparing the way to configure Kubernetes to assign the `cluster-admin` ClusterRole to authentik users in the `admin-kube-apiserver` group. You can safely proceed, you've not missed a step.
Aug '24
Ah thanks! That makes sense. I'm not sure I caught this bit though:
"Remember how we setup a groups property-mapper when deploying authentik? When kube-apiserver requests the `groups` scope from Authentik, the mapper will return all a user's group names."
I don't think I have anything linking the CRD to the group in Authentik. I'll keep poking around.
Aug '24
▶ thaynes43
OK, I figured out how to get the group from authentik to map to the ClusterRole via the ClusterRoleBinding. I had to add `- "oidc-groups-prefix=oidc:"` to the config.yaml in the k3s folder and access was granted! Thanks for the tutorials, will hit the dashboard up next to see this in action.
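The two failure modes discussed in this thread (the `groups` claim only showing up when the `profile` scope is requested, and a ClusterRoleBinding subject not matching because of `--oidc-groups-prefix`) can be reproduced offline with the following added example. This is not code from the thread, the tutorial, or the authentik project; it is a small model written for this discussion. It assumes the behaviour reported above (authentik's default `profile` mapping is what carries the `groups` expression), a constructed user with the `admin-kube-apiserver` group, and a constructed, unsigned ID token used purely for inspecting claims. The issuer URL and user name are placeholders.

```python
import base64
import json

# Constructed sample user: a member of the thread's admin-kube-apiserver group
# plus one unrelated group.
USER_GROUPS = ["admin-kube-apiserver", "developers"]

# Constructed ClusterRoleBinding, as the tutorial's mapping would look once
# kube-apiserver runs with oidc-groups-prefix=oidc: (values are assumptions).
ADMIN_BINDING = {
    "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
    "subjects": [{"kind": "Group", "name": "oidc:admin-kube-apiserver"}],
}


def build_id_token_claims(requested_scopes, user_groups, subject="alice"):
    """Model of the scope-to-claims behaviour reported in the thread:
    the 'groups' claim is emitted only when the 'profile' scope is requested,
    because authentik's default OpenID 'profile' mapping carries the groups
    expression. This mirrors the thread's observation, not authentik's code."""
    claims = {
        "iss": "https://authentik.example.invalid/application/o/kubernetes/",  # placeholder issuer
        "sub": subject,
    }
    if "profile" in requested_scopes:
        claims["groups"] = list(user_groups)
    return claims


def _b64url(obj):
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def encode_unsigned_jwt(claims):
    """Build an alg=none token (header.payload. with an empty signature).
    Only for inspecting claims locally; a real apiserver verifies the signature."""
    return f"{_b64url({'alg': 'none', 'typ': 'JWT'})}.{_b64url(claims)}."


def decode_jwt_payload(token):
    """Return the payload claims of a JWT as a dict (no signature check)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def apiserver_groups(claims, groups_claim="groups", groups_prefix=""):
    """The group names kube-apiserver derives from the token: the claim named by
    --oidc-groups-claim, each entry prefixed with --oidc-groups-prefix."""
    return [groups_prefix + g for g in claims.get(groups_claim, [])]


def binding_grants(binding, role, groups):
    """True if the ClusterRoleBinding grants `role` to a user in any of `groups`."""
    if binding["roleRef"]["name"] != role:
        return False
    return any(s["kind"] == "Group" and s["name"] in groups for s in binding["subjects"])


def check(requested_scopes, groups_prefix):
    """End-to-end: scopes requested at login -> ID token -> apiserver groups -> RBAC."""
    token = encode_unsigned_jwt(build_id_token_claims(requested_scopes, USER_GROUPS))
    groups = apiserver_groups(decode_jwt_payload(token), "groups", groups_prefix)
    return binding_grants(ADMIN_BINDING, "cluster-admin", groups)


if __name__ == "__main__":
    # Requesting a custom 'groups' scope yields no groups claim at all.
    print("groups scope, prefix oidc: ->", check(["openid", "email", "groups"], "oidc:"))
    # 'profile' yields the claim, but without the prefix the binding subject never matches.
    print("profile scope, no prefix  ->", check(["openid", "email", "profile"], ""))
    # 'profile' plus oidc-groups-prefix=oidc: is the combination that worked in the thread.
    print("profile scope, prefix oidc: ->", check(["openid", "email", "profile"], "oidc:"))
```

Running the block prints `False`, `False`, `True` for the three cases. The middle case is the quiet one to watch for: the token is fine and the groups claim is present, but the binding names `oidc:admin-kube-apiserver` while the apiserver sees plain `admin-kube-apiserver`, so no RBAC rule matches and requests are denied without any hint about the prefix.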