Authentik m2m/machine-to-machine/service accounts AND OAuth2-Proxy

[ksaadDE]

The problem with OAuth-Proxy is that it only forwards to the default login page, which works quite well for normal human accounts, but not for m2m.

Currently Authentik's client_grant (for machine-to-machine/m2m/service-to-service) does not seem to work, which could return a JWT being passed down to Oauth2-proxy, which it could verify. As more specified in my second message of today.

Better would be OAuth2-Proxy requesting itself a Token via the Authentik Endpoint using the middleware. So it can only use the username + token. For that Authentik people and OAauth2-Proxy people could work together. To make m2m work with both via each other.

Furthermore, the docs are quite insufficient regarding m2m/service accounts, requesting and using tokens for it.

To setup service accounts and the tokens: Basically, one needs to add a service account, then link it with the provider and then manually add a token and copy it over (its not shown directly, and if the clip board permission is not given it is shown as a weird popup). More over, there are settings to set APP Password or API Token. Then the /application/o/token/ route is HTTP POST requested eventually returning a JWT access_token or a error message invalid grant.

How can we fix that? While it seems to be an issue on oauth2-proxy side. The benefit of usability, security, stability & ergonomics (instead of implementing Authentik calls in every backend service) outweights all our other efforts

OAuth2-Proxy Issues regarding M2M & the Feature request

• [Bug]: M2M Authentication not getting passed login page oauth2-proxy/oauth2-proxy#2944
• [Feature]: OAuth-Proxy supports Authentik m2m/service-to-service/machine-to-machine/service accounts oauth2-proxy/oauth2-proxy#2966

Authentik's client_credentials grant issues

• Misuse of client_credentials and password grant #6139
• How to setup Authentik for OAuth2 Password Grant? #5860

[ksaadDE]

OAuth2-Proxy Problem

Currently, OAuth2-Proxy can not do the request, as it only looks for the JWT and verifies it.

Thus a JWT access_token by Authentik could be externally be requested and passed down to OAuth2-Proxy which is a annoying solution.

A much preferable solution would be a direct implementation in the OAuth2-Proxy Go Middleware linked in the OAuth2-Proxy Feature Request: oauth2-proxy/oauth2-proxy#2966. Which has been done for other Auth/ID services.

So we can let OAuth-Proxy do the requests to Authentik after only receiving the username + token for m2m, then returning the JWT, storing it as with the other JWTs, and using the regular JWT flow for the m2m requests.

client_credentials grant issues

Authentik offers the OAuth2 client_credentials grant for machine-to-machine(M2M) or service-to-service, returning JWT access_tokens as correctly documented here: https://docs.goauthentik.io/docs/add-secure-apps/providers/oauth2/client_credentials

A lot of confusion exists around forementioned OAuth2 client_credentials grant that returns a JWT access_token on Authentik via API endpoint application/o/token

• Misuse of client_credentials and password grant #6139
• How to setup Authentik for OAuth2 Password Grant? #5860

Documentation Improvements required

As @BeryJu mentions in #5860, the documentation needs to be more precise and code examples where to find e.g. the Token and the Client_ID (Application ID or AUD) required for the request. The token is currently separated from the machine account in another Tab Tokens, below the so-called Directory, which is seemingly in the thought line of Active Directory. How to request the access_token via /application/o/token/ is documented but only

client_credentials grant not working

In my tests, even if configured in Tokens Tab as Api Token and Password Token, the Authentik endpoint returns the invalid_grant error message, as mentioned in issue #5860 (comment). For an example script, kindly look at my comment #5860 (comment)

My tiny mistake (HTTP Basic Auth from the issue)

Seemingly, I misunderstood a cruicial part in the issue mentioning HTTP Basic Auth in issue #4435 (comment). That part was about Nginx as outpost + Authentik + Authorization header, despite the docs not mentioning this functionality around nginx+BasicAuth either. (No idea about the details!)