Tandoor Recipes Integration with Authentik


My wife has shown some interest in using Tandoor Recipes, and instead of having her remember a number of different usernames and passwords for the applications I'm playing with, or having to manage a number of different usernames and passwords for her, I would prefer to integrate it with Authentik to streamline her access. I found the following documentation, which, along with my notes from BookStack's integration, I am hopeful will be enough to piece it together.

Steps performed in AUTHENTIK Security

  • I Navigate to the Admin Interface
  • I click on the Applications header
  • I click on Providers
  • I then click on Create

My next step is to select the type of provider. The documentation doesn't spell it out directly, but it looks like it is saying Tandoor uses Django Allauth, which supports OpenID. So that seems like the best course to start down. It does look like Tandoor has some additional documentation for using LDAP. If I fail with OpenID I can fall back and try LDAP.

  • I select OAuth2/OpenID provider
  • I click Next
  • Name: Tandoor-Recipes
  • Authentication flow: blank
  • Authorization flow: default-provider-authentication-explicit-consent (Authorize Application)
  • Client Type: Confidential
  • Client ID: XXXXXXXXXXXX
  • Client Secret: XXXXXXXXXXXXX
  • Redirect URIs/Origins (RegEx): https://tandoor.domain.com/accounts/authentik/login/callback
  • Signing Key: authentik Self-signed Certificate
  • I click on Finish
  • I navigate to Applications
  • I click on Create
    • Name: Tandoor-Recipes
    • Slug: tandoor-recipes
    • Provider: Tandoor-Recipes
    • I click on Create

Steps performed on Tandoor Recipes via DOCKER-01

  • cd /apps/Tandoor-Recipes

It looks like I am supposed to set up the variables server_url, client_id, and secret in the .env file. Except none of those are actual variables in Tandoor's documentation. I can map this out. It looks like server_url would map to SOCIAL_PROVIDERS. I'm assuming client_id matches up with REMOTE_USER_AUTH. I believe secret would correspond with SECRET_KEY.

  • sudo nano .env
  • I add the following:
# Using Authentik OAuth2/OpenID for authentication.
SOCIAL_PROVIDERS=allauth.socialaccount.providers.openid
SOCIALACCOUNT_PROVIDERS={"openid":{"SERVER":"https://authentik.domain.com"}}
REMOTE_USER_AUTH=1
SOCIAL_DEFAULT_ACCESS=1
SOCIAL_DEFAULT_GROUP=guest
  • I save the file .env
  • sudo docker-compose stop
  • sudo docker-compose up -d

Well, it is now showing up with the Social Login options of Yahoo, Hyves, and Sign in using OpenID. The Sign in with OpenID option wants me to type in a URL, which throws an error if I type in Authentik's address. It seems like I need to update some OpenID configuration file, but I can't find any information on where that might actually live.

What if I switch over and try LDAP instead? Nope, I can't seem to get that to work either. After reading for a little bit longer I find an additional thread on GitHub that helps me out. Here's what I ended up having to do:

Steps performed in Authentik Security

  • I navigate to Applications header
  • I click on Providers
    • I select OAuth2/OpenID Provider
    • Name: Tandoor-Recipes
    • Authentication flow: default-authentication-flow (Welcome to authentik!)
    • Authorization flow: default-provider-explicit-consent (Authorize Application)
    • Client Type: Confidential
    • Client ID: XXXXXXXXXXXXX
    • Client Secret: XXXXXXXXXXXX
    • Redirect URIs/Origins (RegEx): https://tandoor.domain.com/accounts/authentik/login/callback/
    • Signing Key: authentik Self-Signed Certificate
  • I navigate to Applications
    • Name: Tandoor-Recipes
    • Slug: tandoor-recipes
    • Group: (blank)
    • Provider: Tandoor-Recipes
    • Policy engine mode: Any

Steps performed on Tandoor Recipes via DOCKER-01

  • sudo nano /apps/Tandoor-Recipes/.env
  • I add the following to the file:
# Using Authentik OAuth2/OpenID for authentication.
SOCIAL_PROVIDERS=allauth.socialaccount.providers.openid_connect
SOCIALACCOUNT_PROVIDERS={ "openid_connect": { "SERVERS": [{ "id": "authentik", "name": "Authentik", "server_url": "https://authentik.domain.com/application/o/tandoor-recipes/.well-known/openid-configuration", "token_auth_method": "client_secret_basic", "APP": { "client_id": "XXXXXXXXXXXX", "secret": "XXXXXXXXXXXXX" } } ] } }
  • I save the file .env

With that setup it is working, but of note: when you bring up the login page in Tandoor Recipes, you hit "Sign in using Authentik" instead of the normal login button.
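
A check for the working configuration above, added here as an example and not part of the original post or of Tandoor's or Authentik's code: it parses the SOCIALACCOUNT_PROVIDERS line, derives the callback URL from the server "id", and tests it against the value entered in Authentik's Redirect URIs/Origins (RegEx) field. It assumes the callback path follows this post's working setup and that Authentik matches the whole URI against the regular expression; check_oidc_env, ENV_LINE and TANDOOR_BASE are names made up for the example.

```python
import json
import re

# Constructed sample: the .env line from this page, credentials left as placeholders.
ENV_LINE = (
    'SOCIALACCOUNT_PROVIDERS={ "openid_connect": { "SERVERS": [{ "id": "authentik", '
    '"name": "Authentik", "server_url": "https://authentik.domain.com/application/o/'
    'tandoor-recipes/.well-known/openid-configuration", "token_auth_method": '
    '"client_secret_basic", "APP": { "client_id": "XXXXXXXXXXXX", '
    '"secret": "XXXXXXXXXXXXX" } } ] } }'
)
TANDOOR_BASE = "https://tandoor.domain.com"


def check_oidc_env(env_line, tandoor_base, redirect_pattern):
    """Return a list of findings; an empty list means nothing to fix."""
    key, _, raw = env_line.partition("=")
    if key.strip() != "SOCIALACCOUNT_PROVIDERS":
        return ["not a SOCIALACCOUNT_PROVIDERS line"]
    try:
        servers = json.loads(raw)["openid_connect"]["SERVERS"]
    except (ValueError, KeyError, TypeError) as exc:
        return [f"value is not the expected JSON: {exc!r}"]
    findings = []
    for srv in servers:
        sid = srv.get("id", "")
        if not srv.get("server_url", "").startswith("https://"):
            findings.append(f"{sid}: server_url is not https")
        app = srv.get("APP", {})
        if not (app.get("client_id") and app.get("secret")):
            findings.append(f"{sid}: APP needs both client_id and secret")
        # Assumption (from this page's working setup): the callback path is built from "id".
        callback = f"{tandoor_base}/accounts/{sid}/login/callback/"
        # Assumption: Authentik matches the whole redirect URI against the RegEx field.
        if not re.fullmatch(redirect_pattern, callback):
            findings.append(f"{sid}: {callback} is not matched by the registered redirect URI")
    if re.search(r"(?<!\\)\.", redirect_pattern):
        findings.append("redirect URI pattern has an unescaped '.', which matches any character")
    return findings


if __name__ == "__main__":
    for pattern in (
        "https://tandoor.domain.com/accounts/authentik/login/callback",      # first attempt
        "https://tandoor.domain.com/accounts/authentik/login/callback/",     # working setup
        r"https://tandoor\.domain\.com/accounts/authentik/login/callback/",  # dots escaped
    ):
        print(pattern, "->", check_oidc_env(ENV_LINE, TANDOOR_BASE, pattern))
```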