
[HELP] Could you help to configure with Authentik? #25

Closed
eirisdg opened this issue Dec 26, 2024 · 5 comments

Comments


eirisdg commented Dec 26, 2024

Expected
Authentik is an authentication provider supporting most protocols, OIDC included.

I don't know how to configure it with Nexus and this plugin.
Could you help us with a sample config?

Thanks

@tumbl3w33d (Owner) commented:

I don't know much about Authentik, so don't be mad if I lead you the wrong way, please. ;)

The plugin expects a certain set of headers which you can find here. The idea is that you deploy OAuth2 Proxy together with Nexus and route your users to it. This has the effect that the aforementioned headers will be added to requests and Nexus can identify you and grant access.

Now from what I understand skimming the Authentik docs, you could probably replace the entire OAuth2 Proxy with it, however, the headers seem to be named differently. That means, if you want to go down that route, you would need to add some logic to rewrite headers (either Authentik allows configuring this or you need another proxy in the line that is able to do that).

The other option would be registering an OAuth2 Proxy as OAuth2 application with Authentik. I can't tell you the exact settings because I haven't used it, but what it comes down to is that the OAuth2 Proxy needs the usual client_id and client_secret, like any other relying party connected via OAuth2 would. Then you configure the OAuth2 Proxy with it (see README.md) and everything "should just work™".

It probably makes sense to look at the troubleshooting section of our README as well. It explains how to activate logging for the headers, so you can see whether the necessary data flows in.

I'm quite confident you can make this work. I would probably go down the header name rewriting route if Authentik can do the rest, but that is the more advanced solution and no one has tested it with this plugin. But as I said: As long as you can fill the mentioned headers with the necessary data, you should be just fine.


eirisdg commented Dec 26, 2024

I think that a mapping can be done with the property mappings: https://docs.goauthentik.io/docs/add-secure-apps/providers/proxy/custom_headers

I'm going to read deeply... thanks :)


eirisdg commented Dec 26, 2024

Done. I'll upload some documentation tomorrow.


eirisdg commented Dec 26, 2024

For anyone who wants to use Sonatype Nexus with Authentik, here are some steps:

  • In Authentik:

    • Create a property mapping:
      [screenshot]

    • Create a Provider and add the scope:
      [screenshot]

    • Create an Application and select Provider for Nexus as Provider:
      [screenshot]

    • Create a new Outpost and set up the configuration you need:
      [screenshot]
      Make sure to set the ingress-class if you are in Kubernetes

  • In Nexus:

    • Create an external role mapping. Make sure you map the admin group in your IdP, or you will lose admin access:
      [screenshot]

  • In Kubernetes ingress:

    • Add the corresponding annotations in the ingress of the Nexus app:
      [screenshot]

@eirisdg eirisdg closed this as completed Dec 26, 2024
@tumbl3w33d (Owner) commented:

I'm glad you made it work. Thank you for that documentation! Make sure your setup drops these headers when the user sets them on the request by themselves, else they can log in as anyone they like.
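The point raised in the owner's two replies (the plugin trusts identity headers injected by a proxy, so the proxy must never let a client supply them itself) can be illustrated with a small trust-boundary check. The following is an added example, not code from the plugin, from OAuth2 Proxy or from Authentik; the header names `X-Forwarded-User`, `X-Forwarded-Email` and `X-Forwarded-Groups` are assumptions standing in for whatever names the plugin actually reads, and the sample request is constructed.

```python
"""Trust-boundary check for header-based authentication in front of Nexus.

Model: a reverse proxy receives a client request, authenticates the session
(via OAuth2 Proxy / Authentik, not modelled here) and forwards the request to
Nexus with identity headers the plugin reads.  Any identity header the client
sent itself must be discarded first, otherwise the client picks its own user.
"""
from typing import Dict, List, Mapping, Optional

# Hypothetical identity headers (assumption for this example; use the names
# from the plugin's documentation in a real deployment).
IDENTITY_HEADERS = {
    "user": "X-Forwarded-User",
    "email": "X-Forwarded-Email",
    "groups": "X-Forwarded-Groups",
}
# HTTP header names are case-insensitive, so compare lower-cased.
_BLOCKED = {name.lower() for name in IDENTITY_HEADERS.values()}


def spoofed_identity_headers(client_headers: Mapping[str, str]) -> List[str]:
    """Return the identity headers a client tried to supply on its own.

    A browser never sends these, so a non-empty result is worth logging as a
    spoofing attempt before the request is cleaned up.
    """
    return sorted(name for name in client_headers if name.lower() in _BLOCKED)


def build_upstream_headers(
    client_headers: Mapping[str, str],
    identity: Optional[Dict[str, str]],
) -> Dict[str, str]:
    """Headers to forward to Nexus.

    1. Every client-supplied identity header is dropped, whatever its case.
    2. Only if the proxy authenticated the session are identity headers set,
       and only from that trusted identity.
    """
    forwarded = {
        name: value
        for name, value in client_headers.items()
        if name.lower() not in _BLOCKED
    }
    if identity is not None:
        for key, header in IDENTITY_HEADERS.items():
            if key in identity:
                forwarded[header] = identity[key]
    return forwarded


# Constructed sample request: the client claims to be an admin via headers.
SAMPLE_CLIENT_HEADERS = {
    "Host": "nexus.example.internal",
    "x-forwarded-user": "admin",
    "X-FORWARDED-GROUPS": "nexus-admins",
    "Cookie": "_oauth2_proxy=<session-cookie-placeholder>",
}

# Identity the proxy established from the real session (constructed).
SAMPLE_IDENTITY = {"user": "alice", "groups": "developers"}

if __name__ == "__main__":
    print("spoof attempt:", spoofed_identity_headers(SAMPLE_CLIENT_HEADERS))
    print("authenticated:", build_upstream_headers(SAMPLE_CLIENT_HEADERS, SAMPLE_IDENTITY))
    print("anonymous:    ", build_upstream_headers(SAMPLE_CLIENT_HEADERS, None))
```

The same check applies whichever component ends up in front of Nexus (OAuth2 Proxy, an Authentik outpost, or an ingress with header rewriting): the identity headers must be overwritten from the authenticated session on every request, never merely added when absent.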
