Configuration
Before deploying the authentik Agent, configure your authentik deployment. This involves:
- Importing the Device code flow
- Creating an OAuth application and provider
- Creating a Connector
Import OAuth device code flow
The OAuth device code flow enables secure authentication for input-limited clients like CLI tools and is required for the authentik Agent to function.
If you have already deployed the authentik OAuth device code flow, skip to the next section.
- Download the device code flow blueprint file.
- Log in to authentik as an administrator and open the authentik Admin interface.
- Navigate to Flows and Stages > Flows.
- Click Import
- Select the downloaded blueprint and click Import.
- Navigate to System > Brands and click the Edit icon on the default brand.
- Set Default code flow to the newly created device code flow and click Update.
Alternatively, manually create the flow by following the instructions in the Device code flow documentation.
Create an application and provider in authentik for CLI
The authentik agent requires an OAuth application/provider pair to handle authentication.
-
Log in to authentik as an administrator and open the authentik Admin interface.
-
Navigate to Applications > Applications and click Create with Provider to create an application and provider pair. (Alternatively you can first create a provider separately, then create the application and connect it with the provider.)
- Application: provide a descriptive name (e.g.
authentik-cli), an optional group for the type of application, the policy engine mode, and optional UI settings. - Choose a Provider type: select OAuth2/OpenID Connect as the provider type.
- Configure the Provider: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
- Set the Client type to
Public. - Set the Client ID to
authentik-cli. - Select any available signing key.
- Under Advanced protocol settings:
- In addition to the three default Selected Scopes, add the
authentik default OAuth Mapping: OpenID 'offline_access'scope.
- In addition to the three default Selected Scopes, add the
- Set the Client type to
- Configure Bindings (optional): you can create a binding (policy, group, or user) to manage access to the application.
- Application: provide a descriptive name (e.g.
-
Click Submit to save the new application and provider.
Create the authentik Agent connector
The authentik Agent Connector allows device information to be reported to authentik.
- Log in to authentik as an administrator and open the authentik Admin interface.
- Navigate to Endpoint Devices > Connectors and click Create.
- Select Agent Connector as the agent type and click Next.
- Configure the following required settings:
- Connector name: provide a descriptive name (e.g.
authentik Agent) - Refresh interval: select how often the agent will attempt to update its configuration.
- Enabled: toggle to enable the connector.
- Under Authentication settings:
- Federated OIDC Providers: add the
authentik-cliprovider that you created in the previous section.
- Federated OIDC Providers: add the
- Connector name: provide a descriptive name (e.g.
- Click Finish.