mosaic/stack
1
0
Fork 0
Code Issues 10 Pull Requests Actions Packages Projects Releases 2 Wiki Activity
Files
dc1ed2a59ea7e979827c96d4a2f3601092bd3b9b
stack/docs/1-getting-started/3-configuration/2-authentik.md
Jason Woltje 12abdfe81d feat(#93): implement agent spawn via federation 
Implements FED-010: Agent Spawn via Federation feature that enables
spawning and managing Claude agents on remote federated Mosaic Stack
instances via COMMAND message type.

Features:
- Federation agent command types (spawn, status, kill)
- FederationAgentService for handling agent operations
- Integration with orchestrator's agent spawner/lifecycle services
- API endpoints for spawning, querying status, and killing agents
- Full command routing through federation COMMAND infrastructure
- Comprehensive test coverage (12/12 tests passing)

Architecture:
- Hub → Spoke: Spawn agents on remote instances
- Command flow: FederationController → FederationAgentService →
  CommandService → Remote Orchestrator
- Response handling: Remote orchestrator returns agent status/results
- Security: Connection validation, signature verification

Files created:
- apps/api/src/federation/types/federation-agent.types.ts
- apps/api/src/federation/federation-agent.service.ts
- apps/api/src/federation/federation-agent.service.spec.ts

Files modified:
- apps/api/src/federation/command.service.ts (agent command routing)
- apps/api/src/federation/federation.controller.ts (agent endpoints)
- apps/api/src/federation/federation.module.ts (service registration)
- apps/orchestrator/src/api/agents/agents.controller.ts (status endpoint)
- apps/orchestrator/src/api/agents/agents.module.ts (lifecycle integration)

Testing:
- 12/12 tests passing for FederationAgentService
- All command service tests passing
- TypeScript compilation successful
- Linting passed

Refs #93

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
2026-02-03 14:37:06 -06:00

8.4 KiB
Raw Blame History

Authentik OIDC Setup

Complete guide to configuring Authentik OIDC authentication for Mosaic Stack.

Overview

Mosaic Stack uses BetterAuth with OpenID Connect (OIDC) for authentication. Authentik serves as the identity provider for SSO capabilities.

Prerequisites

  • Authentik instance (self-hosted or cloud)
  • Admin access to Authentik
  • Mosaic Stack installed and running

Step 1: Install Authentik (Optional)

If you don't have an existing Authentik instance:

Docker Compose Method

# Create Authentik directory
mkdir ~/authentik && cd ~/authentik

# Download compose file
curl -o docker-compose.yml https://goauthentik.io/docker-compose.yml

# Generate secret key
echo "AUTHENTIK_SECRET_KEY=$(openssl rand -base64 60)" >> .env

# Start Authentik
docker compose up -d

# Wait for startup (~30 seconds)
docker compose logs -f

Access Authentik:

Alternative: Use Hosted Authentik

Sign up at goauthentik.io for managed Authentik.

Step 2: Create OAuth2 Provider

  1. Log in to Authentik as admin

  2. Navigate to ApplicationsProviders

  3. Click "Create" and select OAuth2/OpenID Provider

  4. Configure Provider:

    Field Value
    Name Mosaic Stack
    Authorization flow default-provider-authorization-implicit-consent
    Client type Confidential
    Client ID (auto-generated, save this)
    Client Secret (auto-generated, save this)
    Redirect URIs http://localhost:3001/auth/callback
    Scopes openid, email, profile
    Subject mode Based on User's UUID
    Include claims in id_token Enabled

  5. Click "Create"

  6. Save the Client ID and Client Secret for Step 4

Step 3: Create Application

  1. Navigate to ApplicationsApplications

  2. Click "Create"

  3. Configure Application:

    Field Value
    Name Mosaic Stack
    Slug mosaic-stack
    Provider Select "Mosaic Stack" (created in Step 2)
    Launch URL http://localhost:3000

  4. Click "Create"

Step 4: Configure Mosaic Stack

Update your .env file:

# Authentik OIDC Configuration
OIDC_ISSUER=http://localhost:9000/application/o/mosaic-stack/
OIDC_CLIENT_ID=<your-client-id-from-step-2>
OIDC_CLIENT_SECRET=<your-client-secret-from-step-2>
OIDC_REDIRECT_URI=http://localhost:3001/auth/callback

Important Notes:

  • OIDC_ISSUER must end with a trailing slash /
  • Replace <your-client-id> and <your-client-secret> with actual values from Step 2
  • OIDC_REDIRECT_URI must exactly match what you configured in Authentik

Production Configuration

For production deployments:

OIDC_ISSUER=https://auth.example.com/application/o/mosaic-stack/
OIDC_CLIENT_ID=prod-client-id
OIDC_CLIENT_SECRET=prod-client-secret
OIDC_REDIRECT_URI=https://mosaic.example.com/auth/callback

Update Authentik redirect URIs to match your production URL.

Step 5: Restart Mosaic Stack

# Local development
pnpm dev:api

# Docker
docker compose restart api

Step 6: Test Authentication

Method 1: Web UI (when implemented)

  1. Navigate to http://localhost:3000
  2. Click "Sign In"
  3. You'll be redirected to Authentik
  4. Log in with your Authentik credentials
  5. Authorize the application
  6. You'll be redirected back to Mosaic Stack

Method 2: API Endpoint

# Initiate OIDC flow
curl http://localhost:3001/auth/callback/authentik

# This will return a redirect URL to Authentik

Method 3: Direct Email/Password (Development)

# Create user via API (development only)
curl -X POST http://localhost:3001/auth/sign-up \
  -H "Content-Type: application/json" \
  -d '{
    "email": "test@example.com",
    "password": "SecurePass123!",
    "name": "Test User"
  }'

# Sign in
curl -X POST http://localhost:3001/auth/sign-in \
  -H "Content-Type: application/json" \
  -d '{
    "email": "test@example.com",
    "password": "SecurePass123!"
  }'

# Response includes session token
{
  "user": {
    "id": "...",
    "email": "test@example.com",
    "name": "Test User"
  },
  "session": {
    "token": "eyJhbGc...",
    "expiresAt": "..."
  }
}

Advanced Configuration

Custom Scopes

To request additional user information:

  1. In Authentik, navigate to CustomizationProperty Mappings
  2. Create custom Scope Mapping
  3. Add scope to provider configuration
  4. Update Mosaic Stack to request the scope

Multi-Factor Authentication (MFA)

Enable MFA in Authentik:

  1. Navigate to Flows & StagesFlows
  2. Edit default-authentication-flow
  3. Add Multi-Factor Authentication stage
  4. Configure MFA methods (TOTP, WebAuthn, etc.)

Users will be prompted for MFA during login.

Custom Login Page

Customize Authentik's login page:

  1. Navigate to CustomizationBrands
  2. Edit default brand
  3. Customize logo, title, and theme
  4. Save changes

Troubleshooting

Error: "Invalid redirect URI"

Cause: Redirect URI in .env doesn't match Authentik configuration

Fix:

# Ensure exact match (including http vs https)
# In Authentik: http://localhost:3001/auth/callback
# In .env: OIDC_REDIRECT_URI=http://localhost:3001/auth/callback

Error: "Invalid client credentials"

Cause: Incorrect client ID or secret

Fix:

  1. Double-check Client ID and Secret in Authentik provider
  2. Copy values exactly (no extra spaces)
  3. Update .env with correct values
  4. Restart API

Error: "OIDC discovery failed"

Cause: OIDC_ISSUER incorrect or Authentik not accessible

Fix:

# Ensure OIDC_ISSUER ends with /
# Test discovery endpoint
curl http://localhost:9000/application/o/mosaic-stack/.well-known/openid-configuration

# Should return JSON with OIDC configuration

Users Can't Access Application

Cause: User doesn't have permission in Authentik

Fix:

  1. In Authentik, go to DirectoryUsers
  2. Select user
  3. Click Assigned to applications
  4. Add "Mosaic Stack" application

Or enable Superuser privileges for the user (development only).

Session Expires Too Quickly

Cause: JWT expiration set too low

Fix:

# In .env, increase expiration
JWT_EXPIRATION=7d  # 7 days instead of 24h

# Restart API

Security Considerations

Production Checklist

  • Use HTTPS for all URLs
  • Configure CORS properly
  • Use strong client secret (rotate regularly)
  • Enable MFA for admin accounts
  • Review Authentik audit logs regularly
  • Limit redirect URIs to exact matches
  • Use environment-specific client credentials
  • Enable rate limiting on auth endpoints

Recommended Authentik Settings

# In Authentik provider configuration:
- Access token validity: 30 minutes
- Refresh token validity: 30 days
- Include claims in ID token: Enabled
- Subject mode: Based on User's UUID
- Signing algorithm: RS256

User Management

Create User in Authentik

  1. Navigate to DirectoryUsers
  2. Click "Create"
  3. Fill in user details:
    • Username
    • Email (required for OIDC)
    • Name
  4. Click "Create"
  5. User can now log in to Mosaic Stack

Assign Users to Application

  1. Go to ApplicationsApplications
  2. Select "Mosaic Stack"
  3. Click Policy / Group / User Bindings
  4. Click "Bind existing policy"
  5. Select users or groups
  6. Click "Create"

Next Steps

Reference in New Issue View Git Blame Copy Permalink