From ba13b021d11e41325f639681cab6ab6db22d870b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Skyler=20M=C3=A4ntysaari?=
Date: Thu, 21 Oct 2021 18:17:31 +0300
Subject: [PATCH] docs/openid: Add Authentik documentation.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Skyler Mäntysaari
---
changelog.d/11151.doc | 1 +
docs/openid.md | 34 ++++++++++++++++++++++++++++++++++
2 files changed, 35 insertions(+)
create mode 100644 changelog.d/11151.doc
diff --git a/changelog.d/11151.doc b/changelog.d/11151.doc
new file mode 100644
index 000000000000..106711ac9e4b
--- /dev/null
+++ b/changelog.d/11151.doc
@@ -0,0 +1 @@
+Add Authentik documentation
\ No newline at end of file
diff --git a/docs/openid.md b/docs/openid.md
index 49180eec5293..af0c4ce07815 100644
--- a/docs/openid.md
+++ b/docs/openid.md
@@ -21,6 +21,7 @@ such as [Github][github-idp].
 [google-idp]: https://developers.google.com/identity/protocols/oauth2/openid-connect
 [auth0]: https://auth0.com/
+[authentik]: https://goauthentik.io/
 [okta]: https://www.okta.com/
 [dex-idp]: https://github.com/dexidp/dex
 [keycloak-idp]: https://www.keycloak.org/docs/latest/server_admin/#sso-protocols
@@ -209,6 +210,39 @@ oidc_providers:
 display_name_template: "{{ user.name }}"
 ```
 
+### Authentik
+
+[Authentik][Authentik] is an open-source IdP solution.
+
+1. Create a provider in Authentik, with type OAuth2/OpenID.
+2. The parameters are:
+- Client Type: Confidential
+- JWT Algorithm: RS256
+- Scopes: OpenID, Email and Profile
+- RSA Key: Select any available key
+- Redirect URIs: `[synapse public baseurl]/_synapse/client/oidc/callback`
+3. Create an application for synapse in Authentik and link it to the provider.
+4. Note the slug of your application, Client ID and Client Secret.
+
+Synapse config:
+```yaml
+oidc_providers:
+ - idp_id: authentik
+ idp_name: authentik
+ discover: true
+ issuer: "https://authentik.company/application/o/app-slug/"
+ client_id: "*client id*"
+ client_secret: "*client secret*"
+ scopes:
+ - "openid"
+ - "profile"
+ - "email"
+ user_mapping_provider:
+ config:
+ localpart_template: "{{ '{{ user.name }}' }}"
+ display_name_template: "{{ '{{ user.name|capitalize }}' }}"
+```
+
 ### GitHub
 
 [GitHub][github-idp] is a bit special as it is not an OpenID Connect compliant provider, but
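Review bot: The `localpart_template` and `display_name_template` values in the new Authentik snippet are wrapped in a second Jinja layer, `{{ '{{ user.name }}' }}`, which Synapse would evaluate to the literal text `{{ user.name }}` instead of the user's name; the context line just above the hunk shows the page's convention, `display_name_template: "{{ user.name }}"`. Unless openid.md is itself passed through a templating step before publication (not visible here), the two lines should read `localpart_template: "{{ user.name }}"` and `display_name_template: "{{ user.name|capitalize }}"`. Deriving the Matrix localpart from the `name` claim also deserves a caveat in the doc: in OpenID Connect `name` is the end-user's displayable full name, which is typically user-editable and not guaranteed unique, so two Authentik users sharing a name would map to the same localpart, and a comment such as `# name is a mutable display-name claim; consider a stable, unique claim for the localpart` next to `localpart_template` would tell operators what to verify. The `- ` bullets under step 2 appear unindented in this copy; if so, steps 3 and 4 restart the numbered list, and indenting the bullets under item 2 fixes the numbering.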