authentik: cleanup unused resources + add invitation enrollment flow [ci skip]

Cleanup:
- Deleted 5 unused flows (enrollment-inviation, headscale-auth/authz, default-enrollment, oauth-enrollment)
- Deleted 8 orphaned stages bound only to deleted flows
- Deleted authentik Read-only group and role (0 users)
- Deleted 2 unbound policies (map github username, Map Google Attributes)

Invitation enrollment:
- Created invitation-enrollment flow with 5 stages (invitation validation,
  identification with social login, prompt, user write, auto-login)
- Set all OAuth sources (Google/GitHub/Facebook) enrollment_flow to invitation-enrollment
- New users can only sign up via single-use invitation links
- Added authentik-invite.sh script for invitation management
- Updated reference docs and authentik skill
Viktor Barzin 2026-03-13 20:06:17 +00:00
parent af5f6a659b
commit 160fda882f
3 changed files with 295 additions and 13 deletions


@ -237,6 +237,49 @@ To protect a service via Authentik + Traefik forward auth:
- `X-authentik-name`
- `X-authentik-groups`
## Invitation Management
### Create Invitation
```bash
curl -s -X POST \
-H "Authorization: Bearer $AUTHENTIK_TOKEN" \
-H "Content-Type: application/json" \
"https://authentik.viktorbarzin.me/api/v3/stages/invitation/invitations/" \
-d '{
"name": "invite-slug-name",
"single_use": true,
"fixed_data": {"group": "Target Group Name"},
"flow": "<invitation-enrollment-flow-pk>"
}'
# Returns PK which is the itoken
# Link: https://authentik.viktorbarzin.me/if/flow/invitation-enrollment/?itoken=<pk>
```
### List Invitations
```bash
curl -s -H "Authorization: Bearer $AUTHENTIK_TOKEN" \
"https://authentik.viktorbarzin.me/api/v3/stages/invitation/invitations/?page_size=50"
```
### Delete Invitation
```bash
curl -s -X DELETE -H "Authorization: Bearer $AUTHENTIK_TOKEN" \
"https://authentik.viktorbarzin.me/api/v3/stages/invitation/invitations/<pk>/"
```
### Helper Script
Use `.claude/scripts/authentik-invite.sh` for invitation management:
```bash
./authentik-invite.sh create "Group Name" [--days N]
./authentik-invite.sh assign <username> "Group Name"
./authentik-invite.sh list
```
### Important Notes
- OAuth source `enrollment_flow` is set to `invitation-enrollment` -- new social login users require invitation
- Source updates require Django ORM (PATCH not supported on `sources/oauth/<slug>/`)
- Invitation `name` field must be a slug (letters, numbers, hyphens, underscores)
## Gotchas
1. **API pagination**: All list endpoints return paginated results. Use `?page_size=50` or check `pagination.next` for more pages.
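Review bot: the Create Invitation curl example sets `"single_use": true` but no expiry, so an invitation created this way stays valid until it is used or deleted, while the helper script exposes `--days N`; add an `"expires"` value to the example (or say explicitly that hand-made invitations don't expire) so the documented path matches the script's behaviour. Related gap in the same block: `"fixed_data": {"group": "Target Group Name"}` is shown, but nothing in the section says which of the five stages consumes the `group` key, so a reader cannot tell whether group membership is applied during enrollment or still needs `authentik-invite.sh assign <username> "Group Name"` afterwards; one sentence under Important Notes would settle it. Two smaller points: the Helper Script heading gives the path as `.claude/scripts/authentik-invite.sh` while the usage lines invoke `./authentik-invite.sh`, so either run the commands from that directory or use the full path consistently; and the note "Source updates require Django ORM (PATCH not supported on `sources/oauth/<slug>/`)" would be more useful with the actual error response recorded, so a later reader can distinguish a missing method from a permissions or validation failure on the `enrollment_flow` field.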