Skip to content
NRP Nautilus

Configuring OAuth Authentik Clients

Overview

Follow these steps to configure an OAuth Client via Authentik.

Prerequisites

  1. You must be an admin on Authentik.

Step 1: Create an Application

  • Navigate to Applications in Authentik.
  • Create a new Application.
  • Each Application will create a corresponding Provider.
  • Choose OAuth2 as the Provider type.

Authorization Flow

  • Select: nrp-authorization-with-aup-consent.
  • Make the client confidential.
  • Retrieve the Client ID and Client Secret (needed for integration).

Step 2: Configure JupyterHub (Example)

Below is a sample JupyterHub configuration using Authentik as the OAuth provider:

  hub:
    config:
      OAuthenticator:
        login_service: "Authentik" # This is what shows on JH UI
        oauth_callback_url: "https://XYZ.nrp-nautilus.io/hub/oauth_callback" # This is inputted by user
        authorize_url: "https://authentik.nrp-nautilus.io/application/o/authorize/" # This is provided by Authentik
        token_url: "https://authentik.nrp-nautilus.io/application/o/token/"  # This is provided by Authentik
        userdata_url: "https://authentik.nrp-nautilus.io/application/o/userinfo/"  # This is provided by Authentik
        client_id: "XYZ"  # This is provided by Authentik
        client_secret: "XYZ"  # This is provided by Authentik
        username_claim: "email"
        allow_all: true
      JupyterHub:
        admin_access: true
        authenticator_class: oauthenticator.generic.GenericOAuthenticator

Step 3: Configure Bindings (Filters & Policies)

  • In Configure Bindings, define filtering rules (blacklists, whitelists, user scopes).
  • Authentik uses Expression Policies (Python-based) to control access.

More details on Expression Policies: Authentik Docs

For now, finish creating the Application without attaching a policy. Next, you’ll create the policy and bind it.

Step 4: Create an Expression Policy (Optional)

  • Navigate to Customization → Policies → Create → Expression Policy.
  • In the Expression field, enter your filtering logic.

Step 5: Bind the Policy to Your Application (Optional)

  • Go back to your Application.
  • Open Policy / Group / User Bindings.
  • Bind the Expression Policy you just created.
  • In the Application Overview, use the Test button to verify user access.
NSF Logo
This work was supported in part by National Science Foundation (NSF) awards CNS-1730158, ACI-1540112, ACI-1541349, OAC-1826967, OAC-2112167, CNS-2100237, CNS-2120019.