Windmill: SSO via authentik

I really enjoy using Windmill (as described over here), but it took me a bit to understand how to configure SSO based on their documentation. I was wondering how to add generic providers (which aren't supported out of the box, such as authentik). Here's what I did in my docker compose setup.

Create a new OAuth2 provider and application

This step is done in authentik and not specific to Windmill. The process is similar to other services implementing SSO via OAuth2, and is documented here for example. The redirect URL used by Windmill will be https://my.windmill.domain/user/login_callback/authentik (replacing my.windmill.domain with the actual domain name used by Windmill, of course).

Create an oauth.json file

Now inside the docker compose directory for Windmill, create an oauth.json file with the following content (replacing my.authentik.domain with the actual domain name used by authentik):

{
    "authentik": {
        "id": "oauth_id",
        "secret": "oauth_secret",
        "login_config": {
            "auth_url": "https://my.authentik.domain/application/o/authorize/",
            "token_url": "https://my.authentik.domain/application/o/token/",
            "userinfo_url": "https://my.authentik.domain/application/o/userinfo/",
            "scopes": [
                "openid",
                "profile",
                "email"
            ]
        }
    }
}

Update the docker-compose.yml file

In the last step, the docker-compose.yml file used by Windmill needs to be updated to make the previously created oauth.json file available to Windmill. To do so, add a new entry to the volumes section of the windmill service. The complete file should look something like this:

services:
  db:
    image: postgres:14
    restart: unless-stopped
    volumes:
      - ./db_data:/var/lib/postgresql/data
    environment:
      - POSTGRES_PASSWORD=myDatabasePassword
      - POSTGRES_USER=myDatabaseUser
      - POSTGRES_DB=myDatabaseName
    healthcheck:
      # Check readiness as the same user that POSTGRES_USER defines above
      test: ['CMD-SHELL', 'pg_isready -U myDatabaseUser']
      interval: 10s
      timeout: 30s
      retries: 5
  windmill:
    image: ghcr.io/windmill-labs/windmill:main
    restart: unless-stopped
    ports:
      - "8000:8000"
    environment:
      # sslmode=disable is only acceptable because db is reached over the internal compose network
      - DATABASE_URL=postgres://myDatabaseUser:myDatabasePassword@db/myDatabaseName?sslmode=disable
      # BASE_URL must match the domain of the redirect URL registered in authentik
      - BASE_URL=https://my.windmill.domain
      - RUST_LOG=info
      - NUM_WORKERS=3
    volumes:
      # The OAuth provider config from the previous step; it holds the client secret, so keep the file's permissions tight
      - ./oauth.json:/usr/src/app/oauth.json
    depends_on:
      db:
        condition: service_healthy
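Before recreating the containers it is worth sanity-checking the two pieces that have to agree: the provider entry in oauth.json and the BASE_URL from docker-compose.yml, which Windmill uses to build the redirect URL registered in authentik. The following script is an added example and not part of this post or of Windmill; the oauth.json content is the constructed sample from above, and the checks (placeholder credentials, https-only endpoints, a single authentik host, the openid scope) are my own choice of what to verify, not anything Windmill enforces.

```python
import json
from urllib.parse import urlsplit

# Constructed sample: the oauth.json from this post, still with placeholder credentials.
SAMPLE_OAUTH_JSON = """
{
    "authentik": {
        "id": "oauth_id",
        "secret": "oauth_secret",
        "login_config": {
            "auth_url": "https://my.authentik.domain/application/o/authorize/",
            "token_url": "https://my.authentik.domain/application/o/token/",
            "userinfo_url": "https://my.authentik.domain/application/o/userinfo/",
            "scopes": ["openid", "profile", "email"]
        }
    }
}
"""

REQUIRED_URLS = ("auth_url", "token_url", "userinfo_url")
PLACEHOLDERS = {"oauth_id", "oauth_secret"}  # the values used as stand-ins in the post


def redirect_url(base_url: str, provider: str) -> str:
    """Redirect URL Windmill uses for a provider name; authentik must have exactly this one registered."""
    return f"{base_url.rstrip('/')}/user/login_callback/{provider}"


def check_oauth_config(raw: str, base_url: str) -> list:
    """Return a list of problems found in oauth.json plus BASE_URL; an empty list means it looks sane."""
    problems = []
    try:
        cfg = json.loads(raw)
    except json.JSONDecodeError as exc:
        return [f"oauth.json is not valid JSON: {exc}"]

    for provider, entry in cfg.items():
        # Client id and secret must be the real values issued by authentik, not the placeholders.
        for key in ("id", "secret"):
            value = entry.get(key, "")
            if not value or value in PLACEHOLDERS:
                problems.append(f"{provider}: '{key}' is missing or still a placeholder")

        login = entry.get("login_config", {})
        hosts = set()
        for key in REQUIRED_URLS:
            url = login.get(key)
            if not url:
                problems.append(f"{provider}: login_config.{key} is missing")
                continue
            parts = urlsplit(url)
            # The authorization code and tokens travel over these endpoints, so plain http is a defect.
            if parts.scheme != "https":
                problems.append(f"{provider}: {key} must use https")
            hosts.add(parts.netloc)
        # All three endpoints belong to the same authentik instance; a mismatch usually means a copy/paste slip.
        if len(hosts) > 1:
            problems.append(f"{provider}: endpoints point at different hosts {sorted(hosts)}")
        # Without the openid scope the userinfo endpoint will not return a usable identity.
        if "openid" not in login.get("scopes", []):
            problems.append(f"{provider}: 'openid' scope is missing")

    # The redirect URL is derived from BASE_URL, so it must be https as well.
    if urlsplit(base_url).scheme != "https":
        problems.append("BASE_URL must be https; the redirect URL is derived from it")
    return problems


if __name__ == "__main__":
    base = "https://my.windmill.domain"
    print("redirect URL to register in authentik:", redirect_url(base, "authentik"))
    for problem in check_oauth_config(SAMPLE_OAUTH_JSON, base):
        print("problem:", problem)
```

Run it against the real file with `check_oauth_config(open("oauth.json").read(), base_url)` and an empty result means the config is consistent; with the sample above it reports that both credentials are still placeholders, which is exactly what you want to catch before the container is recreated.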

Restart Windmill

Now, in order for the changes to apply, re-create the Windmill docker containers using docker compose up --detach --force-recreate.

Login

Wait for Windmill to restart. Afterwards authentik should appear as a new login method:

[Screenshot: the Windmill login screen showing authentik as an option]