Authentik
Overview
Follow these steps to configure an OAuth Client via Authentik.
Prerequisites
- You must be an admin on Authentik.
Step 1: Create an Application
- Navigate to Applications in Authentik.
- Create a new Application.
- Each Applicationwill create a correspondingProvider.
- Choose OAuth2as theProvidertype.
Authorization Flow
- Select: nrp-authorization-with-aup-consent.
- Make the client confidential.
- Retrieve the Client IDandClient Secret(needed for integration).
Step 2: Configure JupyterHub (Example)
Below is a sample JupyterHub configuration using Authentik as the OAuth provider:
  hub:    config:      OAuthenticator:        login_service: "Authentik" # This is what shows on JH UI        oauth_callback_url: "https://XYZ.nrp-nautilus.io/hub/oauth_callback" # This is inputted by user        authorize_url: "https://authentik.nrp-nautilus.io/application/o/authorize/" # This is provided by Authentik        token_url: "https://authentik.nrp-nautilus.io/application/o/token/"  # This is provided by Authentik        userdata_url: "https://authentik.nrp-nautilus.io/application/o/userinfo/"  # This is provided by Authentik        client_id: "XYZ"  # This is provided by Authentik        client_secret: "XYZ"  # This is provided by Authentik        username_claim: "email"        allow_all: true      JupyterHub:        admin_access: true        authenticator_class: oauthenticator.generic.GenericOAuthenticatorStep 3: Configure Bindings (Filters & Policies)
- In Configure Bindings, define filtering rules (blacklists,whitelists,user scopes).
- Authentik uses Expression Policies (Python-based) to control access.
More details on Expression Policies: Authentik Docs
For now, finish creating the Application without attaching a policy. Next, you’ll create the policy and bind it.
Step 4: Create an Expression Policy (Optional)
- Navigate to Customization → Policies → Create → Expression Policy.
- In the Expression field, enter your filtering logic.
Step 5: Bind the Policy to Your Application (Optional)
- Go back to your Application.
- Open Policy / Group / User Bindings.
- Bind the Expression Policy you just created.
- In the Application Overview, use the Test button to verify user access.

This work was supported in part by National Science Foundation (NSF) awards CNS-1730158, ACI-1540112, ACI-1541349, OAC-1826967, OAC-2112167, CNS-2100237, CNS-2120019.