Guide: Setting up SFTPGo admin logins to work with Authentik

[deviantintegral]

It took me a bit to get this sorted, so I figured I'd share how!

First, navigate to Directory -> Groups and create a group called SFTPGo Admins. Add your desired users to the group from the Users tab in the group.

Now, under Customisation -> Property Mappings, create a new "Scope Mapping".

Set the Name to sftpgo, the Scope name to sftpgo, and the expression to the following:

return {
  'sftpgo_role': 'admin' if ak_is_group_member(request.user, name="SFTPGo Admins") else 'user'
}

Now, under Applications -> Providers, create a new OAuth2 provider for sftpgo. Set it up like normal as the OIDC docs say. However, under Advanced protocol settings, add sftpgo to the Scopes:

Finally, in your sftpgo configuration, set the Open ID scopes to include the new scope and the role field. Here's mine from docker-compose.yml. I’ve added sftp to the default scopes listed at https://docs.goauthentik.io/docs/add-secure-apps/providers/oauth2/#default.

      - SFTPGO_HTTPD__BINDINGS__0__OIDC__SCOPES=openid,profile,email,entitlements,offline_access,sftpgo
      - SFTPGO_HTTPD__BINDINGS__0__OIDC__ROLE_FIELD=sftpgo_role

After restarting sftpgo (remember to do down / up if you're using docker compose!), you should be able to log in to the WebAdmin UI.

The only thing I don't have working is for the same user to be able to log in as a regular user. When I try, I get:

Wrong OpenID role, the logged in user is an SFTPGo admin

That error makes me think this is an intentional design decision, and in my case doesn't matter as I need to create separate users anyways.

[phoenix-limited]

I had this working, then I had to rebuild my server core, and, with what I think is identical to before and folling what you have here, I get this ("Failed to get user associated with OpenID token") as an error, and am told that the account is an admin on the webclient login. I do know that SFTPGo doesn't support dynamic creation/updating of specifically admin users, so I did premake the admin with the same username that is given when oidc creates a client user. Did you have any related trouble?

[mablerf]

This has been driving me crazy for entirely too long. Thank you!

Am I right in my understanding that a user can use WebClient or WebAdmin, but not both? If the user is in the admin group they can't log in to the WebClient?

[deviantintegral]

That's it exactly.

[deembi4]

Please, could you provide complete manual for setting up authentik with sftpgo?
For example my docker-compose file contains envs:
SFTPGO_HTTPD__BINDINGS__0__OIDC__CLIENT_ID=MYCLIENTID
SFTPGO_HTTPD__BINDINGS__0__OIDC__CLIENT_SECRET=MYCLIENT
SFTPGO_HTTPD__BINDINGS__0__OIDC__CONFIG_URL=https://authentik.domain/application/o/sftpgo/.well-known/openid-configuration
SFTPGO_HTTPD__BINDINGS__0__OIDC__REDIRECT_BASE_URL=http://sftpgo.domain/web/oidc/redirect
SFTPGO_HTTPD__BINDINGS__0__OIDC__USERNAME_FIELD=preferred_username
SFTPGO_HTTPD__BINDINGS__0__OIDC__SCOPES=openid,profile,email,sftpgo
SFTPGO_HTTPD__BINDINGS__0__OIDC__ROLE_FIELD=sftpgo_role

And it doesn't work: could not start HTTP server: oidc: unable to initialize provider for URL "https://authentik.domain/application/o/sftpgo/": 403 Forbidden

[deviantintegral]

Here’s what I have in my environment variables:

environment:
      - SFTPGO_HTTPD__BINDINGS__0__OIDC__CLIENT_ID=REDACTED
      - SFTPGO_HTTPD__BINDINGS__0__OIDC__CLIENT_SECRET=REDACTED
      - SFTPGO_HTTPD__BINDINGS__0__OIDC__CONFIG_URL=https://auth.example.com/application/o/sftpgo/
      - SFTPGO_HTTPD__BINDINGS__0__OIDC__REDIRECT_BASE_URL=https://auth.example.com
      - SFTPGO_HTTPD__BINDINGS__0__OIDC__USERNAME_FIELD=preferred_username
      - SFTPGO_HTTPD__BINDINGS__0__OIDC__SCOPES=openid,profile,email,sftpgo
      - SFTPGO_HTTPD__BINDINGS__0__OIDC__ROLE_FIELD=sftpgo_role

I think you need to remove the .well-known/… part as that is automatically added.

[keriati]

With the above setup, my user sessions expire after 5 minutes. There is no refresh token provided by Authentik by default, so the session is not extended. I can also see this in sftpgo logs.

Is this also happening for you?

My workaround was adding the offline_access scope in both Authentik and sftpgo, however I am not sure if this is a correct solution.

Now at log in my users end up in the explicit flow instead of implicit.

Other applications like Grafana did not need this scope, and the sessions still stay alive for a longer time.

[deviantintegral]

Turns out it is! I just have never needed to be logged in to the admin for more than 5 minutes at a time.

Like you said, I have nothing different configured in other OpenID apps. So, if I were to investigate (and tbh I don't think I will) I'd start with checking to see if the sftpgo side is properly requesting a refresh token or not.

[keriati]

Thanks for checking, so it isn't only me.
By the way the users have for me the same behavior, not just the admin, they also get kicked out after 5 mins.

I also know that Authentik does not issue a refresh token at all unless the offline_access scope is defined and I can also see in the sftpgo logs that it is missing the refresh token.

Now, with that scope defined, my session is getting properly prolonged after 5 minutes.

But for example Grafana keeps the session longer without defining the offline_access scope, and so do other apps I use.

[drakkan]

I also know that Authentik does not issue a refresh token at all unless the offline_access scope is defined and I can also see in the sftpgo logs that it is missing the refresh token.

I haven't personally tested with Authentik, but if it issues tokens that are valid for 5 minutes and doesn't allow for refreshing, SFTPGo works as expected. If other implementations fail to respect the token validity, I think they are not implemented correctly.
Of course it's entirely possible that SFTPGo's implementation is missing something, feel free to dig around and submit a PR if that's the case. Thank you

[keriati]

Well at this point (with my limited understanding of OIDC) I also think that sftpgo behaves correctly and the other apps just don't handle the sessions correctly.

I also suggest to enhance the above tutorial with adding the offline_access scope.

[deviantintegral]

I figured it out! In https://docs.goauthentik.io/docs/add-secure-apps/providers/oauth2/#default it says:

When a client does not request any scopes, authentik will treat the request as if all configured scopes were requested

But, we’re requesting specific scopes above so we can add the sftpgo scope. That means offline_access (which is a default scope listed in Authentik) isn’t applied. That’s why other apps work fine.

I’ll update the first post.

[PeterXQChen]

For anyone else stumbling on this discussion, I was able to find a way to allow the same SSO user to login on WebClient and AdminClient. Rather than passing sftpgo_role as 'admin' or 'user'. I set the environmental variable called "implitcit_roles", this basically sets the role based on the login link used. Reference: https://docs.sftpgo.com/latest/env-vars/