TekOnline

Setting Username to Email on Enrollment in Authentik

Introduction

Authentik is a powerful identity provider that offers flexible authentication flows for various applications. One common requirement when integrating with external identity providers like Google is to automatically set a user’s username to their email address during enrollment. This approach simplifies the user experience and prevents redirection issues that can occur when users are prompted to manually enter a username.

This article will guide you through the process of configuring Authentik to automatically set a user’s username to their email address during the enrollment process, particularly when using social providers like Google.

Why Set Username to Email?

There are several benefits to automatically setting the username to the user’s email address:

  1. Simplified User Experience: Users don’t need to create and remember a separate username.
  2. Reduced Friction: Eliminates an extra step in the enrollment process.
  3. Prevents Redirection Issues: Maintains the redirect context throughout the authentication flow.
  4. Ensures Uniqueness: Email addresses are already unique, making them ideal username candidates.

Prerequisites

Before implementing this solution, ensure you have:

  • Administrative access to your Authentik instance
  • A configured OAuth2/OIDC provider (like Google)
  • A basic understanding of Authentik flows and policies

Implementation Steps

Step 1: Create an Expression Policy

First, we’ll create an Expression Policy that will set the username to the email address:

  1. Navigate to Customisation → Policies
  2. Click Create
  3. Select Expression Policy
  4. Configure the policy with the following settings:
    • Name: Set Username to Email
    • Expression:
      request.context["prompt_data"]["username"] = request.context["prompt_data"]["email"]
      return True
  5. Click Create

This policy takes the email address from the prompt_data context and assigns it to the username field in the same context.

Step 2: Bind the Policy to the Enrollment Flow

Next, we’ll bind this policy to the enrollment flow’s prompt stage:

  1. Navigate to Flows & Stages → Flows
  2. Find and click on your enrollment flow (typically default-source-enrollment)
  3. Click on the Stage Bindings tab
  4. Locate the prompt stage (typically default-source-enrollment-prompt)
  5. Click the expand arrow (>) next to the prompt stage
  6. Click Bind existing Policy / Group / User
  7. Select the Policy tab
  8. Choose the “Set Username to Email” policy you created earlier
  9. Configure the binding:
    • Enabled: Yes
    • Order: -1 (to ensure it runs before other policies)
    • Timeout: 30 (default is fine)
    • Failure result: Don’t pass
  10. Click Create

Step 3: Configure the Prompt Stage (Optional)

You may want to configure the prompt stage to ensure a smooth user experience:

  1. From the Stage Bindings screen, click Edit Stage for the prompt stage
  2. Ensure the username field is configured correctly
  3. Consider disabling validation for the username field if you want to allow any email format

Step 4: Test the Flow

To verify your configuration:

  1. Open an incognito/private browser window
  2. Navigate to your application’s login page
  3. Select the social login option (e.g., Google)
  4. Complete the authentication with the external provider
  5. When redirected to the enrollment form, verify that the username field is automatically filled with the email address
  6. Complete the enrollment process
  7. Verify that you’re correctly redirected back to your application

Troubleshooting

If you encounter issues with this implementation, consider the following troubleshooting steps:

Username Not Being Set

  • Verify that the expression policy is correctly bound to the prompt stage
  • Check that the policy order ensures it runs before other policies
  • Add debug statements to your expression policy:
    print("Email in prompt_data:", request.context["prompt_data"].get("email"))
    request.context["prompt_data"]["username"] = request.context["prompt_data"]["email"]
    print("Username set to:", request.context["prompt_data"].get("username"))
    return True

Redirection Issues

If you’re still experiencing redirection issues after enrollment:

  1. Create a debug policy to track the redirect URL:
    print("Redirect URL:", context.get("redirect"))
    return True
  2. Bind this policy to various stages in your flow to see where the redirect URL might be getting lost
  3. Check your OAuth2 provider configuration to ensure redirect URIs are correctly set

Flow Denial Errors

If you see “Request has been denied” or “Flow does not apply to current user” errors:

  1. Check application permissions to ensure the user has access
  2. Verify that all policy bindings in the flow are correctly configured
  3. Look for any template variables in the flow that might not be properly populated

Advanced Configuration

Customizing the Username Format

You might want to use only part of the email as the username. Modify your expression policy like this:

# Get email from prompt_data
email = request.context["prompt_data"].get("email", "")

# Use only the part before @ as username
if "@" in email:
    username = email.split("@")[0]
else:
    username = email

request.context["prompt_data"]["username"] = username
return True

Adding Security Enhancements

For enhanced security, consider these additional configurations:

  1. Disable Username and Password Editing:
    • Navigate to User Settings in Authentik
    • Disable the ability for users to change their username and password
  2. Remove Local Password Authentication:
    • If you want users to authenticate exclusively through social providers
    • Remove the password change option from user settings
  3. Add Multi-Factor Authentication:
    • Configure TOTP or other MFA methods for additional security
    • Add MFA stages to your authentication flows

Note: When using social providers exclusively, consider disabling local password authentication to ensure that if a user’s social account is deactivated, they cannot bypass this by using local credentials.

Conclusion

Automatically setting the username to the user’s email address during enrollment in Authentik streamlines the user experience and prevents common redirection issues. By using expression policies and properly configuring flow bindings, you can create a seamless authentication process that maintains context throughout the entire flow.

This approach is particularly valuable when integrating with social identity providers like Google, as it eliminates manual username entry while preserving the authentication context needed for proper redirection back to your application.

Remember to thoroughly test your configuration with new users and different scenarios to ensure a smooth authentication experience for all users.


Posted

in

by

Tags:

Comments

Leave a Reply

Your email address will not be published. Required fields are marked *