Setting Username to Email on Enrollment in Authentik
Introduction
Authentik is a powerful identity provider that offers flexible authentication flows for various applications. One common requirement when integrating with external identity providers like Google is to automatically set a user’s username to their email address during enrollment. This approach simplifies the user experience and prevents redirection issues that can occur when users are prompted to manually enter a username.
This article will guide you through the process of configuring Authentik to automatically set a user’s username to their email address during the enrollment process, particularly when using social providers like Google.
Why Set Username to Email?
There are several benefits to automatically setting the username to the user’s email address:
- Simplified User Experience: Users don’t need to create and remember a separate username.
- Reduced Friction: Eliminates an extra step in the enrollment process.
- Prevents Redirection Issues: Maintains the redirect context throughout the authentication flow.
- Ensures Uniqueness: Email addresses are already unique, making them ideal username candidates.
Prerequisites
Before implementing this solution, ensure you have:
- Administrative access to your Authentik instance
- A configured OAuth2/OIDC provider (like Google)
- A basic understanding of Authentik flows and policies
Implementation Steps
Step 1: Create an Expression Policy
First, we’ll create an Expression Policy that will set the username to the email address:
- Navigate to Customisation → Policies
- Click Create
- Select Expression Policy
- Configure the policy with the following settings:
- Name: Set Username to Email
- Expression:
request.context["prompt_data"]["username"] = request.context["prompt_data"]["email"]
return True
- Click Create
This policy copies the email address from the prompt_data context into the username field of the same context, so the username is already populated when the prompt stage renders.
Step 2: Bind the Policy to the Enrollment Flow
Next, we’ll bind this policy to the enrollment flow’s prompt stage:
- Navigate to Flows & Stages → Flows
- Find and click on your enrollment flow (typically default-source-enrollment)
- Click on the Stage Bindings tab
- Locate the prompt stage (typically default-source-enrollment-prompt)
- Click the expand arrow (>) next to the prompt stage
- Click Bind existing Policy / Group / User
- Select the Policy tab
- Choose the “Set Username to Email” policy you created earlier
- Configure the binding:
- Enabled: Yes
- Order: -1 (to ensure it runs before other policies)
- Timeout: 30 (default is fine)
- Failure result: Don’t pass
- Click Create
Step 3: Configure the Prompt Stage (Optional)
You may want to configure the prompt stage to ensure a smooth user experience:
- From the Stage Bindings screen, click Edit Stage for the prompt stage
- Ensure the username field is configured correctly
- Consider disabling validation for the username field if you want to allow any email format
Step 4: Test the Flow
To verify your configuration:
- Open an incognito/private browser window
- Navigate to your application’s login page
- Select the social login option (e.g., Google)
- Complete the authentication with the external provider
- When redirected to the enrollment form, verify that the username field is automatically filled with the email address
- Complete the enrollment process
- Verify that you’re correctly redirected back to your application
Troubleshooting
If you encounter issues with this implementation, consider the following troubleshooting steps:
Username Not Being Set
- Verify that the expression policy is correctly bound to the prompt stage
- Check that the policy order ensures it runs before other policies
- Add debug statements to your expression policy:
print("Email in prompt_data:", request.context["prompt_data"].get("email"))
request.context["prompt_data"]["username"] = request.context["prompt_data"]["email"]
print("Username set to:", request.context["prompt_data"].get("username"))
return True
Redirection Issues
If you’re still experiencing redirection issues after enrollment:
- Create a debug policy to track the redirect URL:
print("Redirect URL:", context.get("redirect"))
return True
- Bind this policy to various stages in your flow to see where the redirect URL might be getting lost
- Check your OAuth2 provider configuration to ensure redirect URIs are correctly set
Flow Denial Errors
If you see “Request has been denied” or “Flow does not apply to current user” errors:
- Check application permissions to ensure the user has access
- Verify that all policy bindings in the flow are correctly configured
- Look for any template variables in the flow that might not be properly populated
Advanced Configuration
Customizing the Username Format
You might want to use only part of the email as the username. Modify your expression policy like this:
# Get email from prompt_data
email = request.context["prompt_data"].get("email", "")
# Use only the part before @ as username
if "@" in email:
    username = email.split("@")[0]
else:
    username = email
request.context["prompt_data"]["username"] = username
return True
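As an added illustration (not code from this article or from Authentik), the two policy bodies above are rewritten as ordinary Python functions that take a constructed stand-in for request.context, so the edge cases worth checking before binding the policy can be exercised offline: a source that returns no email at all, mixed-case addresses, and the loss of uniqueness when only the part before @ is kept. The function names, the existing set and the sample contexts are assumptions made for the example; in a real expression policy the collision lookup would use Authentik's documented ak_user_by(username=...) helper instead of a set.

```python
# Added example, not Authentik's code: the Step 1 policy and the
# "local part only" variant as plain functions over a constructed context.
from typing import Optional


def set_username_to_email(context: dict) -> bool:
    """Step 1 policy, made fail-closed.

    Copies prompt_data["email"] into prompt_data["username"] and returns the
    policy result (True passes, False is what the binding reports as
    "Don't pass"). The one-line original raises KeyError when the source
    returned no email; returning False keeps the denial an explicit policy
    result instead of an exception.
    """
    prompt_data = context.setdefault("prompt_data", {})
    email = (prompt_data.get("email") or "").strip()
    if "@" not in email:
        return False
    # Lowercase so "Alice@Example.com" and "alice@example.com" become one
    # account rather than two (a design choice of this example).
    prompt_data["username"] = email.lower()
    return True


def set_username_to_local_part(context: dict, existing: Optional[set] = None) -> bool:
    """Variant from "Customizing the Username Format".

    Keeping only the part before "@" discards the uniqueness a full address
    gives you (alice@a.example and alice@b.example collide), so the policy
    also refuses when the candidate already belongs to another account.
    `existing` is a stand-in for that user lookup (hypothetical).
    """
    prompt_data = context.setdefault("prompt_data", {})
    email = (prompt_data.get("email") or "").strip().lower()
    if "@" not in email:
        return False
    candidate = email.split("@", 1)[0]
    if existing is not None and candidate in existing:
        return False
    prompt_data["username"] = candidate
    return True


# Constructed sample contexts: the shapes prompt_data can take after a social
# login that matter here (normal, mixed case, missing email).
SAMPLE_CONTEXTS = {
    "normal": {"prompt_data": {"email": "alice@example.com", "name": "Alice"}},
    "mixed_case": {"prompt_data": {"email": "Bob.Smith@Example.COM"}},
    "no_email": {"prompt_data": {"name": "No Mail"}},
}


def run_samples() -> dict:
    """Run the full-address policy over the samples.

    Returns {sample name: (policy result, resulting username or None)}.
    """
    results = {}
    for name, ctx in SAMPLE_CONTEXTS.items():
        ctx = {"prompt_data": dict(ctx["prompt_data"])}  # fresh copy per run
        passed = set_username_to_email(ctx)
        results[name] = (passed, ctx["prompt_data"].get("username"))
    return results


if __name__ == "__main__":
    for name, (passed, username) in run_samples().items():
        print(f"{name:10s} pass={passed} username={username}")
```

Binding the policy with Failure result set to Don't pass, as in Step 2, means the False return for a missing email stops the enrollment at the prompt stage rather than letting the user submit a blank username.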
Adding Security Enhancements
For enhanced security, consider these additional configurations:
- Disable Username and Password Editing:
- Navigate to User Settings in Authentik
- Disable the ability for users to change their username and password
- Remove Local Password Authentication:
- If you want users to authenticate exclusively through social providers
- Remove the password change option from user settings
- Add Multi-Factor Authentication:
- Configure TOTP or other MFA methods for additional security
- Add MFA stages to your authentication flows
Note: When using social providers exclusively, consider disabling local password authentication to ensure that if a user’s social account is deactivated, they cannot bypass this by using local credentials.
Conclusion
Automatically setting the username to the user’s email address during enrollment in Authentik streamlines the user experience and prevents common redirection issues. By using expression policies and properly configuring flow bindings, you can create a seamless authentication process that maintains context throughout the entire flow.
This approach is particularly valuable when integrating with social identity providers like Google, as it eliminates manual username entry while preserving the authentication context needed for proper redirection back to your application.
Remember to thoroughly test your configuration with new users and different scenarios to ensure a smooth authentication experience for all users.