I really enjoy using Windmill (as described over here), but it took me a bit to understand how to configure SSO based on their documentation. I was wondering how to add generic providers (which aren't supported out of the box, such as authentik). Here's what I did in my docker compose setup.
Create a new OAuth2 provider and application
This step is done in authentik and is not specific to Windmill. The process is similar to that for other services implementing SSO via OAuth2, and is documented here for example. The redirect URL used by Windmill will be https://my.windmill.domain/user/login_callback/authentik (replacing my.windmill.domain with the actual domain name used by Windmill, of course). Note that the last path segment, authentik, is the provider key used in the oauth.json file below; the two must match.
Create an oauth.json file
Now inside the docker compose directory for Windmill, create an oauth.json file with the following content (replacing my.authentik.domain with the actual domain name used by authentik):
{
  "authentik": {
    "id": "oauth_id",
    "secret": "oauth_secret",
    "login_config": {
      "auth_url": "https://my.authentik.domain/application/o/authorize/",
      "token_url": "https://my.authentik.domain/application/o/token/",
      "userinfo_url": "https://my.authentik.domain/application/o/userinfo/",
      "scopes": [
        "openid",
        "profile",
        "email"
      ]
    }
  }
}
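Since a typo in this file only shows up as a failed login later, it is worth checking the file before restarting anything. The following is an added example (not part of the original post and not Windmill's own code) that loads an oauth.json text, derives the redirect URL Windmill will use for each provider key from BASE_URL, and checks that every endpoint uses HTTPS, that the scopes include openid and email, and optionally that the endpoints agree with the provider's OIDC discovery document. The oauth.json text, the discovery document and the "bad" variant are constructed samples; the required-scope set is my choice, not a Windmill rule.

```python
import json
from urllib.parse import urlparse

# Constructed sample: the oauth.json from this post, with placeholder credentials.
SAMPLE_OAUTH_JSON = """
{
  "authentik": {
    "id": "oauth_id",
    "secret": "oauth_secret",
    "login_config": {
      "auth_url": "https://my.authentik.domain/application/o/authorize/",
      "token_url": "https://my.authentik.domain/application/o/token/",
      "userinfo_url": "https://my.authentik.domain/application/o/userinfo/",
      "scopes": ["openid", "profile", "email"]
    }
  }
}
"""

# Constructed sample of a broken file: plain-http token endpoint, openid/email scopes missing.
SAMPLE_BAD_OAUTH_JSON = """
{
  "authentik": {
    "id": "oauth_id",
    "secret": "oauth_secret",
    "login_config": {
      "auth_url": "https://my.authentik.domain/application/o/authorize/",
      "token_url": "http://my.authentik.domain/application/o/token/",
      "userinfo_url": "https://my.authentik.domain/application/o/userinfo/",
      "scopes": ["profile"]
    }
  }
}
"""

# Constructed subset of an OIDC discovery document (what a provider publishes under
# .well-known/openid-configuration). The issuer path is an assumed placeholder.
SAMPLE_DISCOVERY = {
    "issuer": "https://my.authentik.domain/application/o/windmill/",
    "authorization_endpoint": "https://my.authentik.domain/application/o/authorize/",
    "token_endpoint": "https://my.authentik.domain/application/o/token/",
    "userinfo_endpoint": "https://my.authentik.domain/application/o/userinfo/",
    "scopes_supported": ["openid", "profile", "email", "offline_access"],
}

# Scopes a login needs to identify the user by e-mail (my choice for this check).
REQUIRED_SCOPES = {"openid", "email"}

# Maps oauth.json keys to the discovery-document fields they must agree with.
ENDPOINT_FIELDS = {
    "auth_url": "authorization_endpoint",
    "token_url": "token_endpoint",
    "userinfo_url": "userinfo_endpoint",
}


def redirect_url(base_url, provider):
    """Redirect URL Windmill registers for a provider key, derived from BASE_URL."""
    return f"{base_url.rstrip('/')}/user/login_callback/{provider}"


def validate_provider(name, cfg, discovery=None):
    """Return a list of human-readable findings; an empty list means the entry looks consistent."""
    findings = []
    if not cfg.get("id") or not cfg.get("secret"):
        findings.append(f"{name}: both id and secret must be set")
    login = cfg.get("login_config", {})
    for key in ENDPOINT_FIELDS:
        url = login.get(key)
        if not url:
            findings.append(f"{name}: login_config.{key} is missing")
            continue
        scheme = urlparse(url).scheme
        if scheme != "https":
            findings.append(f"{name}: {key} must use https, got {scheme or 'no scheme'}")
    scopes = set(login.get("scopes", []))
    missing = REQUIRED_SCOPES - scopes
    if missing:
        findings.append(f"{name}: scopes lack {sorted(missing)}")
    if discovery:
        # Compare each configured endpoint with what the provider actually advertises.
        for key, field in ENDPOINT_FIELDS.items():
            if login.get(key) and discovery.get(field) and login[key] != discovery[field]:
                findings.append(f"{name}: {key} differs from provider {field}: {discovery[field]}")
        unsupported = scopes - set(discovery.get("scopes_supported", scopes))
        if unsupported:
            findings.append(f"{name}: provider does not advertise scopes {sorted(unsupported)}")
    return findings


def check_oauth_json(text, base_url, discovery_by_provider=None):
    """Parse oauth.json text and report redirect URL plus findings per provider key."""
    config = json.loads(text)
    report = {}
    for name, cfg in config.items():
        disc = (discovery_by_provider or {}).get(name)
        report[name] = {
            "redirect_url": redirect_url(base_url, name),
            "findings": validate_provider(name, cfg, disc),
        }
    return report


if __name__ == "__main__":
    for sample in (SAMPLE_OAUTH_JSON, SAMPLE_BAD_OAUTH_JSON):
        for provider, result in check_oauth_json(sample, "https://my.windmill.domain",
                                                 {"authentik": SAMPLE_DISCOVERY}).items():
            print(provider, result["redirect_url"], result["findings"] or "ok")
```

Run it against the real file with `check_oauth_json(open("oauth.json").read(), BASE_URL)`; the printed redirect URL is the one to paste into the authentik provider. Passing the discovery document as well catches the most common mistake, an endpoint path that differs by a slash or segment from what the provider serves.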
Update the docker-compose.yml file
In the last step, the docker-compose.yml file used by Windmill needs to be updated to make the previously created oauth.json file available to Windmill. To do so, add a new entry to the volumes section of the windmill service. The complete file should look something like this:
services:
  db:
    image: postgres:14
    restart: unless-stopped
    volumes:
      - ./db_data:/var/lib/postgresql/data
    environment:
      - POSTGRES_PASSWORD=myDatabasePassword
      - POSTGRES_USER=myDatabaseUser
      - POSTGRES_DB=myDatabaseName
    healthcheck:
      # pg_isready only checks that the server accepts connections; it does not authenticate,
      # so the user name here need not match POSTGRES_USER.
      test: ['CMD-SHELL', 'pg_isready -U windmill']
      interval: 10s
      timeout: 30s
      retries: 5
  windmill:
    image: ghcr.io/windmill-labs/windmill:main
    restart: unless-stopped
    ports:
      - 8000:8000
    environment:
      - DATABASE_URL=postgres://myDatabaseUser:myDatabasePassword@db/myDatabaseName?sslmode=disable
      - BASE_URL=https://my.windmill.domain
      - RUST_LOG=info
      - NUM_WORKERS=3
    volumes:
      # Mounts the oauth.json created above where Windmill reads its SSO configuration.
      - ./oauth.json:/usr/src/app/oauth.json
    depends_on:
      db:
        condition: service_healthy
Restart Windmill
For the changes to apply, re-create the Windmill docker containers using docker compose up --detach --force-recreate (a plain restart is not enough, since the new volume mount is only picked up when the container is re-created).
Login
Wait for Windmill to restart. Afterwards authentik should appear as a new login method: