Authentik OIDC Configuration Guide
March 27, 2026
Note: This guide is confirmed to be working as of November 10, 2025.
This guide provides step-by-step instructions for configuring Authentik as the OIDC identity provider for the ATT&CK Workbench REST API.
Prerequisites
- Authentik server installed and accessible
- Administrator access to Authentik
- ATT&CK Workbench REST API installed
Overview
This guide focuses on configuring Authentik as your OIDC provider. After completing Authentik setup:
- Proceed to REST API Configuration to configure the Workbench REST API
- Then follow Testing & Verification to confirm everything works
This guide covers only the Authentik-specific configuration steps.
Step 1: Create OAuth2/OpenID Provider
1. Log into Authentik as an administrator
2. Navigate to Providers:
   - Go to Applications → Providers
   - Click Create
3. Select Provider Type:
   - Choose OAuth2/OpenID Provider
4. Configure the Provider:
   - Name: ATT&CK Workbench (or your preferred name)
   - Authentication flow: default-authentication-flow (or your custom flow)
   - Authorization flow: default-provider-authorization-explicit-consent (recommended) or default-provider-authorization-implicit-consent
   - Client type: Confidential (required)
   - Client ID: Auto-generated (you'll need this later)
   - Client Secret: Auto-generated (you'll need this later)
   - Redirect URIs/Origins (RegEx): Add your callback URL(s):
     - For a single environment:
       https://workbench.example.com/api/authn/oidc/callback
     - For multiple environments, add each on a separate line:
       http://localhost:3000/api/authn/oidc/callback
       https://workbench.example.com/api/authn/oidc/callback
   - Signing Key: authentik Self-signed Certificate (or your custom key)
5. Advanced Settings (expand if needed):
   - Scopes: Ensure these are included (usually default): openid, email, profile
   - Subject mode: Based on the User's hashed ID (default is fine)
   - Include claims in id_token: true (recommended)
6. Save the provider
7. Note the credentials (you'll need these for REST API configuration):
   - Go back to the provider you just created
   - Copy the Client ID
   - Copy the Client Secret (click the "Copy" button)
Step 2: Create Application
1. Navigate to Applications:
   - Go to Applications → Applications
   - Click Create
2. Configure the Application:
   - Name: ATT&CK Workbench
   - Slug: attack-workbench (or your preference)
   - Provider: Select the provider you created in Step 1
   - Policy engine mode: any (or configure based on your needs)
   - UI settings (optional): Add icon, description, launch URL
3. Save the application
Step 3: Note the Issuer URL
The issuer URL format for Authentik is:
https://<your-authentik-domain>/application/o/<application-slug>/
For example:
- If your Authentik is at: https://authentik.example.com
- And your application slug is: attack-workbench
- Then your issuer URL is: https://authentik.example.com/application/o/attack-workbench/
Note the trailing slash - it's required!
Save this issuer URL - you'll need it for REST API configuration.
Next Steps
You've completed the Authentik configuration. Now proceed with:
1. Configure the REST API - Set up the Workbench REST API to use Authentik. You'll need these values from the steps above:
   - Issuer URL: https://<your-authentik-domain>/application/o/<application-slug>/ (from Step 3)
   - Client ID: From Step 1
   - Client Secret: From Step 1
2. Test & Verify - Confirm authentication is working correctly
Troubleshooting
Authentik Issuer URL Format
Issue: Discovery fails with Authentik.
Solution: Verify the issuer URL format is correct:
https://<your-authentik-domain>/application/o/<application-slug>/
Important notes:
- The trailing slash is required
- The application slug must match exactly (case-sensitive)
- Verify by fetching the discovery document, which sits directly under the issuer URL:
  https://<your-authentik-domain>/application/o/<application-slug>/.well-known/openid-configuration
Authentik Scope Configuration
Issue: Missing user information after authentication.
Solution: In Authentik provider settings, ensure:
- Scopes include: openid, email, profile
- "Include claims in id_token" is enabled in Advanced Settings
- Users have email addresses configured in Authentik
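The two troubleshooting cases above (issuer URL format and scope configuration) can be checked before any login attempt. The script below is an added example, not code from the Workbench project or from Authentik: it builds the issuer URL in Authentik's format, flags a missing trailing slash or wrong path, and compares a discovery document against the configured issuer and the required scopes. The discovery document it uses is a constructed sample for this guide's example slug, not a live capture; in practice you would feed it the JSON fetched from the .well-known URL.

```python
import json
from urllib.parse import urlsplit

REQUIRED_SCOPES = ("openid", "email", "profile")

def build_issuer_url(authentik_domain: str, application_slug: str) -> str:
    # Authentik issuer format: https://<domain>/application/o/<slug>/ (trailing slash included)
    return f"https://{authentik_domain}/application/o/{application_slug}/"

def discovery_url(issuer: str) -> str:
    # The discovery document sits directly under the issuer, so the slash must already be there
    return issuer + ".well-known/openid-configuration"

def check_issuer_url(issuer: str) -> list:
    # Format problems in a configured issuer URL; an empty list means it looks right
    problems = []
    parts = urlsplit(issuer)
    if parts.scheme != "https":
        problems.append("issuer must use https")
    if not parts.path.endswith("/"):
        problems.append("issuer is missing the required trailing slash")
    segments = parts.path.strip("/").split("/")
    if len(segments) != 3 or segments[:2] != ["application", "o"]:
        problems.append("issuer path must be /application/o/<application-slug>/")
    return problems

def check_discovery(issuer: str, discovery_json: str) -> list:
    # OIDC Discovery requires the document's "issuer" to equal the configured one exactly
    # (slash and slug case included), so a bad value is caught before any login attempt
    problems = check_issuer_url(issuer)
    doc = json.loads(discovery_json)
    if doc.get("issuer") != issuer:
        problems.append(f"discovery issuer {doc.get('issuer')!r} != configured {issuer!r}")
    missing = [s for s in REQUIRED_SCOPES if s not in doc.get("scopes_supported", [])]
    if missing:
        problems.append("provider does not advertise scopes: " + ", ".join(missing))
    return problems

# Constructed sample of a discovery document for this guide's example slug (not a live capture)
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://authentik.example.com/application/o/attack-workbench/",
    "authorization_endpoint": "https://authentik.example.com/application/o/authorize/",
    "token_endpoint": "https://authentik.example.com/application/o/token/",
    "scopes_supported": ["openid", "email", "profile"],
})

if __name__ == "__main__":
    good = build_issuer_url("authentik.example.com", "attack-workbench")
    for candidate in (good, good.rstrip("/"), good.replace("attack-workbench", "ATTACK-Workbench")):
        print(candidate, "->", check_discovery(candidate, SAMPLE_DISCOVERY) or "OK")
```

Running it prints OK for the correct issuer and lists the problems for the slash-less and wrong-case variants, which is the same mismatch the REST API's discovery step trips over.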
Advanced Configuration
Custom User Attributes
Authentik supports custom user attributes. To use them with Workbench:
- Create a custom property mapping in Authentik
- Add it to your provider's scope mappings
- The claims will be available in the OIDC token
MFA / 2FA
Authentik supports Multi-Factor Authentication:
- Configure MFA in Authentik authentication flow
- No changes needed in Workbench REST API
- Users will be prompted for MFA during Authentik login
Single Logout
Currently, logging out of Workbench only logs the user out of the REST API session, not from Authentik. Users remain logged into Authentik and can re-authenticate without entering credentials.
To implement full logout, you would need to:
- Redirect to Authentik's end session endpoint after logout
- This requires custom frontend modifications