ghndrx/authentik-terraform
1
0
Fork 0
mirror of https://github.com/ghndrx/authentik-terraform.git synced 2026-02-10 06:44:58 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
5d2535067e9fb382b941274c4a597b9bdfd6bc1b
authentik-terraform/source-google.tf
Greg Hendrickson 5d2535067e feat: Add custom MFA authentication flow with configurable enforcement 
- Add authentication-flow.tf with complete MFA auth flow:
  - Identification -> Password -> MFA validation -> Session stages
  - Brute-force reputation policy binding
  - Evaluates policies on plan for user context

- Add configuration variables:
  - enable_mfa_flow: Toggle custom MFA flow (default: false)
  - mfa_enforcement: skip/configure/deny (default: configure)

- Fix existing issues:
  - rbac-groups.tf: parent -> parents (list)
  - source-google.tf: Use variables instead of deprecated sops
  - Google source now conditional (created only if credentials provided)

- Update README:
  - Document MFA enforcement levels
  - Add authentication-flow.tf to file structure
  - Explain Option 1 (Terraform) vs Option 2 (manual UI) for MFA setup

Security: Custom flow includes brute-force protection policy bound
at flow level, not just stage level.
2026-02-09 16:03:32 +00:00

34 lines
1.1 KiB
HCL
Raw Blame History

# =============================================================================
# Google Workspace Federation
# Allow users to sign in with their Google Workspace accounts
# =============================================================================
# Google OAuth Source - Only created if credentials are provided
resource "authentik_source_oauth" "google" {
count = var.google_client_id != "" ? 1 : 0
name = "Google Workspace"
slug = "google"
authentication_flow = data.authentik_flow.default_authentication.id
enrollment_flow = data.authentik_flow.default_enrollment.id
provider_type = "google"
consumer_key = var.google_client_id
consumer_secret = var.google_client_secret
# PKCE method - S256 is recommended
pkce = "S256"
# User matching - link by email
user_matching_mode = "email_link"
# Policy engine
policy_engine_mode = "any"
# Enable for login page
enabled = true
}
# Note: After applying, the Google login button will appear on the Authentik login page.
# Users with matching emails will be linked; new users will be enrolled.
Reference in New Issue View Git Blame Copy Permalink