Syncs groups between Authentik and Outline. Users will be added/removed from Outline groups depending on what Authentik groups they're in, on each sign in.
This was inspired by this similar connector for Outline and Keycloak! I created this for internal use at WiiLink and to learn FastAPI and Docker.
Outline groups that are named the same as Authentik groups will be linked together. Users who are in an Authentik group but not in a linked Outline group will be added to the Outline group. Conversely, if a user is not in a linked Authentik group, but is in an Outline group, they will be removed from that group.
This connector listens for users.signin webhook events from Outline. Once a user signs into Outline, this connector will check for matching groups, and add/remove the user to those groups accordingly.
- Outline API key
- Authentik API key
- Reverse proxy to apply HTTPS
- Python 3.11.1 or higher (not required if using Docker)
- Docker and Docker Compose (optional)
- Login to your Outline instance. Click your profile in the bottom left, then go to Preferences.
- On the sidebar, click API. At the top right, select New API Key..., and give it a name like
Outline Authentik Connector. - Save the API key somewhere safe to fill in later.
- On the sidebar, click Webhooks. At the top right, select New webhook..., and give it a name like
Outline Authentik Connector. Copy the signing secret and save it somewhere safe to fill in later. - Enter in the URL of a subdomain you plan to host the connector on, and make sure it ends in
/sync. This is important. Then, tick the box for users.signin, and then scroll all the way down and click Create.
- Login to your Authentik instance, and access the Admin interface.
- On the sidebar, go to Users, and then Create Service account. Turn off Create group and Expiring unless you want to rotate the token manually after expiry. Give it a username and create the account.
- Find your newly created service account, go to Permissions, and under Assigned global permissions, search for and assign the permissions
Can view GroupandCan view User. - Go back to Overview and select to Impersonate.
- Go to the settings gear in the top right, then go to Tokens and App passwords. Click the Create Token button.
- Set an identifier for the token, and optionally, a description.
- Click Copy token next to the token you made, and save it somewhere safe to fill in later.
Now, choose whether to setup the connector with Docker or manually.
The connector can be deployed with Docker Compose for quick and easy setup.
- Grab the
docker-compose.ymlfile here, as well as the.env.examplefile here. - Change
.env.exampleto.env, and fill it in with your Authentik and Outline configuration. - Start the connector with
docker compose up -d. By default, the connector will be exposed on port8430. - Use a reverse proxy to proxy the connector to a subdomain with HTTPS.
- Install requirements.
pip3 install -r requirements.txt- Copy the environment configuration, and fill it in with your Authentik and Outline configuration.
cp .env.example .env
nano .env- Start the connector.
fastapi run connect.py --port 8430- Use a reverse proxy to proxy the connector to a subdomain with HTTPS.