Default application binding

[DrMurx]

The documentation reads:

By default, all users can access applications when no policies are bound.

This feels against all security best practices, as default settings should be as limited as possible.

I'd like to propose a "Default Binding" for applications which is always in place for all applications with no custom bindings. This default binding should be set to "Deny all users" policy initially. The administrator might customize it to their taste.

For backwards compatibility, the default binding may be set to an "Allow all users" policy for existing Authentik setups so it doesn't break logins when the administrator upgrades from an Authentik version which doesn't have this feature.

[yacob841]

Yeah, I was surprised at this. I finally added a second user and had to go through all apps assigning them policies to fix it. It’s disappointing this has been unaddressed for so long. Security tip, always default closed…

[BeryJu]

Initially we'll add this as a system setting which, when enabled, will make applications inaccessible without any policies/etc attached

[Simon-CR]

I have the same issue where I need to revisit each of my applications in order to create binding that I should be able to have as my "default"

[pingiun]

For the people who follow this issue, how I've solved it is I set a policy on my authorization flow that looks like this:

from authentik.policies.models import PolicyBinding

return PolicyBinding.objects.filter(target__pk=context['application'].pk, enabled=True).first() is not None

If you set this on all your authorization flows (I only have explicit and implicit), authorization will only proceed if any (enabled) policy has been added to the application. You can of course check the applied policy bindings for other things, but for me I just wanted to check for any policy.

[micky-devs]

For the people who follow this issue, how I've solved it is I set a policy on my authorization flow that looks like this:

from authentik.policies.models import PolicyBinding

return PolicyBinding.objects.filter(target__pk=context['application'].pk, enabled=True).first() is not None
If you set this on all your authorization flows (I only have explicit and implicit), authorization will only proceed if any (enabled) policy has been added to the application. You can of course check the applied policy bindings for other things, but for me I just wanted to check for any policy.

Despite what I initially thought I don't think this is a viable solution as in my testing when I add a custom policy expression like this onto the implicit and explicit default flows it only blocks apps with no bindings if it is the first app that the user tries to access. If however they use an application which does have at least one binding already in the first instance then they will be able to access the other applications with no bindings, this is because the auth flow and thus the policy is not re-run for each application, they have already been granted access to all the applications on that page and the policy will only re-evaluate when they re-auth. @pingiun this is defo something to be aware of, for now I'm going to implement a policy very much like this that blocks based on the number of bindings but done on the application level not the flow level, it does mean that I have to make sure to add this default policy to all apps though.

This is the code I'm using for that default app policy just in case it's useful to anyone

from authentik.policies.models import PolicyBinding
from authentik.core.models import Application

try:
    app = Application.objects.get(name=request.obj)
    app_policy_bindings = PolicyBinding.objects.filter(
        target__pk=app.pk, 
        enabled=True
    )
    app_policy_binding_count = app_policy_bindings.count()
    ak_message(f"Application: {app.name} has {app_policy_binding_count} bindings")

    return app_policy_binding_count > 1

except Exception as e:
  ak_message(f"failed to assess application policy bindings with exception {e}")
  return False

From the looks of it this is an issue being actively worked on and there should be a better solution coming soon.

[eazylaykzy]

For the people who follow this issue, how I've solved it is I set a policy on my authorization flow that looks like this:
from authentik.policies.models import PolicyBinding
return PolicyBinding.objects.filter(target__pk=context['application'].pk, enabled=True).first() is not None
If you set this on all your authorization flows (I only have explicit and implicit), authorization will only proceed if any (enabled) policy has been added to the application. You can of course check the applied policy bindings for other things, but for me I just wanted to check for any policy.

Despite what I initially thought I don't think this is a viable solution as in my testing when I add a custom policy expression like this onto the implicit and explicit default flows it only blocks apps with no bindings if it is the first app that the user tries to access. If however they use an application which does have at least one binding already in the first instance then they will be able to access the other applications with no bindings, this is because the auth flow and thus the policy is not re-run for each application, they have already been granted access to all the applications on that page and the policy will only re-evaluate when they re-auth. @pingiun this is defo something to be aware of, for now I'm going to implement a policy very much like this that blocks based on the number of bindings but done on the application level not the flow level, it does mean that I have to make sure to add this default policy to all apps though.

This is the code I'm using for that default app policy just in case it's useful to anyone

from authentik.policies.models import PolicyBinding
from authentik.core.models import Application

try:
app = Application.objects.get(name=request.obj)
app_policy_bindings = PolicyBinding.objects.filter(
target__pk=app.pk,
enabled=True
)
app_policy_binding_count = app_policy_bindings.count()
ak_message(f"Application: {app.name} has {app_policy_binding_count} bindings")

return app_policy_binding_count > 1

except Exception as e:
ak_message(f"failed to assess application policy bindings with exception {e}")
return False
From the looks of it this is an issue being actively worked on and there should be a better solution coming soon.

@MichaelReubenDev You did a good job, but that wasn't fine-grain enough for my use-case, if the policy is > 1, any user gets access to any application, I only want user to be able to access the application based on their Group, and any user with the authentik Admins gets automatic access.

Below is my policy snippet;

from authentik.policies.models import PolicyBinding
from authentik.core.models import Application

try:
  app = Application.objects.get(name=request.obj)
  app_policy_bindings = PolicyBinding.objects.filter(target__pk=app.pk, enabled=True).order_by("order")
  user_groups = [group.name for group in request.user.ak_groups.all()]

  # if user belongs to the "authentik Admins" group, they should have all privilege
  if ak_is_group_member(request.user, name="authentik Admins"):
    return True

  for binding in app_policy_bindings:
    if binding.group is not None:
      if binding.group.name in user_groups:
        #ak_message(f"binding: {binding.group.name}")
        return True

  ak_message(f"You have no sufficient permission to \"{app.name}\" Application")
  return False

except Exception as e:
  ak_message(f"failed to assess application policy bindings with exception {e}")
  return False

[pingiun]

@micky-devs just looking at this again now. Was your comment about the authorization or the authentication flow? I added the policy in my comment to the authorization flow, I think that should work because it's for authorizing an app right?

[Cheekie25]

For the people who follow this issue, how I've solved it is I set a policy on my authorization flow that looks like this:

from authentik.policies.models import PolicyBinding



return PolicyBinding.objects.filter(target__pk=context['application'].pk, enabled=True).first() is not None

If you set this on all your authorization flows (I only have explicit and implicit), authorization will only proceed if any (enabled) policy has been added to the application. You can of course check the applied policy bindings for other things, but for me I just wanted to check for any policy.

What about applications that are not yet registered in Authentik and that are only protected by a Forward Auth Domain Level ?
Any way to block their access thanks to the policy if no Authentik Application or dedicated Provider is associated to this url ?

[BeryJu]

@Cheekie25 if they are behind forward auth domain level, then they count as the configured forward auth app in authentik

[Cheekie25]

@Cheekie25 if they are behind forward auth domain level, then they count as the configured forward auth app in authentik

Yes indeed, but the forward auth app is usually configured to give access to any User thanks to a group policy.
Then, I don't find any way to specify an additional policy in the foward auth app to block Users access to applications that don't have a dedicated provider in addition to the Foward Auth Domain Level one, which would be great !