
Authentik Webhooks

Email

For email, we don't need to set up a custom webhook; Authentik's built-in email transport is enough.

Click Events -> Notification Rules.

Delete the policy that was created.

Click Create Policy and choose Event Matcher Policy.

Action: Login

Pangolin Integration API

Follow the docs to enable the integration API. Yes, you do need a separate subdomain, different from your Pangolin web UI domain.

Generate an API key in the Pangolin admin interface.

You can now send API requests via Postman (or any HTTP client), e.g. to create a new resource rule:

PUT https://pangolin-api.thomaswildetech.com/v1/resource/5/rule

Headers

Authorization: Bearer <your API key>
Content-Type: application/json

Body

{
  "action": "ACCEPT",
  "match": "IP",
  "value": "[IP_address]",
  "priority": 0,
  "enabled": true
}

You should now see that rule listed on the resource.
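The same call from a script instead of Postman, as an added example (not Pangolin's SDK and not the post's own code). It encodes the two request shapes the post relies on: PUT .../v1/resource/{id}/rule creates a rule, POST .../v1/resource/{id}/rule/{ruleId} updates one. It also validates the address before sending, since a placeholder such as "[IP_address]" or 0.0.0.0 should never end up in an ACCEPT rule. The base URL, the PANGOLIN_API_KEY environment variable, the fake response and the sample addresses are assumptions; the `send` callable is injectable so the exact request can be inspected offline.

```python
"""Tiny stdlib client for Pangolin resource rules (added example, not Pangolin's code)."""
import ipaddress
import json
import os
import urllib.request
from typing import Callable, Optional


def is_allowlistable(ip: str) -> bool:
    """True only for a syntactically valid address a client could really arrive from."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:  # e.g. the literal placeholder "[IP_address]"
        return False
    # 0.0.0.0 / :: never appear as a source address; loopback, link-local and
    # multicast are not routable to Pangolin's public edge either.
    return not (addr.is_unspecified or addr.is_loopback
                or addr.is_link_local or addr.is_multicast)


def rule_body(ip: str, priority: int, enabled: bool = True) -> dict:
    """Build the JSON body the /rule endpoints expect for a single-IP ACCEPT rule."""
    if not is_allowlistable(ip):
        raise ValueError(f"refusing to allow-list {ip!r}")
    if priority < 0:
        raise ValueError("priority must be non-negative")
    return {"action": "ACCEPT", "match": "IP", "value": ip,
            "priority": priority, "enabled": enabled}


class PangolinRules:
    def __init__(self, base_url: str, api_key: str, send: Optional[Callable] = None):
        self.base_url = base_url.rstrip("/")
        self.api_key = api_key
        self.send = send or self._http_send  # injectable transport for offline tests

    def _headers(self) -> dict:
        return {"Authorization": f"Bearer {self.api_key}",
                "Content-Type": "application/json"}

    def create_rule(self, resource_id: int, body: dict):
        """Pangolin creates with PUT (note the inverted verbs)."""
        url = f"{self.base_url}/v1/resource/{resource_id}/rule"
        return self.send("PUT", url, self._headers(), body)

    def update_rule(self, resource_id: int, rule_id: int, body: dict):
        """Pangolin updates with POST; this is the verb Authentik's webhook transport sends."""
        url = f"{self.base_url}/v1/resource/{resource_id}/rule/{rule_id}"
        return self.send("POST", url, self._headers(), body)

    @staticmethod
    def _http_send(method: str, url: str, headers: dict, body: dict):
        req = urllib.request.Request(url, data=json.dumps(body).encode(),
                                     headers=headers, method=method)
        with urllib.request.urlopen(req, timeout=10) as resp:
            raw = resp.read().decode()
            return json.loads(raw) if raw else None


def recording_sender(log: list) -> Callable:
    """Offline stand-in for the network: records each request, returns a constructed reply."""
    def send(method, url, headers, body):
        log.append({"method": method, "url": url, "headers": headers, "body": body})
        return {"success": True}  # constructed; not Pangolin's real response shape
    return send


if __name__ == "__main__":
    # Real use: the key comes from the environment rather than being pasted into the script.
    client = PangolinRules("https://pangolin-api.domain.com", os.environ["PANGOLIN_API_KEY"])
    print(client.create_rule(5, rule_body("203.0.113.7", 0)))
```

Use the narrowly scoped "update rules" key for anything automated and keep the broader "list" key for the one-off lookup of resource and rule IDs.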

Authentik User and Auto Provisioning

Let's quickly make sure user management is set up.

Create two groups in Directory -> Groups. Name one after your Pangolin organization and the other jellyfin.

Create a user, click the user, and set a password. Go to Groups and add the user to both groups.

In Pangolin, go to Identity Providers and open the Authentik provider.

Select Auto Provision Users.

Now go to Organization Policies.

Click Add Organization Policy.

The role mapping can be hard-coded to an existing role, such as 'Member'. Or, if you model roles as Authentik groups, you can use an expression as shown in the docs.

For the organization mapping, set an expression like

contains(groups, 'jellyfin')

or use your organization ID, assuming you created an Authentik group with that name. Congrats! Users created in Authentik will now automatically be added to your Pangolin organization.

Authentik Automated IP Whitelisting for Jellyfin

Pangolin Integration API

Follow the instructions to enable the API. You can use a domain like pangolin-api.domain.com. Restart the Docker stack.

You'll want scoped API keys. For Authentik you only need a key that is allowed to Update Resource Rules. Also generate a separate key that can list resources and resource rules, so you can look up the resource IDs and their rule IDs; keep that broader key out of Authentik.

Discussing Strategy

Because Authentik's webhook transport only sends POST requests, not PUT, and the Pangolin API does not follow the usual HTTP conventions (POST is used for updates and PUT for inserts), I have to take a different approach than originally intended.

I originally intended for every authentication to simply add a new rule whitelisting the IP address. Instead, I have to pre-create a placeholder rule for each Jellyfin user, then create a Notification Transport for each user, then a Notification Rule for each user. Each can use a Login policy but needs the individual user selected in the policy binding.

Authentik Implementation

Creating Webhook Mapping Properties

You need to configure the Webhook Mappings in Customization -> Property Mappings.

We only need one header mapping, for the Authorization header.

Hit Create -> Webhook Mapping. Call it Pangolin API Authorization.

The expression should be

return {
  "Authorization": "Bearer <token>",  # the scoped key that can only update resource rules
  "Content-Type": "application/json"
}

Anyone who can read this property mapping can read the key, so use the narrowly scoped one here.

For the body mapping, you will have to create a mapping for each user, only because the priority needs to be specified and rules can't share the same priority.

Hit Create -> Webhook Mapping. Call this Whitelist Jim's IP Body.

Set the Expression to

event = request.context['notification'].event  # the Event that triggered this notification
ip = getattr(event, 'client_ip', None)        # the source IP Authentik recorded for the login

return {
    "action": "ACCEPT",
    "match": "IP",
    "value": ip or "0.0.0.0",  # placeholder that matches no real client if no IP was recorded
    "priority": 100,  # must equal the priority of this user's placeholder rule in Pangolin
    "enabled": True
}

Creating Notification Transport

Click Events -> Notification Transports. We'll need a transport for each person we're doing this for.

Name -> jim-whitelist-ip-jellyfin-transport
Mode -> Webhook
URL -> https://pangolin-api.domain.com/v1/resource/1/rule/1
Body Mapping -> Whitelist Jim's IP Body
Header Mapping -> Pangolin API Authorization

Tip

Remember to replace the 1 values in the URL with the actual resource ID and rule ID.

Now click Events -> Notification Rules -> Create to create our first notification rule.

Name -> Update Jims Jellyfin IP
Group -> You can set this to the admin group. It doesn't really matter.
Transport -> jim-whitelist-ip-jellyfin-transport
Severity -> Alert (I don't think this matters)

After creating it, expand the row. If you haven't already created a Login policy, hit Create and bind Policy; otherwise, hit Bind existing Policy.

For the policy, if you haven't created one, simply name it "Login Policy" and set the action to Login. You don't need anything else.

For the binding, you also need to select the specific user this is for, i.e. Jim, so that this rule only fires for Jim's logins.

EDIT: The method above does not work per user with a simple Event Matcher policy. We need an Expression Policy that matches both the event and the user ID. This can be done with the following expression:

event = request.context.get("event")

return (
    event is not None
    and event.action == "login"
    and event.user.get("pk") == 6  # the Authentik user ID (pk) of the one user this rule is for
)
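To check both expressions before pasting them into Authentik, here is an offline harness, added as an example and not part of the post or of Authentik itself. Authentik evaluates a webhook body mapping and an expression policy with a `request` whose `.context` carries the notification (body mapping) or the event (policy); the fakes below model only those attributes. The user pk 6, the priority 100 and the sample addresses are constructed values. The body mapping here is also hardened to fail closed: when no usable client IP was recorded, the rule is sent disabled instead of enabled with a placeholder address.

```python
"""Offline harness for the Authentik body mapping and user-login policy (added example)."""
import ipaddress
from types import SimpleNamespace


def make_login_event(pk: int, client_ip, action: str = "login"):
    """Constructed Event: Authentik keeps the user as a dict and the source IP in client_ip."""
    return SimpleNamespace(action=action, client_ip=client_ip,
                           user={"pk": pk, "username": f"user{pk}"})


def make_notification(event):
    """Constructed Notification wrapping the triggering event, as the transport receives it."""
    return SimpleNamespace(event=event)


def make_request(event=None, notification=None):
    """Constructed PolicyRequest: only .context is modelled."""
    context = {}
    if event is not None:
        context["event"] = event
    if notification is not None:
        context["notification"] = notification
    return SimpleNamespace(context=context)


def whitelist_body(request, priority: int = 100) -> dict:
    """Webhook body mapping; same shape as the mapping above, but never enables a rule without a real IP."""
    event = request.context["notification"].event
    ip = getattr(event, "client_ip", None)
    usable = False
    if ip:
        try:
            usable = not ipaddress.ip_address(ip).is_unspecified
        except ValueError:  # garbage in client_ip: treat as unknown
            usable = False
    return {
        "action": "ACCEPT",
        "match": "IP",
        "value": ip if usable else "0.0.0.0",
        "priority": priority,  # must equal the placeholder rule's priority in Pangolin
        "enabled": usable,     # fail closed: no IP means no access, not a stale allow
    }


def login_policy_for_user(request, pk: int) -> bool:
    """Expression policy: fire only for a login event belonging to this one user."""
    event = request.context.get("event")
    return event is not None and event.action == "login" and event.user.get("pk") == pk


if __name__ == "__main__":
    ev = make_login_event(6, "198.51.100.4")
    print(login_policy_for_user(make_request(event=ev), 6))  # True
    print(whitelist_body(make_request(notification=make_notification(ev))))
```

In Authentik the expression fields take the function body only (the `return` sits at top level, as in the post), so copy the bodies of `whitelist_body` and `login_policy_for_user` rather than the `def` lines. Note that `client_ip` is whatever Authentik saw as the source address; if Authentik sits behind a reverse proxy that is not configured as trusted, every user will whitelist the proxy's address instead of their own.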

You're done! Users now whitelist their own IP address automatically by logging in to Authentik, which lets their Jellyfin client apps work through Pangolin without an auth redirect the apps cannot handle. Keep in mind that the rule allows the whole address, so anyone sharing that public IP with the user reaches Jellyfin too, and it stays in place until the user's next login updates it.
