Replies: 1 comment
Hi, I'm not sure how to implement this in Docker Compose. However, I managed to do it using the Helm chart for Kubernetes installation. For debugging, I use https://hub.docker.com/r/traefik/whoami

In the helm chart values, declare the blueprint to be loaded:

```yaml
# Blueprint system configuration
blueprints:
  # List of ConfigMaps containing blueprints
  # Only keys ending with .yaml will be discovered and applied
  configMaps:
    - "whoami-forward-auth-blueprint"
```

This is the manifests file:

```yaml
# File: manifests/073-authentik-whoami-blueprint.yaml
#
# Description:
#   Authentik blueprint that automates the configuration of whoami application
#   Creates application, proxy provider, and outpost assignment for forward authentication
#   MUST be applied BEFORE deploying Authentik with Helm
#
# Usage:
#   kubectl apply -f 073-authentik-whoami-blueprint.yaml
#
# Prerequisites:
#   - Authentik namespace must exist
#   - This blueprint will be automatically discovered and applied when Authentik starts
#
# This blueprint replaces these manual UI steps:
#   1. Create Application (name: whoami, slug: whoami)
#   2. Create Proxy Provider (name: whoami-provider, forward auth mode)
#   3. Link Provider to Application
#   4. Assign Application to Embedded Outpost
apiVersion: v1
kind: ConfigMap
metadata:
  name: whoami-forward-auth-blueprint
  namespace: authentik
  labels:
    app.kubernetes.io/name: authentik
    app.kubernetes.io/component: blueprint
    blueprints.goauthentik.io/instantiate: "true"
data:
  whoami-simple.yaml: |
    # yaml-language-server: $schema=https://goauthentik.io/blueprints/schema.json
    version: 1
    metadata:
      name: "Complete Whoami Forward Auth Setup"
      labels:
        blueprints.goauthentik.io/instantiate: "true"
    context: {}
    entries:
      # Create the proxy provider first (referenced by application)
      - model: authentik_providers_proxy.proxyprovider
        state: present
        identifiers:
          name: "whoami-provider"
        attrs:
          name: "whoami-provider"
          mode: "forward_single"
          external_host: "http://whoami.localhost"
          access_token_validity: "hours=24"
          token_validity: "hours=24"
          refresh_token_validity: "days=30"
          intercept_header_auth: true
          internal_host_ssl_validation: false
          authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
          invalidation_flow: !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
      # Create the application and link it to the provider
      - model: authentik_core.application
        state: present
        identifiers:
          slug: "whoami"
        attrs:
          name: "whoami"
          slug: "whoami"
          meta_launch_url: "http://whoami.localhost"
          policy_engine_mode: "any"
          provider: !Find [authentik_providers_proxy.proxyprovider, [name, whoami-provider]]
      # Assign the application to the embedded outpost
      - model: authentik_outposts.outpost
        state: present
        identifiers:
          name: "authentik Embedded Outpost"
        attrs:
          name: "authentik Embedded Outpost"
          type: "proxy"
          providers:
            - !Find [authentik_providers_proxy.proxyprovider, [name, whoami-provider]]
```

There is room for improvement in the doc for blueprints.
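A review aid for the blueprint in the comment above, added here as an example and not part of the original post or the authentik project: it lists proxy provider settings that suit a local whoami test but deserve a second look before the blueprint is reused elsewhere. The function names and finding texts are hypothetical, and the line scanner is an assumption-level stand-in for a YAML loader, since a plain safe YAML load rejects the custom `!Find` tag unless a constructor is registered for it.

```python
import re

# Constructed sample: the provider entry from the blueprint in the post above.
SAMPLE = """\
entries:
  - model: authentik_providers_proxy.proxyprovider
    identifiers:
      name: "whoami-provider"
    attrs:
      external_host: "http://whoami.localhost"
      internal_host_ssl_validation: false
      authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
"""

# Matches 'key: value' and '- key: value'; skips list items such as '- !Find [...]'.
KEY_VALUE = re.compile(r"^\s*(?:-\s+)?([A-Za-z_]+):\s*(.*?)\s*$")


def split_entries(text):
    """Collect scalar 'key: value' pairs per entry; a new entry starts at 'model:'."""
    entries = []
    for line in text.splitlines():
        match = None if line.lstrip().startswith("#") else KEY_VALUE.match(line)
        if not match:
            continue
        key, value = match.group(1), match.group(2).strip("\"'")
        if key == "model":
            entries.append({})
        if entries and value:
            entries[-1].setdefault(key, value)  # identifiers come first and win
    return entries


def lint(text):
    """Return (provider name, finding) pairs for proxy provider entries only."""
    findings = []
    for entry in split_entries(text):
        if entry.get("model") != "authentik_providers_proxy.proxyprovider":
            continue
        name = entry.get("name", "<unnamed>")
        if entry.get("external_host", "").startswith("http://"):
            findings.append((name, "external_host is plain HTTP"))
        if entry.get("internal_host_ssl_validation") == "false":
            findings.append((name, "upstream TLS certificate validation is off"))
        if "implicit-consent" in entry.get("authorization_flow", ""):
            findings.append((name, "authorization flow uses implicit consent"))
    return findings


print(lint(SAMPLE))
```

The scanner also accepts the whole ConfigMap manifest as input, because keys outside the `entries` list are ignored until the first `model:` line.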
I'm using authentik in docker-compose and I am trying to have it automatically set up my application and provider upon startup, but I have not been successful in finding any information regarding this.
I see there are blueprints, but I'm not sure if this will work for what I want to achieve. Any information regarding this matter will be greatly appreciated.
Thanks.