events: add option to configure webhook CA

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

Author: BeryJu

authentik/events/api/notification_transports.py

@@ -63,6 +63,7 @@ class Meta:
             "mode",
             "mode_verbose",
             "webhook_url",
+            "webhook_ca",
             "webhook_mapping_body",
             "webhook_mapping_headers",
             "email_subject_prefix",

authentik/events/migrations/0017_notificationtransport_webhook_ca.py

@@ -0,0 +1,26 @@
+# Generated by Django 5.2.12 on 2026-03-10 10:40
+
+import django.db.models.deletion
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("authentik_crypto", "0006_certificatekeypair_cert_expiry_and_more"),
+        ("authentik_events", "0016_alter_event_action"),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name="notificationtransport",
+            name="webhook_ca",
+            field=models.ForeignKey(
+                default=None,
+                help_text="When set, the selected ceritifcate is used to validate the certificate of the webhook server.",
+                null=True,
+                on_delete=django.db.models.deletion.SET_DEFAULT,
+                to="authentik_crypto.certificatekeypair",
+            ),
+        ),
+    ]

authentik/events/models.py

@@ -28,6 +28,7 @@
     SESSION_KEY_IMPERSONATE_USER,
 )
 from authentik.core.models import ExpiringModel, Group, PropertyMapping, User
+from authentik.crypto.models import CertificateKeyPair
 from authentik.events.context_processors.base import get_context_processors
 from authentik.events.utils import (
     cleanse_dict,
@@ -41,6 +42,7 @@
 from authentik.lib.utils.errors import exception_to_dict
 from authentik.lib.utils.http import get_http_session
 from authentik.lib.utils.time import timedelta_from_string
+from authentik.outposts.docker_tls import DockerInlineTLS
 from authentik.policies.models import PolicyBindingModel
 from authentik.root.middleware import ClientIPMiddleware
 from authentik.root.ws.consumer import build_user_group
@@ -326,6 +328,16 @@ class NotificationTransport(TasksModel, SerializerModel):
     email_template = models.TextField(default=EmailTemplates.EVENT_NOTIFICATION)
 
     webhook_url = models.TextField(blank=True, validators=[DomainlessURLValidator()])
+    webhook_ca = models.ForeignKey(
+        CertificateKeyPair,
+        null=True,
+        default=None,
+        on_delete=models.SET_DEFAULT,
+        help_text=_(
+            "When set, the selected ceritifcate is used to "
+            "validate the certificate of the webhook server."
+        ),
+    )
     webhook_mapping_body = models.ForeignKey(
         "NotificationWebhookMapping",
         on_delete=models.SET_DEFAULT,
@@ -409,21 +421,29 @@ def send_webhook(self, notification: Notification) -> list[str]:
                     notification=notification,
                 )
             )
-        try:
-            response = get_http_session().post(
-                self.webhook_url,
-                json=default_body,
-                headers=headers,
-            )
-            response.raise_for_status()
-        except RequestException as exc:
-            raise NotificationTransportError(
-                exc.response.text if exc.response else str(exc)
-            ) from exc
-        return [
-            response.status_code,
-            response.text,
-        ]
+
+        def send(**kwargs):
+            try:
+                response = get_http_session().post(
+                    self.webhook_url,
+                    json=default_body,
+                    headers=headers,
+                    **kwargs,
+                )
+                response.raise_for_status()
+            except RequestException as exc:
+                raise NotificationTransportError(
+                    exc.response.text if exc.response else str(exc)
+                ) from exc
+            return [
+                response.status_code,
+                response.text,
+            ]
+
+        if self.webhook_ca:
+            with DockerInlineTLS(self.webhook_ca) as tls:
+                return send(verify=tls.verify)
+        return send()
 
     def send_webhook_slack(self, notification: Notification) -> list[str]:
         """Send notification to slack or slack-compatible endpoints"""

authentik/outposts/docker_tls.py

@@ -27,6 +27,12 @@ def __init__(
         self.authentication_kp = authentication_kp
         self._paths = []
 
+    def __enter__(self):
+        return self.write()
+
+    def __exit__(self, exc_type, exc, tb):
+        self.cleanup()
+
     def write_file(self, name: str, contents: str) -> str:
         """Wrapper for mkstemp that uses fdopen"""
         path = Path(gettempdir(), name)

blueprints/schema.json

@@ -8236,6 +8236,12 @@
                     "type": "string",
                     "title": "Webhook url"
                 },
+                "webhook_ca": {
+                    "type": "string",
+                    "format": "uuid",
+                    "title": "Webhook ca",
+                    "description": "When set, the selected ceritifcate is used to validate the certificate of the webhook server."
+                },
                 "webhook_mapping_body": {
                     "type": "string",
                     "format": "uuid",

schema.yml

@@ -43552,6 +43552,12 @@ components:
         webhook_url:
           type: string
           format: uri
+        webhook_ca:
+          type: string
+          format: uuid
+          nullable: true
+          description: When set, the selected ceritifcate is used to validate the
+            certificate of the webhook server.
         webhook_mapping_body:
           type: string
           format: uuid
@@ -43595,6 +43601,12 @@ components:
         webhook_url:
           type: string
           format: uri
+        webhook_ca:
+          type: string
+          format: uuid
+          nullable: true
+          description: When set, the selected ceritifcate is used to validate the
+            certificate of the webhook server.
         webhook_mapping_body:
           type: string
           format: uuid
@@ -49297,6 +49309,12 @@ components:
         webhook_url:
           type: string
           format: uri
+        webhook_ca:
+          type: string
+          format: uuid
+          nullable: true
+          description: When set, the selected ceritifcate is used to validate the
+            certificate of the webhook server.
         webhook_mapping_body:
           type: string
           format: uuid

web/src/admin/events/TransportForm.ts

@@ -3,6 +3,7 @@ import "#components/ak-switch-input";
 import "#elements/forms/HorizontalFormElement";
 import "#elements/forms/Radio";
 import "#elements/forms/SearchSelect/index";
+import "#admin/common/ak-crypto-certificate-search";
 
 import { DEFAULT_CONFIG } from "#common/api/config";
 
@@ -142,6 +143,20 @@ export class TransportForm extends ModelForm<NotificationTransport, string> {
                 ?required=${this.showWebhook}
             >
             </ak-hidden-text-input>
+            <ak-form-element-horizontal
+                ?hidden=${!this.showWebhook}
+                label=${msg("Webhook Certificate Authority")}
+                name="webhookCa"
+            >
+                <ak-crypto-certificate-search
+                    .certificate=${this.instance?.webhookCa}
+                ></ak-crypto-certificate-search>
+                <p class="pf-c-form__helper-text">
+                    ${msg(
+                        "Keypair used to validate the certificate of the webhook endpoint. When not configured, the standard CA bundle is used.",
+                    )}
+                </p>
+            </ak-form-element-horizontal>
             <ak-form-element-horizontal
                 ?hidden=${!this.showWebhook}
                 label=${msg("Webhook Body Mapping")}