New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
HTTP Basic Auth not working as expected for nginx-ingress / kubernetes #1353
Comments
Hello. I just grepped through the code and did not found any occurence of "WWW-Authenticate" which is a central part in http basic authentication (https://en.wikipedia.org/wiki/Basic_access_authentication). It looks like the advertised feature "Support of basic authentication for endpoints protected by single factor." it not implemented yet... |
We support 1FA via the header
Example for username bob, password foo:
(where Ym9iOmZvbw== is the base64 of |
@james-d-elliott thank you for clarify that. But thats not a complete solution in my case. I can´t change the behaviour of a third party component. This component support HTTP Basic Auth compareable with I don´t see any element in the chain third-party-client -> Nginx-Ingress -> Protected Backend which can add the relevant header information to match the requirments of authelia. Would it possible to support Basic Auth also in this style with authelia? Unfortunately i can´t support it with an PR - i am not a developer, |
I will have to think about an elegant solution. The main issue is supporting HTTP Basic Auth would be easy, other than the fact it would show regular users the browser auth popup dialogue if they were not authenticated rather than the pretty GUI. I can do some testing to see if I can detect the fact the client is offering auth when we do the curl though, if we can we can do this. We also allow rules to apply to single hosts, which depending on what this third party client is used for may work for you (i.e. daemon/service that queries a website). Additionally some services our users have used utilize an API with an API key, Usually served at domain.tld/api/ which can be bypassed since it's secured via API key (since I don't know what client/service I'm just trying to generate ideas to solve your particular case). Also if the third party client supports customizing the curl request all you should need to add is |
How about creating a new verify endpoint that is dedicated to basic auth (or alternatively a parameter on the existing endpoint like /api/verify?auth=basic)? That one would send a www-authenticate header and accept a Authorization header as answer. |
Just to add context, the reason we choose to allow basic auth against Authelia with the |
@nightah Thank you for clarification. I think, that's a very valid use case but another one than "simple" basic auth. |
@nightah Could that be set as an option in the policies? Most of the time, if we use Authelia for authentication/authorization it is because the web resource itself is not protected. You currently drive the global behaviour of Authelia, using Proxy-Authorization, around a minority use case. Most of the time we don't want the user to be aware that there is a proxy and that the authentication has to be handled in a different way. |
@Scapal there's obviously a couple different ways this could be addressed. This specific issue is limited to a Kubernetes deployment with nginx ingress because of the limitations of said instance of nginx. At a glance @micw's suggestion seems to be a reasonable one, adding either another endpoint or a parameter on the existing. I've got another bug with MSAD that I need to resolve as a priority and not too much spare time available to me at the moment. If anybody wants to pick this up contributions are definitely welcome! |
I'd like to help move this forward. I don't use k8s, but a client where I can only configure username and password. This client doesn't try to authenticate using basic auth unless it gets a What I'd love to be able to do is specify "basic" as a policy so that Authelia responds with |
@ThinkChaos my preference would probably be to go down the path of a query param on @james-d-elliott any preference from your perspective? |
Adding a param sounds like a bad idea to me because it requires clients to correctly parse out the param, and add it back when they add new segments to the base URL. The client I use fails this, and I think it's a pretty common bug. I think having a different endpoint is also less elegant than a policy: it requires configuring the reverse proxy to use the correct endpoint depending on the situation which can get complex very quickly. I see this as pushing some auth logic to the reverse-proxy instead of keeping it in authelia. Here are the advantages of the policy solution as I see it:
Being able to use rules would also easily solve the "should authelia present basic auth or pretty HTML" problem: users in the bot group get basic, the rest gets standard. |
@ThinkChaos we're still discussing this a little further within the team to determine the agreed way forward. At the moment we are leaning towards a global switch which changes the Having said that, with the limited information available regarding your use case I don't particularly think you fall in the same category as the users that have lodged this issue. Could you not solve your problem as it stands by bypassing authentication from that specific client that you describe? |
(sorry for the delay I thought I had already replied) I'm not sure I understand what you mean by "bypassing authentication from that specific client". Thinking about this some more I noticed my policy idea wouldn't actually be a solution for me: as the client doesn't preemptively authenticate, Authelia wouldn't be able to tell what user/group the request belongs to, and thus would be forced to use basic auth for all un-authenticated connections. If you go ahead with the |
@ThinkChaos what I mean is specifying a bypass rule for the IP address of your client, if it's a static IP or VPN subnet then this should be simple if the client has a dynamic IP this obviously won't work all that well. We're going to go down the path of providing a switch to make Authelia expect basic auth details in the You're welcome to contribute the change to provide basic auth with a query parameter. |
When `/api/verify` is called with `?auth=basic`, use the standard Authorization header instead of ProxyAuthorization.
When `/api/verify` is called with `?auth=basic`, use the standard Authorization header instead of Proxy-Authorization.
Yep I can't count on a static IP so that solution is not an option for me. I just created PR #1563 with the minor changes required for the |
When `/api/verify` is called with `?auth=basic`, use the standard Authorization header instead of Proxy-Authorization.
When `/api/verify` is called with `?auth=basic`, use the standard Authorization header instead of Proxy-Authorization.
When `/api/verify` is called with `?auth=basic`, use the standard Authorization header instead of Proxy-Authorization.
When `/api/verify` is called with `?auth=basic`, use the standard Authorization header instead of Proxy-Authorization.
When `/api/verify` is called with `?auth=basic`, use the standard Authorization header instead of Proxy-Authorization.
So upon doing some research for the helm chart into nginx ingress (I use traefik ingress for k8s), there is a actually a fairly undocumented method to configure the ingress that could theoretically provide a solution: nginxinc/kubernetes-ingress#873 (specifically that you can add completely custom directives to nginx using this method) |
When `/api/verify` is called with `?auth=basic`, use the standard Authorization header instead of Proxy-Authorization.
…erify (#1563) * [FEATURE] Add auth query param to /api/verify (#1353) When `/api/verify` is called with `?auth=basic`, use the standard Authorization header instead of Proxy-Authorization. * [FIX] Better basic auth error reporting * [FIX] Return 401 when using basic auth instead of redirecting * [TESTS] Add tests for auth=basic query param * [DOCS] Mention auth=basic argument and provide nginx example * docs: add/adjust basic auth query arg docs for proxies Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
@nightah could you please fix the typo in this issue's title to make sure this is easily discoverable via a search? :) |
@ThinkChaos done. |
Authelia is used inside kubernetes to protecd some services used by endusers with browser. Its working nice.
Additional some technical services has to be protected. At this time these are protected by http basic auth. Ingress looks like
https://kubernetes.github.io/ingress-nginx/examples/auth/basic/
Watch at curl resonse:
WWW-Authenticate: Basic realm="Authentication Required - foo"
Now I want to replace this with an authelia basic auth protection like
https://kubernetes.github.io/ingress-nginx/examples/auth/external-auth/
My curl response does not contain WWW-Authenticate so that the browser never shows up the login popup.
Second step is more technial and i may not understand it completley.
If i authorize mysqlf with
curl https://domain.tld" -u "user:pass"
the information abaout the user does not show up in authelia logs.
At this point i would like to see an example how to paramterize nginx-ingress to put the basic auth credentials into the right header and format.
The text was updated successfully, but these errors were encountered: