add endpoint: use "Authorization"-header with HTML login page #2753

Closed
Simske opened this issue Dec 29, 2021 · 3 comments · Fixed by #4296
Labels
area/security Security related issues priority/4/normal Normal priority items type/feature Request for adding a new feature

Comments

Simske commented Dec 29, 2021

Feature Request

Description

Currently there are two ways to log in with headers:

  • using Proxy-Authorization header with default endpoint /api/verify
  • using Authorization header with endpoint /api/verify?auth=basic.
    But this sends WWW-Authenticate when the login header is missing, triggering the basic auth login dialog.

I suggest a third endpoint (e.g. /api/verify?auth=both), which checks both for the Proxy-Authorization and Authorization header, and forwards to the HTML login page if none is found.

This is achievable with minimal code change, see PR #2754.

Use Case

Some apps need to be accessed by both human users (who want the HTML login page), and programs which have native support for basic authentication.

In some reverse proxies this is not needed (e.g. nginx with proxy_set_header Proxy-Authorization $http_authorization;), but some (e.g. Traefik) don't support renaming a header.

@Simske Simske added the type/feature Request for adding a new feature label Dec 29, 2021
@clems4ever
Member

What is the application causing you troubles which is using Proxy-Authorization with no option to use Authorization instead?

@clems4ever clems4ever added the priority/4/normal Normal priority items label Jan 4, 2022
@Simske
Author

Simske commented Jan 4, 2022

> What is the application causing you troubles which is using Proxy-Authorization with no option to use Authorization instead?

I have a few services which rely on Authorization. It would be possible to switch them, but it seemed more convenient to do this server-side, which was quite easy with Nginx as the proxy. While switching to Traefik I didn't find a built-in way to do this on the reverse proxy (while it is possible to change some headers, renaming a header is not possible without plugins).

BUT: I found an easy workaround to this problem:
Assuming there are both a normal and a basic auth middleware defined:

- traefik.http.middlewares.authelia.forwardauth.address=http://authelia:9091/api/verify?rd=https://login.example.com/
- traefik.http.middlewares.authelia.forwardauth.trustForwardHeader=true
- traefik.http.middlewares.authelia.forwardauth.authResponseHeaders=Remote-User, Remote-Groups, Remote-Name, Remote-Email
- traefik.http.middlewares.authelia-basic.forwardauth.address=http://authelia:9091/api/verify?auth=basic
- traefik.http.middlewares.authelia-basic.forwardauth.trustForwardHeader=true
- traefik.http.middlewares.authelia-basic.forwardauth.authResponseHeaders=Remote-User, Remote-Groups, Remote-Name, Remote-Email

On the endpoint which needs to use the "Authorization"-header without the basic-auth login prompt, two routers need to be set:

labels:
  - traefik.http.routers.service.rule=Host(`service.example.com`)
  - traefik.http.routers.service.middlewares=authelia@docker
  - traefik.http.routers.service_basic.rule=Host(`service.example.com`) && HeadersRegexp(`Authorization`, `Basic .*`)
  - traefik.http.routers.service_basic.middlewares=authelia-basic@docker

If an Authorization header is present in a request, the service_basic router will be used and the authentication will be performed by the basic-auth endpoint, while any request without it will use the normal Authelia endpoint.

Should I open a PR to add this to the docs? My request for the extra endpoint seems obsolete now.
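
A small model of the two-router workaround described in the comment above, added here as an example (not code from the thread, Authelia or Traefik): it shows which router and auth endpoint a request lands on depending on its Authorization header. It assumes Traefik's default longest-rule priority and unanchored header regexp matching; the user store, realm and status codes are simplified, constructed stand-ins for the real services.

```python
import base64
import hmac
import re

# Constructed values: a stand-in user store and the portal URL from the labels.
USERS = {"svc-backup": "constructed-password"}
PORTAL = "https://login.example.com/"

# (router, rule text as in the labels, matcher, middleware)
ROUTERS = [
    ("service", "Host(`service.example.com`)", lambda h: True, "authelia"),
    ("service_basic",
     "Host(`service.example.com`) && HeadersRegexp(`Authorization`, `Basic .*`)",
     # Assumption: the header regexp is matched unanchored.
     lambda h: re.search(r"Basic .*", h.get("Authorization", "")) is not None,
     "authelia-basic"),
]


def pick_router(headers):
    """Among matching routers, the longest rule wins (assumed default priority)."""
    matches = [r for r in ROUTERS if r[2](headers)]
    return max(matches, key=lambda r: len(r[1]))


def basic_credentials_ok(value):
    """Decode an 'Authorization: Basic ...' value and check it against USERS."""
    try:
        raw = base64.b64decode(value.split(" ", 1)[1], validate=True)
        user, _, password = raw.decode().partition(":")
    except (IndexError, ValueError):  # missing, non-base64 or non-UTF-8 payload
        return False
    expected = USERS.get(user)
    return expected is not None and hmac.compare_digest(
        expected.encode(), password.encode())


def handle(headers):
    """Model the auth decision for a request to service.example.com without a session."""
    name, _, _, middleware = pick_router(headers)
    if middleware == "authelia":
        # Portal flow: the Authorization header is not consulted here.
        return name, 302, {"Location": PORTAL}
    if basic_credentials_ok(headers["Authorization"]):
        return name, 200, {}
    # Constructed realm; this header is what makes a browser show the dialog.
    return name, 401, {"WWW-Authenticate": 'Basic realm="constructed"'}
```

In this model a request carrying a wrong or malformed Basic header still gets the 401 with WWW-Authenticate, and a Bearer header falls through to the portal redirect.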

@james-d-elliott
Member

This will probably be implemented by PR #4296

james-d-elliott added a commit that referenced this issue Jan 25, 2023
This allows users to customize the authz endpoints.

Closes #2753, Fixes #3716

Co-authored-by: Amir Zarrinkafsh <nightah@me.com>