add endpoint: use "Authorization"-header with HTML login page #2753
Comments
What is the application causing you troubles which is using Proxy-Authorization with no option to use Authorization instead?

I have a few services which rely on Authorization. It would be possible to switch them, but it seemed more convenient to do this server-side, which was quite easy with Nginx as the proxy. While switching to Traefik I didn't find a built-in way to do this on the reverse proxy (while it is possible to change some headers, renaming a header is not possible without plugins). BUT: I found an easy workaround to this problem:

```yaml
- traefik.http.middlewares.authelia.forwardauth.address=http://authelia:9091/api/verify?rd=https://login.example.com/
- traefik.http.middlewares.authelia.forwardauth.trustForwardHeader=true
- traefik.http.middlewares.authelia.forwardauth.authResponseHeaders=Remote-User, Remote-Groups, Remote-Name, Remote-Email
- traefik.http.middlewares.authelia-basic.forwardauth.address=http://authelia:9091/api/verify?auth=basic
- traefik.http.middlewares.authelia-basic.forwardauth.trustForwardHeader=true
- traefik.http.middlewares.authelia-basic.forwardauth.authResponseHeaders=Remote-User, Remote-Groups, Remote-Name, Remote-Email
```

On the endpoint which needs to use the "Authorization"-header without the basic-auth login prompt, two routers need to be set:

If a Should I open a PR to add this to the docs? My request for the extra endpoint seems obsolete now.

This will probably be implemented by PR4296
Feature Request

Description

Currently there are two ways to login with headers:

- `Proxy-Authorization` header with default endpoint `/api/verify`
- `Authorization` header with endpoint `/api/verify?auth=basic`. But this sends `WWW-authenticate` when the login header is missing, triggering the basic auth login dialog.

I suggest a third endpoint (e.g. `/api/verify?auth=both`), which checks both for the `Proxy-Authorization` and `Authorization` header, and forwards to the HTML login page if none is found.

This is achievable with minimal code change, see PR #2754.

Use Case

Some apps need to be accessed by both human users (who want the HTML login page), and programs which have native support for basic authentication.

In some reverse proxies this is not needed (e.g. nginx with `proxy_set_header Proxy-Authorization $http_authorization;`), but some (e.g. Traefik) don't support renaming a header.
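
The three verification modes compared in this issue, modelled as an added Go example (not Authelia's code and not part of the thread). Assumptions: the names `verify`, `parseBasic`, `basic` and `demoValid`, the 302/401 status codes, the constructed credentials and realm, and the choice to answer 401 without a redirect when credentials are present but wrong.

```go
package main

import (
	"encoding/base64"
	"fmt"
	"net/http"
	"strings"
)

const loginURL = "https://login.example.com/" // portal URL from the rd= parameter above

// parseBasic decodes a "Basic <base64(user:pass)>" value; ok is false otherwise.
func parseBasic(v string) (string, string, bool) {
	scheme, b64, _ := strings.Cut(v, " ")
	raw, err := base64.StdEncoding.DecodeString(b64)
	if !strings.EqualFold(scheme, "Basic") || err != nil {
		return "", "", false
	}
	return strings.Cut(string(raw), ":")
}

// Constructed inputs: a stand-in for the user backend and a header-value builder.
func demoValid(u, p string) bool { return u == "svc" && p == "constructed-secret" }
func basic(u, p string) string  { return "Basic " + base64.StdEncoding.EncodeToString([]byte(u+":"+p)) }

// verify returns the status and response header for one request in the given mode.
func verify(mode, proxyAuth, auth string) (int, string, string) {
	offered := proxyAuth // default /api/verify reads Proxy-Authorization only
	if mode == "basic" || (mode == "both" && offered == "") {
		offered = auth // "both" is the proposed mode: fall back to Authorization
	}
	if u, p, ok := parseBasic(offered); ok && demoValid(u, p) {
		return http.StatusOK, "Remote-User", u
	}
	switch {
	case offered != "": // assumption: present but wrong fails closed, no redirect
		return http.StatusUnauthorized, "", ""
	case mode == "basic": // nothing sent: challenge that opens the browser dialog
		return http.StatusUnauthorized, "WWW-Authenticate", `Basic realm="constructed"`
	}
	return http.StatusFound, "Location", loginURL // nothing sent: HTML login page
}

func main() {
	for _, m := range []string{"", "basic", "both"} {
		s, k, _ := verify(m, "", "")
		fmt.Printf("mode=%q, no credentials: %d %s\n", m, s, k)
	}
}
```

Only the `both` mode gives a client sending `Authorization` a 200 while still sending a browser without credentials to the login page.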