-
-
Notifications
You must be signed in to change notification settings - Fork 1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Unable to use bypass policy with basic authentication #3716
Comments
Thanks for filing the issue. Looking at the code we can confirm the scenario you suggested, so this is indeed a bug. We'll refactor this to fix the issue and ensure that we have appropriate integration tests for this scenario. |
Thank you very much for your response. |
I stumbled upon this behavior also and my use case is pretty much identical to the one described in the first post. So a fix would be awesome, thanks alot in advance! |
As this issue is closed, I assume the issue is supposed to be fixed, right? I tested with latest master but it still happens for me. I just played around with a very simple config that basically should always bypass:
When I access a domain using basic auth then I still need to login. I would have expected Authelia would just pass me through. The log:
...
|
@WiiPlayer2 |
It's fixed with the new authz endpoints. |
Just wanted to drop a quick add to this (I'm not sure if this is expected behavior), if I have two domains listed separately, as in:
Everything works as expected. If, however, I attempt to "compact" these rules into a domain_regex, it gives the following in the logs:
Is that expected behavior? I have no issue listing them separately (as I have running currently) but I thought I'd mention that domain_regex breaks the bypass rules unexpectedly (for me, at least). |
This is unrelated to the original issue, I'd suggest opening a discussion and include your full ACL's as with most functionality within authelia this is tested and unlikely to be a bug. |
Ahh, while gathering data to open a discussion, I stumbled upon the cause. Order matter, friends. I had a match higher up the chain that was interfering, so when I moved these rules to the top (domain or domain_regex...didn't matter), everything worked as expected. Sorry for the noise! |
Figured it'd be that or a problem with the regex. Glad you sorted it. No worries. For reference this discusses this issue in detail: https://www.authelia.com/configuration/security/access-control/#rule-matching-concept-1-sequential-order |
Bug Report
Description
I have a service for which I need basic authentication when accessed from outside my cluster but when inside my cluster the authentication should be bypassed. Using "normal" authentication everything works as intended but then the service is unusable from the outside because the
Authorization
header is not used. Using basic authentication I can authenticate myself from outside the cluster but requests inside it get anUnauthorized
as response.If it's relevant: I'm using traefik, authelia and whoami inside a kubernetes cluster + an external ldap backend.
Note: I probably already saw the relevant method(s) in handler_verify.go#399 but I'm not proficient in go (yet).
Expected Behaviour
Authelia authorizes requests inside the cluster but not outside it.
Reproduction Steps
N/A
Additional Information
access_control section:
It might be (almost) enough to move the
isTargetURLAuthorized
call above the error check or handle a missingAuthorization
header as an anonymous user like when using a session cookie.The text was updated successfully, but these errors were encountered: