New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add an "is in group" verification endpoint #84
Comments
Oh, btw, the way Traefik does authentication from version 1.4 (unsupported before 1.4) is that if it is a 2XX error code, it continues, otherwise it returns the authentication server's response, so to get Traefik working with Authelia, an nginx proxy layer has to be running which converts 401 responses to 302 forwards. |
Hello @SerialVelocity, I don't get exactly what you are trying to solve here. Is it the fact that the nginx block is not automatically generated for you or any issue while authenticating some user by his/her group? Btw, Authelia is not meant to be bound to any reverse proxy so it is expected that Authelia's container does not generate the proxy block for nginx in particular and that you should convert the response in each specific proxy (be it nginx, Traefik or any other). |
Can you please clarify the title and/or split the ticket for treating the issues separately? |
So, it would be nice to have an endpoint like Main use-case: Without Authelia, all of my routing config lives in the service configuration. For instance, to add things to my NGINX front-door, I add Hope this makes it clearer. You can ignore the second post, I already created a ticket about that :) |
Hello @SerialVelocity, I agree that defining specific endpoints for that matter would allow you to handle the access control at the level of the proxy but unfortunately it does not prevent you to change Authelia's config anyway since Authelia needs at least the global domain to create correct session cookies. Isn't it a problem for you? |
Things like the global domain are unlikely to change and therefore are fine to set in config. Variables like that are usually thought about as constants. Containers change more often. The main use-case is to centralise the subdomain configuration so when adding a new subdomain you don't need to change NGINX, DNS, auth, etc. Another way of putting this is, things you define once for Authelia (like global domain) as fine. Things that you define once per subdomain/path are the issue. An alternative way of doing this, is to add support for backends. For instance, traefik supports many backends ranging from file to Kubernetes or Rancher. That is a huge investment though so probably not worth it. |
I see your point. I will implement a new endpoint where one could combine parameters 'users' and 'groups' in the query. With nginx, it would give you the same level of granularity for access control as the new embedded per-resource mechanism I merged yesterday (not true for Traefik since the forwarded auth request is a global config applying to all the frontends). So I guess after the new endpoint is implemented, one could go one way or the other simply depending on the use case. |
was this ever implemented? oauth2_proxy deals with that in a very nice way - you just append ?allowed_groups=admin to /auth endpoint, basically the same as OP said |
I am also looking for exactly this and am actually considering switching to a different solution if it doesn't exist. |
The OP's feature request wasn't no. If some additional context is given that would help identify the feature expected, I'd be willing to spend some time getting something like this to work. Additionally there have been multiple ideas discussed here. The specific concern I have is how should a request like this actually be authorized, is it based on only the criteria of the endpoint itself? Or is it expected the ACL also be taken into account? I feel like there is a lot of room here for misconfiguration and misunderstandings. If you'd like you can reply here or chat on our matrix server/discord server if that's easier. The most logical approach I can see without making it hard to maintain is:
|
Hey,
It would be great if it was possible to verify whether a user was in a group (similar to your /verify endpoint but for groups instead of users).
Use-case
When using software such as rancher/traefik/docker-gen, you try and keep all configuration for that service together.
For instance, you add a label to your docker container for traefik like:
and that will expose your application on the host
test.traefik.io
.Custom labels can be used by docker-gen (and soon traefik will do something similar) to generate blocks to insert into their nginx configuration. One example of this would be adding a label such as
virtual.auth.group: admin
would generate a block to add to nginx such as:and this would make it so only people in the admin group can access the secured endpoints.
Cheers,
Ben
The text was updated successfully, but these errors were encountered: