Allowing Custom SSO Auth Header #468

Closed
dohsimpson opened this issue Mar 8, 2024 · 2 comments · Fixed by #472

Comments

@dohsimpson

Amazing project! I'm very thrilled to be trying out the new SSO Auth Header feature.

I noticed a small hiccup when integrating with Authelia:

Authelia uses Remote-User and Remote-Email instead of X-Email as the auth headers returned to the reverse proxy: https://www.authelia.com/integration/trusted-header-sso/introduction/#response-headers

This means that the SSO won't work out of the box with Authelia.

Adding a new env parameter for header name would provide this flexibility.

@BobDu
Member

BobDu commented Mar 9, 2024

Thank you for your feedback. In fact, using the following configuration should work properly.

```nginx
## Send a subrequest to Authelia to verify if the user is authenticated and has permission to access the resource.
auth_request /authelia;

## Set the $target_url variable based on the original request.

## Comment this line if you're using nginx without the http_set_misc module.
set_escape_uri $target_url $scheme://$http_host$request_uri;

## Uncomment this line if you're using NGINX without the http_set_misc module.
# set $target_url $scheme://$http_host$request_uri;

## Save the upstream response headers from Authelia to variables.
auth_request_set $email $upstream_http_remote_email;

## Inject the response headers from the variables into the request made to the backend.
proxy_set_header X-Email $email;

## If the subrequest returns 200 pass to the backend, if the subrequest returns 401 redirect to the portal.
error_page 401 =302 https://auth.example.com/?rd=$target_url;
```

Different from the examples in Authelia's documentation, it uses `proxy_set_header X-Email $email;` instead of `proxy_set_header Remote-Email $email;`.

https://www.authelia.com/integration/proxies/nginx/#authelia-authrequestconf

@dohsimpson
Author

This would be an elegant solution for Nginx reverse proxy users, thanks for sharing!

My use case is a bit different: I'm using Kubernetes + nginx ingress controller, which has a more convoluted syntax and less documentation on this topic.

In case it helps someone, here's how to configure nginx ingress annotations to pass X-Email in addition to Remote-Email:

```yaml
nginx.ingress.kubernetes.io/auth-response-headers: Remote-User,Remote-Name,Remote-Groups,Remote-Email
nginx.ingress.kubernetes.io/auth-snippet: |
  proxy_set_header X-Forwarded-Method $request_method;
nginx.ingress.kubernetes.io/configuration-snippet: |
  auth_request_set $email $upstream_http_remote_email;
  proxy_set_header X-Email $email;
```

@BobDu would you consider accepting a PR to make the auth header configurable? I feel that this could be beneficial for people with different proxy setups.
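
A sketch of the backend side of the request in this thread, added here as an illustration and not taken from the project or from #472: it reads the trusted header name from a hypothetical `AUTH_HEADER_NAME` environment parameter (default `X-Email`) and fails closed on missing or repeated values. The function names and the sample header objects are assumptions, and the value is only trustworthy when the app is reachable solely through a proxy that overwrites this header, as `proxy_set_header` does in the configurations above.

```javascript
// Added example, not the project's code. AUTH_HEADER_NAME is a hypothetical
// env parameter; headerNameFromEnv and resolveUser are illustrative names.

// RFC 7230 "token" grammar: the only characters valid in a header field name.
const TOKEN = /^[!#$%&'*+.^_`|~0-9A-Za-z-]+$/;

// Resolve which request header carries the identity set by the reverse proxy.
function headerNameFromEnv(env) {
  const name = (env.AUTH_HEADER_NAME || 'X-Email').trim();
  if (!TOKEN.test(name)) {
    throw new Error(`invalid auth header name: ${JSON.stringify(name)}`);
  }
  // Header names are case-insensitive; Node exposes them lower-cased.
  return name.toLowerCase();
}

// headers: an object shaped like Node's http.IncomingMessage#headers.
// Returns the authenticated identity, or null when the request carries none.
function resolveUser(headers, headerName) {
  const raw = headers[headerName];
  // Absent header (or a non-string value): the proxy did not authenticate.
  if (typeof raw !== 'string') return null;
  // Node joins repeated custom headers with ", ". More than one value means
  // the proxy did not overwrite the header, so fail closed.
  if (raw.includes(',')) return null;
  const value = raw.trim();
  return value === '' ? null : value;
}

// Constructed sample requests: what the backend sees behind each setup.
const viaAutheliaDefaults = {
  'remote-user': 'john',
  'remote-email': 'john@example.com',
};
const viaMappedHeader = { 'x-email': 'john@example.com' };

function demo() {
  const name = headerNameFromEnv({ AUTH_HEADER_NAME: 'Remote-Email' });
  return {
    autheliaDefaults: resolveUser(viaAutheliaDefaults, name),
    mappedHeader: resolveUser(viaMappedHeader, headerNameFromEnv({})),
  };
}
```
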
