New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add http header auth #457
Add http header auth #457
Conversation
Thanks for the PR, I think this is an useful feature and a clever way to offload authentication to a reverse proxy or middleware. It would be good to have test cases that exercise the code in
^ I'd prefer the code to complain loudly here – print a message saying |
Added the warning as requested. Tests for the custom header backend is also a good idea, I'll get to that this weekend probably. The most important test will be to make sure it doesn't accept logins when it's supposed to be disabled. |
And there we go :) |
Thanks, looking into this now! It takes a bit of time to wrap the head around how all the pieces fit together. First a small observation: "ID" matches the user by username, "EMAIL" matches by email. For the sake of consistency, I'd rename "ID" to "USERNAME". There's an id column in the Next, it took me a bit of time to understand how
For your use case, are you planning to authenticate by username or by email? If it's by email, perhaps we can start off with supporting just the 'EMAIL' mode? In
|
Yep, my use case uses the email mode. I mostly included the ID mode because it was the behavior my initial attempt (using the default backend) produced and I figured I may as well preserve access to it. I can see how not having an email available might be a problem, but I’m not sure the best way to handle it. The best I can come up with would be to allow the admin to specify either a shell command or a Python snippet to execute to retrieve the email from the ID. An example use case might be if the ID header is an LDAP UID, to run |
Rather than looking up emails in an external system, I'd rather relax the "everyone has an unique email address" assumption. Instead, treat But I don't want to do that right now – ;et's start with the 'EMAIL' mode only, and look into adding a I can take your PR, edit the 'ID' mode out it and merge – is that OK with you? |
Add extra header type sanity check to the backend
- remove the 'ID' mode - add CustomHeaderBackend to AUTHENTICATION_BACKENDS conditionally - rewrite CustomHeaderBackend and CustomHeaderMiddleware to use less inherited code - add more test cases
Works for me :) |
@Phyxius Sorry to bring this up here but I couldn't find a more suitable place. I can't get the authentication to work, the doc is quite unclear regarding the setup:
I know my setup with treafik works and the |
@mumrau Let's assume Traefik adds a header: In Healthchecks, you would set With that in place, if you visit the site you should then get automatically logged in as alice@example.org. As mentioned in the docs, make sure clients cannot pass Custom-Header themselves. If they can, they can impersonate any user. |
hi @cuu508 I am setting the header like this |
Similar issue here. I use Authentik with Traefik. So my header should be REMOTE_USER_HEADER="HTTP_X_AUTHENTIK_EMAIL", but that doesn't work. I'm not getting logged in either. Did you managed to solve this? I also use the same setup on HomeAssistant with header authentication. So i know the header gets propagated. Also tried it with static custom traefik headers. |
As an experiment, I just started the development server like so:
And I then made a curl call like so:
I got back a HTML response of the logged in page listing user's projects. So that seemed to work. @dharmendrakariya, @axelcypher you could try the same experiment: make a curl call directly to the healthchecks instance, bypassing Traefik, and passing in the X-Authentik-Email header manually, and see what you get back. This will tell you if Traefik is not passing the header, or if Healthchecks is not handling it as expected. |
I am sorry but I am out of this, been a year and honestly I don't remember what I was trying to achieve. |
@dharmendrakariya sorry – didn't realize your comment is 1 year old when I tagged you! |
@cuu508 I confirm, its working as you said. |
Thanks for the fast reply. I should mention that i use the docker image. Tried to test it with curl, but same result. I'm not getting logged in... could that have something to do with the docker version? |
I confirm @cuu508 , it works behind proxy(Traefik) as well. You can try the same. just FYI I am adding my traefik values
Let me know if you want my |
### EDIT: |
I wanted to self-host healthchecks and integrate it with my central authentication system (see #185), so rather than develop something specific to my needs, I added support for HTTP header-based authentication. This way, people can integrate whatever auth system they want (LDAP, mTLS, SAML, OAuth, whatever) at the reverse proxy level and remove the need for healthchecks to care about the implementation details.
I added two new settings (with corresponding environment variables):
REMOTE_USER_HEADER
— set this to the header you wish to authenticate with. HTTP headers will be prefixed withHTTP_
and have any dashes converted to underscores. Headers without that prefix can be set by the WSGI server itself only, which is more secure.REMOTE_USER_HEADER_TYPE
— If set toEMAIL
, the specified header will be treated as the user's email. If set toID
, the specified header will be set to the user's UUID. Any other value (including empty, the default) disables header-based authentication.