Feature: authentication via HTTP_REMOTE_USER #260
Conversation
https://docs.djangoproject.com/en/3.1/howto/auth-remote-user/ I think this is it? Better to use built-in stuff than making that yourself.
Yea sorry I saw that and used it as reference (actually more this one: https://www.django-rest-framework.org/api-guide/authentication/ ) but at least for Authelia it’s One thought that occurs to me now is I can change this class to allow for both if you’d prefer that.
https://docs.djangoproject.com/en/3.1/howto/auth-remote-user/#configuration, see
I haven't tested that, but the documentation reads as if this should be possible. You will also need to configure auth for both the django app as well as the rest framework, but apparently
Aha thanks for explaining, I didn't quite realize authentication needs to be set up for both. I changed this to use I think this should be good, please let me know if you have any more thoughts, and thanks!
Works. I tried to get authelia running to see this in action, but decided to just set the HTTP_REMOTE_USER env variable for testing. What are the chances that users need the environment variable to actually be What about logout, how is that handled with authelia?
Yea there are other SSO applications that do use Logout is done via Authelia at the same URL you set up to login, e.g. login.example.com
@shamoon @jonaswinkler I just want to say thanks very much for doing this, forward auth is absolutely something that I wanted. However I'm having trouble getting it working. I have Forward auth working with grafana using Remote-User, but can't seem to get it working simultaneously with paperless. Does this have to do with the fact that Grafana uses Remote-User? grafana.ini
Traefik middlewares.yaml
Do I need to create a new forwardauth middleware with
How can I get Remote-User and HTTP_REMOTE_USER working side by side? There's no documentation on it, so if I can get it working I'll add the instructions to the documentation.
No, I have it set up basically the same way and it's working. You set the
I have no Idea about these things. #677 Will allow customizing the name of the header which paperless will look for if
Yeah I have it set to true, I'll keep futzing about with it. Shamoon, could you share your config files where relevant? So I can make sure I'm not messing something up?
Hmm, yea my guess would be somewhere in your authelia/traefik config? Just tested again to make sure I'm not crazy 🤪 and it's working for me, but yea this stuff is kind of opaque. I use labels not configs but here's the only relevant stuff, I think:
So looks like the X-Authenticated-User was part of the problem. I can get past the normal login page, but when I then click "Documents" I get prompted for basicAuth. Will keep trying. Edit: There's also some weird behavior around my admin account. Authelia is backed by LDAP for me, but I don't have an admin user. If I login to the admin page with my admin user (paperless only), it keeps kicking me out and I can't complete any actions. I need to have matching users in paperless right? Edit2: It looks like if I pass auth from a user in Authelia that doesn't exist in paperless, paperless will auto create the user but with no password (so can't login). Still running into the basic auth issue. Any ideas?
I've been trying to configure Paperless with Authelia, the user part works just fine. However I have an issue accessing the admin part of the site, as it seems there is no way to assign an admin role to an account obtained from SSO. I have configured Authelia to bypass /admin/* and /static/admin/*, and if I'm not logged in in SSO it works, I can log on to the admin site with the local admin account. However, if I'm logged in to SSO, this won't work, because SSO still adds headers and the Remote-User header takes precedence and I can no longer login with the local admin account. What option do we have to make this work? Ideally Paperless should also respect the Remote-Groups header, and map it into local groups. Or ignore the Remote-User header for the admin part of the site? I'll try to remove SSO headers but it will be non-intuitive. Regards
@p-v-a If you create the user in paperless can't you assign the admin role?
Hi Shamoon, It works, though it's inconvenient, it's a chicken-and-egg problem. If I configure Authelia, I can no longer login into the admin part, or with local credentials. So I have to configure Authelia, login once, disable Authelia, login with local credentials, add the Admin role to the user, re-enable Authelia. I know it's a one-off task, but still. It would be nice if I could assign a group or role based on Remote-Groups. For now I created conditional forwarding via Authelia, but it's really ugly. I have to configure two ingresses so I can bypass Authelia altogether for the admin path, because otherwise headers take priority over local logins, and I can't login into the admin part with the local admin credential.
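The thread above turns on three points: that the proxy's `Remote-User` header and the app's `HTTP_REMOTE_USER` key are the same thing seen from two sides, that the feature is opt-in via a setting, and that a user who arrives via SSO but does not yet exist is auto-created with no usable password (hence the later request to map `Remote-Groups` onto local roles). The following is an added example, written for this page and not code from the paperless-ng PR or from Django; it is a minimal stand-in for the `RemoteUserMiddleware` / `RemoteUserBackend` pattern Django's docs describe. All names (`RemoteUserAuth`, `proxy_forward`, `header_to_meta_key`, the `admin_groups` mapping) are hypothetical, and the assumption that `Remote-Groups` is comma-separated is mine.

```python
"""Added example (not from the paperless-ng PR or Django): a small stand-in for
Django's RemoteUserMiddleware / RemoteUserBackend pattern, showing the header
naming rule, the opt-in switch, auto-created users and a group-to-role mapping."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


def header_to_meta_key(header_name: str) -> str:
    """CGI/WSGI naming rule: the request header 'Remote-User' reaches the app as
    META['HTTP_REMOTE_USER'] (uppercase, '-' becomes '_', 'HTTP_' prefix).
    So 'Remote-User' at the proxy and 'HTTP_REMOTE_USER' in the app are one header."""
    return "HTTP_" + header_name.upper().replace("-", "_")


def proxy_forward(client_headers: Dict[str, str], verdict: Optional[str]) -> Dict[str, str]:
    """What a forward-auth proxy must do before handing the request to the app:
    drop any client-supplied copy of the trusted header, then set it only from the
    authenticator's verdict (None means the client is not authenticated)."""
    forwarded = {k: v for k, v in client_headers.items() if k.lower() != "remote-user"}
    if verdict is not None:
        forwarded["Remote-User"] = verdict
    return forwarded


@dataclass
class User:
    username: str
    has_usable_password: bool = False  # RemoteUserBackend creates users this way
    is_superuser: bool = False


@dataclass
class RemoteUserAuth:
    """Hypothetical auth backend. The `enabled` default mirrors the PR's
    description (disabled unless PAPERLESS_ENABLE_HTTP_REMOTE_USER is set); the
    group mapping is what the thread asks for, not what the PR ships."""
    enabled: bool = False
    header: str = "HTTP_REMOTE_USER"            # META key the app reads
    groups_header: str = "HTTP_REMOTE_GROUPS"   # assumed comma-separated list
    admin_groups: Set[str] = field(default_factory=set)
    create_unknown_user: bool = True
    users: Dict[str, User] = field(default_factory=dict)

    def authenticate(self, meta: Dict[str, str]) -> Optional[User]:
        if not self.enabled:
            return None  # feature switched off: header is ignored entirely
        username = meta.get(self.header, "").strip()
        if not username:
            return None
        user = self.users.get(username)
        if user is None:
            if not self.create_unknown_user:
                return None
            user = User(username=username)  # no password: cannot log in locally
            self.users[username] = user
        groups = {g.strip() for g in meta.get(self.groups_header, "").split(",") if g.strip()}
        if groups & self.admin_groups:
            user.is_superuser = True  # role comes from SSO groups, no local step needed
        return user


def demo() -> dict:
    """Constructed walk-through: a spoofed Remote-User from the client is dropped
    at the proxy, and the app only ever sees the authenticator's verdict."""
    proxy_out = proxy_forward({"Remote-User": "mallory", "Accept": "*/*"}, "alice")
    meta = {header_to_meta_key(k): v for k, v in proxy_out.items()}
    auth = RemoteUserAuth(enabled=True, admin_groups={"admins"})
    user = auth.authenticate(meta)
    return {"meta_keys": sorted(meta), "user": user.username,
            "usable_password": user.has_usable_password}


if __name__ == "__main__":
    print(demo())
```

The `proxy_forward` step is the part worth checking in a real deployment: the app trusts whatever sits in `HTTP_REMOTE_USER`, so the proxy in front of it has to be the only thing that can set that header. The `admin_groups` mapping shows how a `Remote-Groups` header could remove the "disable SSO, log in locally, assign the role, re-enable SSO" round trip described above.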
This PR adds support for authenticating via HTTP_REMOTE_USER which is set by some SSO applications, in my case, Authelia. Also see #142 (comment) . This PR adds:
PAPERLESS_ENABLE_HTTP_REMOTE_USER
to enable this feature, by default it's disabled. It's pretty simple really but wanted to run it by you @jonaswinkler first. Thanks as always for any help / feedback!