
Auth with trusted HTTP Header #141

Open · 2 tasks done
jamesread opened this issue May 1, 2023 · 13 comments

Comments

@jamesread (Collaborator) commented May 1, 2023

This was originally the design for auth support in #30 - which grew too big. Moving the discussion here. See #30 (comment) for context.

As @jacksgt points out - I did get halfway through implementing this (in 0335e58 and probably some other commits), but it needs docs support, and some testing.

@jacksgt - it would be good if you're able to test this with your setup - I don't have a reverse proxy currently configured that supports auth via headers (I will set one up - but I'm limited on time!).

@jacksgt commented May 2, 2023

Hey, thanks for your time and effort!

I will take a look at the items listed above in the coming days / weeks.

@Typhonragewind

I did test this with my setup (some other applications already use this kind of auth) and it doesn't seem to be working. I'm unsure why, though; the logs are not very informative on this one.

@jamesread (Collaborator, Author)

@Typhonragewind hey, what setup (proxy, proxy config, and OliveTin config) are you using please? Let's debug it together.

@Typhonragewind commented Nov 10, 2023

> @Typhonragewind hey, what setup (proxy, proxy config, and OliveTin config) are you using please? Let's debug it together.

As my reverse proxy I use SWAG coupled with Authentik with the following config for OliveTin:

```nginx
server {
    listen 443 ssl;
    listen [::]:443 ssl;

    server_name tin.*;
    include /config/nginx/ssl.conf;
    client_max_body_size 0;

    # enable for Authentik (requires authentik-location.conf in the location block)
    include /config/nginx/authentik-server.conf;

    location / {
        # enable for Authentik (requires authentik-server.conf in the server block)
        include /config/nginx/authentik-location.conf;

        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        set $upstream_app lan_ip;
        set $upstream_port 1337;
        set $upstream_proto http;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;
    }
}
```

The content of authentik_location is:

```nginx
## Send a subrequest to Authentik to verify if the user is authenticated and has permission to access the resource.
auth_request /outpost.goauthentik.io/auth/nginx;
## If the subrequest returns 200 pass to the backend, if the subrequest returns 401 redirect to the portal.
error_page 401 = @goauthentik_proxy_signin;

## Translate response headers from Authentik into variables
auth_request_set $authentik_email $upstream_http_x_authentik_email;
auth_request_set $authentik_groups $upstream_http_x_authentik_groups;
auth_request_set $authentik_name $upstream_http_x_authentik_name;
auth_request_set $authentik_uid $upstream_http_x_authentik_uid;
auth_request_set $authentik_username $upstream_http_x_authentik_username;

## Inject the response header variables into the request made to the actual upstream
proxy_set_header X-authentik-email $authentik_email;
proxy_set_header X-authentik-groups $authentik_groups;
proxy_set_header X-authentik-name $authentik_name;
proxy_set_header X-authentik-uid $authentik_uid;
proxy_set_header X-authentik-username $authentik_username;

## Include the Set-Cookie header if present.
auth_request_set $set_cookie $upstream_http_set_cookie;
add_header Set-Cookie $set_cookie;
```

My OliveTin config is:

```yaml
# Choose from INFO (default), WARN and DEBUG
logLevel: "INFO"

AuthHttpHeaderUsername: "X-authentik-username"

defaultPermissions:
    view: false
    exec: false

accessControlLists:
    - name: Admin
      addToEveryAction: true
      matchUsernames:
      - typhon
      permissions:
        view: true
        exec: true

    - name: "user2"
      matchUsernames:
      - "user2"
      permissions:
        view: true
        exec: true

    - name: "user3"
      matchUsernames:
      - "user3"
      permissions:
        view: true
        exec: true

# Actions (buttons) to show up on the WebUI:
actions:
  # This will send 1 ping (-c 1)
- title: Ping Google.com
  shell: ping google.com -c 1
  icon: ping

- title: Restart Foundry (user3)
  shell: docker restart foundry_user3
  icon: "🔄"
  timeout: 30
  acls:
     - "aez"

#- title: Restore Last Backup Foundry (user3)
#  shell: /docker_volumes/management/foundry_user3_restorebackup.sh
#  icon: "♻"
#  timeout: 30

- title: Restart Foundry (Typhon)
  shell: docker restart foundry
  icon: "🔄"
  timeout: 30

- title: Restart Foundry (user2)
  shell: docker restart foundry_user2
  icon: "🔄"
  timeout: 30
  acls:
     - "user2"
```

@jamesread (Collaborator, Author) commented Dec 22, 2023

Just a note that the logs have been considerably improved in the 2023.11.21 release to help debug trusted header Auth.

@Typhonragewind

> Just a note that the logs have been considerably improved in the 2023.11.21 release to help debug trusted header Auth.

Sure, I'll update and report soon!

@jamesread (Collaborator, Author)

https://docs.olivetin.app/trusted-header.html

@jacksgt @Typhonragewind Would you be willing to help test with a recent OliveTin release?

@Typhonragewind

> https://docs.olivetin.app/trusted-header.html
>
> @jacksgt @Typhonragewind Would you be willing to help test with a recent OliveTin release?

I've been pretty swamped with life in general, but I'll try to do it this weekend!

@jamesread (Collaborator, Author)

No hurry @Typhonragewind - we all have that problem! :-) I'll leave the issue open until we all resolve it!

@Typhonragewind commented Apr 23, 2024

@jamesread So, I updated and tested it out, still no luck.

I checked the logs and it seems the problem is on my side xD

level="warning" msg="Config has AuthHttpHeaderUsername set to X-authentik-username, but it was not found"

Thanks for looking into this with me!

@jamesread (Collaborator, Author) commented Apr 23, 2024

So that sounds like your authentik proxy isn't sending that header to OliveTin - as it's complaining it can't find that header in the request.

What does your authentik config look like, if you can share it?

@Typhonragewind

> So that sounds like your authentik proxy isn't sending that header to OliveTin - as it's complaining it can't find that header in the request.

Yep, I'm now investigating this and how to fix it.

> What does your authentik config look like, if you can share it?

I use authentik alongside docker-SWAG. And by the settings I've configured it should be passing the headers, but it's not. What config specifically are you looking for? Authentik is huge and configs are not contained in a single file, as far as I know xD

@jamesread (Collaborator, Author) commented Apr 23, 2024

Okay, you can enable more logging in OliveTin to help you out:

```yaml
logDebugOptions:
    singleFrontendRequests: true
    singleFrontendRequestHeaders: true
```

Then you can see exactly what OliveTin is being sent by your proxy.
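To make the debugging step above concrete, here is an added Go example (not OliveTin's own code) that does what trusted-header auth and `singleFrontendRequestHeaders` boil down to: look up the header named by `AuthHttpHeaderUsername` on the forwarded request, emit the same warning the thread quotes when it is missing, and list exactly which headers arrived. The `proxied` helper, the request path and the header values are constructed for the example.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"sort"
	"strings"
)

// Warning OliveTin logs when the configured header is missing (quoted from the thread).
const missingFmt = "Config has AuthHttpHeaderUsername set to %s, but it was not found"
// headerUsername is the core of trusted-header auth: read the header named by
// AuthHttpHeaderUsername from the request the proxy forwarded. http.Header.Get
// canonicalises names, so the config's "X-authentik-username" matches whatever
// case nginx sends. Returns (username, "") or ("", warning) when it is absent.
func headerUsername(r *http.Request, headerName string) (string, string) {
	v := strings.TrimSpace(r.Header.Get(headerName))
	if v == "" {
		return "", fmt.Sprintf(missingFmt, headerName)
	}
	return v, ""
}

// dumpHeaders is what singleFrontendRequestHeaders shows: a sorted "Name: value"
// list of exactly what arrived, so a missing X-authentik-* header is seen, not guessed.
func dumpHeaders(r *http.Request) []string {
	var out []string
	for name, vals := range r.Header {
		out = append(out, name+": "+strings.Join(vals, ", "))
	}
	sort.Strings(out)
	return out
}

// proxied is a constructed request as nginx forwards it after auth_request. nginx
// omits a proxy_set_header whose variable is empty, which is the thread's failing
// case: Authentik set no X-authentik-username, so nothing reached OliveTin.
func proxied(username string) *http.Request {
	r := httptest.NewRequest("GET", "/api/GetDashboardComponents", nil)
	if username != "" {
		r.Header.Set("X-authentik-username", username)
	}
	return r
}

func main() {
	for _, r := range []*http.Request{proxied("typhon"), proxied("")} {
		fmt.Println(dumpHeaders(r))
		fmt.Println(headerUsername(r, "X-authentik-username"))
	}
}
```

The header is only as trustworthy as the proxy in front of it: OliveTin should be reachable only through nginx, whose `proxy_set_header` replaces any X-authentik-* header a client might send directly.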
