-
-
Notifications
You must be signed in to change notification settings - Fork 1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Feature Request] Expose Authorization: Bearer
token when integrated with proxies.
#2922
Comments
I am also facing a similar requirement, being able to send the jwt down stream for validation and rbac purposes is very useful feature to have! |
This is something we've been thinking about however it's more important to get it right than to get the feature implemented quickly in this instance. I think the best solution will involve us creating an internal OIDC forward auth handler that allows Authelia performing the OpenID Connect Authorization flow itself. The client config would have to include an additional redirect URL, and the forward auth endpoint would include OIDC parameters. The Authorization Bearer header would just be a response header to the forward auth endpoint for the proxy to staple with the request similar to Remote-User etc. There are other ways to do it but I think enforcing the Authorization flow is ideal as it will prevent issues down the line and probably invoke less bugs.. it's just going to be quite a bit of work. |
Hi there, is there any progress to track if this going to happen? |
@james-d-elliott This should now function with the changes made in #6774 right? Ive been messing with it and while I now have the ability to get to the dashboard page following the docs here, but have been unable to get the Authorization header token to included as Im retuned the kubernetes-dashboard sign in modal. Im currently stuck wondering if Im misinterpreting what "Access Tokens can be granted which can be leveraged as bearer tokens for the purpose of authorization" means and its not actually supported yet? or am I doing it right on the authelia side, but am messing up my traefik proxy or is my authelia config just wrong... Im basically stuck not knowing how to debug from here. |
Those changes are not intended for this specific purpose, we would have closed it while merging it (code rabbit mistakenly identified it as related but it isn't). They are for authenticating with Authelia via token for the proxy integration. It'll make sense when you look at how you can use the client credentials grant type with it. It is something I'd like to do but I'm not 100% sure of the way I want to achieve it. I'm relatively sure the way k8s works and oauth2 proxy works is it uses the ID Token in bearer auth. |
Description
Currently Authelia send couple of HTTP headers (Remote-User, Remote-Name, Remote-Email, Remote-Groups) to backend when used with proxy.
Right now we have some OIDC support it Authelia, it would be nice if we would be able to provide
Authorization: Bearer <token>
header also. should be just JWT token, same as returned by Authelia when OIDC is used.This way, our backend apps could authorize users based on data provided by Authelia.
Use Case
Currently im using Authelia as SSO, Traefik as ingress and OAuth2-Proxy.
OAuth2-Proxy is only used to fetch token from Authelia (OIDC) and add
Authorization
Header. After that my backend apps (in this example kubernetes-dashboard), will use this token to authorize requests.Im using k3s as kubernetes platform, some examples here are my environment specific - but they should present general vision. Im using ansible to render all k8s yaml files, so inside there are variables used.
Authorization flow:
Authorization
header in requestAuthorization
header and pass it to k8s apiAuthorization
header with Authelia (validate JWT token)Traefik middlewares:
Traefik IngressRoutes:
Oauth2-Proxy:
K8s dashboard:
K8s api:
We need to point k8s-api to Authelia, so K8s will validate Bearer token:
Add those parameter to k3s startup script
Authelia config:
Whats wrong with this setup?
Authorization
header to proxy and remove Oauth2-Proxy, and Oauth2 middlewares from the picture.The text was updated successfully, but these errors were encountered: