
Comments (11)

samip5 avatar samip5 commented on July 22, 2024

@ViRb3 I mention you so you will for sure get a notification. :)

from authelia-basic-2fa.

ViRb3 avatar ViRb3 commented on July 22, 2024

Hey there, thanks for taking interest in this project.

If you are following the official Authelia proxy integration guide, you should have a statement like this (nginx):

error_page 401 =302 https://auth.website.com/?rd=$target_url;

This will redirect the user to the Authelia login page if they are not authenticated. By merging your PR, two things will happen:

  1. The header won't travel back to the user unless explicitly defined in the reverse proxy.
  2. If the header is set to travel back to the user, it will prompt basic auth, conflicting with the redirection statement above.

Since for most use cases we want people to use the Authelia login portal, I don't think that it's a good idea to add this header in authelia-basic-2fa. Instead, it can be added as needed in the reverse proxy configuration. Here's how I match the user agent to decide whether the user should be redirected (if using a browser) or basic auth should be prompted (VLC, etc.):

location @basic_auth_prompt {
    internal;
    add_header "WWW-Authenticate" "Basic realm=\"Restricted Content\"" always;
    return 401;
}

location / {
    if ($http_user_agent ~* "vlc|kodi") {
        error_page 401 = @basic_auth_prompt;
    }
    ...
}

Please let me know if there's a use case that I'm not accounting for.

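The redirect-or-prompt decision described in the comment above, as an added Go example (not code from authelia-basic-2fa or its author). It assumes the portal URL and realm text from the nginx snippet and the same vlc/kodi user-agent list; the request in main is constructed for illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
	"regexp"
)

// Assumed values, taken from the nginx snippets in this thread.
const (
	PortalURL = "https://auth.website.com/"
	Realm     = "Restricted Content"
)

// Non-browser clients that cannot follow a login redirect and need a
// basic-auth prompt instead (same list as the nginx `if` above).
var basicAuthAgents = regexp.MustCompile(`(?i)vlc|kodi`)

// WantsBasicPrompt reports whether an unauthenticated request should get
// 401 + WWW-Authenticate rather than a 302 to the portal.
func WantsBasicPrompt(userAgent string) bool {
	return basicAuthAgents.MatchString(userAgent)
}

// RedirectTarget builds the portal URL with the original request in rd=,
// the equivalent of `error_page 401 =302 https://auth.website.com/?rd=$target_url`.
func RedirectTarget(r *http.Request) string {
	original := "https://" + r.Host + r.URL.RequestURI()
	return PortalURL + "?rd=" + url.QueryEscape(original)
}

// Unauthorized emits exactly one of the two responses, never both: that is
// the conflict the maintainer describes when the header is forced upstream.
func Unauthorized(w http.ResponseWriter, r *http.Request) {
	if WantsBasicPrompt(r.UserAgent()) {
		w.Header().Set("WWW-Authenticate", `Basic realm="`+Realm+`"`)
		w.WriteHeader(http.StatusUnauthorized)
		return
	}
	http.Redirect(w, r, RedirectTarget(r), http.StatusFound)
}

func main() {
	// Constructed sample request, not real traffic.
	r, _ := http.NewRequest("GET", "https://media.example.com/stream/1?x=1", nil)
	r.Header.Set("User-Agent", "VLC/3.0.18 LibVLC/3.0.18")
	fmt.Println("basic prompt:", WantsBasicPrompt(r.UserAgent()), "redirect:", RedirectTarget(r))
}
```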

samip5 avatar samip5 commented on July 22, 2024


ViRb3 avatar ViRb3 commented on July 22, 2024

Hey. As I mentioned before, I don't have any experience with Traefik, so unfortunately I can't help with configuring it. What I'm trying to say, though, is that you have to choose one of two responses to unauthorized access:

  • Redirect to login page (302)
  • Show basic auth prompt (401 + header)

You can't have both at the same time, or at least I'm unaware how. If you force the header from authelia-basic-2fa, then you can't have redirection. So, in my opinion, the best solution is to delegate the redirect/basic auth decision to the reverse proxy, like I described above. Again, I don't know how to do this in Traefik, but it should be possible. You are always welcome to use nginx instead or to contribute documentation on how to set up Traefik. If you have a better idea I am all ears.


samip5 avatar samip5 commented on July 22, 2024

> Hey. As I mentioned before, I don't have any experience with Traefik, so unfortunately I can't help with configuring it. What I'm trying to say, though, is that you have to choose one of two responses to unauthorized access:
>
>   • Redirect to login page (302)
>   • Show basic auth prompt (401 + header)
>
> You can't have both at the same time, or at least I'm unaware how. If you force the header from authelia-basic-2fa, then you can't have redirection. So, in my opinion, the best solution is to delegate the redirect/basic auth decision to the reverse proxy, like I described above. Again, I don't know how to do this in Traefik, but it should be possible. You are always welcome to use nginx instead or to contribute documentation on how to set up Traefik. If you have a better idea I am all ears.

Even without the prompt, I'm not redirected to the auth, via the container and Traefik so cannot comment on that.


ViRb3 avatar ViRb3 commented on July 22, 2024

There must be something wrong with your setup; redirection works as expected for me with nginx. You will probably have to tell Traefik to handle 401 as a redirection to the portal.


samip5 avatar samip5 commented on July 22, 2024

That's entirely possible, but the point is that it should be implemented, but could be a passable parameter for it or something like that so a user can choose it, or an ENV variable to set which one is used.


samip5 avatar samip5 commented on July 22, 2024

It seems that there is going to be support for this in authelia directly.

Ref: authelia/authelia/pull/1563


ViRb3 avatar ViRb3 commented on July 22, 2024

Thanks for the heads up! I'll make sure to update this proxy to support that.


ViRb3 avatar ViRb3 commented on July 22, 2024

After a more thorough read, it seems like this update does not require any change on our side. The new update allows reverse proxies to use a new query parameter /verify?auth=basic to use the Authorization header instead of Proxy-Authorization when authenticating. We currently re-write the Authorization header as Proxy-Authorization, and it will continue to work, both across old and new versions.


ColCh avatar ColCh commented on July 22, 2024

@ViRb3 so, it looks like the header is not sent in the current main branch? (sorry for the necropost)

resp, err := a.doRequest(authelia.VerifyUrl, "GET", nil, true)

For people who are searching on Google: an example of how to add the WWW-Authenticate header, in a Caddyfile:

@foo host foo.local
handle @foo {
    forward_auth * foo_auth:8080 {
        uri /
        copy_headers Remote-User Remote-Groups Remote-Name Remote-Email
        header_up Host {upstream_hostport}

        @bad status 4xx
        handle_response @bad {
            header ?WWW-Authenticate "Basic realm=\"foo\""
            respond {rp.status_text} {rp.status_code}
        }
    }
    reverse_proxy foo:8080
}

