Comments (11)
@ViRb3 I mention you so you will for sure get a notification. :)
from authelia-basic-2fa.
Hey there, thanks for taking interest in this project.
If you are following the official Authelia proxy integration guide, you should have a statement like this (nginx):
error_page 401 =302 https://auth.website.com/?rd=$target_url;
This will redirect the user to the Authelia login page if they are not authenticated. By merging your PR, two things will happen:
- The header won't travel back to the user unless explicitly defined in the reverse proxy.
- If the header is set to travel back to the user, it will prompt basic auth, conflicting with the redirection statement above.
Since for most use cases we want people to use the Authelia login portal, I don't think that it's a good idea to add this header in authelia-basic-2fa. Instead, it can be added as needed in the reverse proxy configuration. Here's how I match the user agent to decide whether the user should be redirected (if using a browser) or basic auth should be prompted (VLC, etc.):
    location @basic_auth_prompt {
        internal;
        add_header "WWW-Authenticate" "Basic realm=\"Restricted Content\"" always;
        return 401;
    }

    location / {
        if ($http_user_agent ~* "vlc|kodi") {
            error_page 401 = @basic_auth_prompt;
        }
        ...
    }
Please let me know if there's a use case that I'm not accounting for.
Hey. As I mentioned before, I don't have any experience with Traefik, so unfortunately I can't help with configuring it. What I'm trying to say, though, is that you have to choose one of two responses to unauthorized access:
- Redirect to login page (302)
- Show basic auth prompt (401 + header)
You can't have both at the same time, or at least I'm unaware how. If you force the header from authelia-basic-2fa, then you can't have redirection. So, in my opinion, the best solution is to delegate the redirect/basic auth decision to the reverse proxy, like I described above. Again, I don't know how to do this in Traefik, but it should be possible. You are always welcome to use nginx instead or to contribute documentation on how to set up Traefik. If you have a better idea I am all ears.
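The two responses discussed in this thread (302 to the Authelia portal for browsers, 401 plus a WWW-Authenticate challenge for media players) are mutually exclusive per request, which is why the maintainer moves the choice into the proxy. The following Go handler is an added example that is not part of authelia-basic-2fa or Authelia: it makes the same user-agent decision as the nginx snippet above, and the portal URL, the `vlc|kodi` pattern, the `Remote-User` header and the `authelia_session` cookie used as a stand-in for the real `/verify` check are all assumptions constructed for the example.

```go
package main

import (
	"net/http"
	"net/url"
	"regexp"
)

// Assumed values (constructed for this example, not from the project):
// the Authelia portal location and the non-browser clients that should
// receive a Basic prompt instead of a redirect.
const portalURL = "https://auth.website.com/"

var basicAuthAgents = regexp.MustCompile(`(?i)vlc|kodi`)

// Decision is the single response a proxy sends for an unauthenticated
// request: either a 302 to the portal or a 401 carrying a challenge.
// It never carries both, which is the point made in the thread.
type Decision struct {
	Status    int
	Location  string // set only for 302
	Challenge string // WWW-Authenticate value, set only for 401
}

// decide chooses between the two responses from the User-Agent.
// The redirect carries the original URL in the rd parameter so the
// portal can send the user back after login, as in the nginx error_page.
func decide(userAgent, targetURL string) Decision {
	if basicAuthAgents.MatchString(userAgent) {
		return Decision{
			Status:    http.StatusUnauthorized,
			Challenge: `Basic realm="Restricted Content"`,
		}
	}
	return Decision{
		Status:   http.StatusFound,
		Location: portalURL + "?rd=" + url.QueryEscape(targetURL),
	}
}

// isAuthenticated is a stand-in for the upstream /verify call (constructed:
// a request counts as authenticated when it carries an authelia_session
// cookie). In a real deployment the decision comes from Authelia.
func isAuthenticated(r *http.Request) bool {
	_, err := r.Cookie("authelia_session")
	return err == nil
}

// guard wraps an upstream handler and applies the decision for
// requests that fail authentication.
func guard(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if isAuthenticated(r) {
			next.ServeHTTP(w, r)
			return
		}
		target := "https://" + r.Host + r.URL.RequestURI()
		d := decide(r.UserAgent(), target)
		if d.Status == http.StatusUnauthorized {
			// A 401 without WWW-Authenticate will not make VLC/Kodi prompt.
			w.Header().Set("WWW-Authenticate", d.Challenge)
			http.Error(w, "Unauthorized", http.StatusUnauthorized)
			return
		}
		http.Redirect(w, r, d.Location, http.StatusFound)
	})
}

func main() {
	upstream := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Write([]byte("hello, " + r.Header.Get("Remote-User")))
	})
	http.ListenAndServe(":8080", guard(upstream))
}
```

Browsers never see the Basic prompt and media players never see an HTML login page; a client that matches neither rule still gets the portal redirect, which is the safer default for an unknown agent.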
Even without the prompt, I'm not redirected to the auth, via the container and Traefik so cannot comment on that.
There must be something wrong with your setup, redirection works as expected for me with nginx. You will probably have to tell Traefik to handle 401 as a redirection to the portal.
That's entirely possible, but the point is that it should be implemented, but could be a passable parameter for it or something like that so a user can choose it, or an ENV variable to set which one is used.
It seems that there is going to be support for this in authelia directly.
Ref: authelia/authelia/pull/1563
Thanks for the heads up! I'll make sure to update this proxy to support that.
After a more thorough read, it seems like this update does not require any change on our side. The new update allows reverse proxies to use a new query parameter /verify?auth=basic to use the Authorization header instead of Proxy-Authorization when authenticating. We currently re-write the Authorization header as Proxy-Authorization, and it will continue to work, both across old and new versions.
@ViRb3 so, looks like header is not sent in current main branch? (sorry for necropost)
authelia-basic-2fa/clientHandler.go
Line 172 in 7a3e0f8
For people who are searching in Google: an example of how to add the WWW-Authenticate header in a Caddyfile
    @foo host foo.local
    handle @foo {
        forward_auth * foo_auth:8080 {
            uri /
            copy_headers Remote-User Remote-Groups Remote-Name Remote-Email
            header_up Host {upstream_hostport}
            @bad status 4xx
            handle_response @bad {
                header ?WWW-Authenticate "Basic realm=\"foo\""
                respond {rp.status_text} {rp.status_code}
            }
        }
        reverse_proxy foo:8080
    }