chatgpt-web-dev/chatgpt-web

Allowing Custom SSO Auth Header

Closed this issue · 2 comments

Amazing project! I'm very thrilled to be trying out the new SSO Auth Header feature.

I noticed a small hiccup when integrating with Authelia:

Authelia uses Remote-User and Remote-Email instead of X-Email as the auth headers returned to the reverse proxy: https://www.authelia.com/integration/trusted-header-sso/introduction/#response-headers

This means that the SSO won't work out of the box with Authelia.

Adding a new env parameter for header name would provide this flexibility.

Thank you for your feedback. In fact, using the following configuration should work properly.

```nginx
## Send a subrequest to Authelia to verify if the user is authenticated and has permission to access the resource.
auth_request /authelia;

## Set the $target_url variable based on the original request.

## Comment this line if you're using nginx without the http_set_misc module.
set_escape_uri $target_url $scheme://$http_host$request_uri;

## Uncomment this line if you're using NGINX without the http_set_misc module.
# set $target_url $scheme://$http_host$request_uri;

## Save the upstream response headers from Authelia to variables.
auth_request_set $email $upstream_http_remote_email;

## Inject the response headers from the variables into the request made to the backend.
proxy_set_header X-Email $email;

## If the subrequest returns 200 pass to the backend, if the subrequest returns 401 redirect to the portal.
error_page 401 =302 https://auth.example.com/?rd=$target_url;
```

Different from the examples in Authelia's documentation,
it uses proxy_set_header X-Email $email; instead of proxy_set_header Remote-Email $email;.

https://www.authelia.com/integration/proxies/nginx/#authelia-authrequestconf

This would be an elegant solution for Nginx reverse proxy users, thanks for sharing!

My use case is a bit different: I'm using Kubernetes + nginx ingress controller, which has a more convoluted syntax and less documentation on this topic.

In case it helps someone, here's how to configure nginx ingress annotations to pass X-Email in addition to Remote-Email:

```yaml
nginx.ingress.kubernetes.io/auth-response-headers: Remote-User,Remote-Name,Remote-Groups,Remote-Email
nginx.ingress.kubernetes.io/auth-snippet: |
  proxy_set_header X-Forwarded-Method $request_method;
nginx.ingress.kubernetes.io/configuration-snippet: |
  auth_request_set $email $upstream_http_remote_email;
  proxy_set_header X-Email $email;
```

@BobDu would you consider accepting a PR to make the auth header configurable? I feel that this could be beneficial for people with different proxy setups.
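
The configurable header name requested in this thread, as an added example that is not part of the original issue or the project's own code: it reads the header name from a hypothetical `AUTH_PROXY_HEADER_NAME` variable (default `X-Email`) and accepts the value only from peers listed in a hypothetical `TRUSTED_PROXY_IPS`, since an identity header is only as trustworthy as the hop that set it.

```javascript
// Added example; AUTH_PROXY_HEADER_NAME and TRUSTED_PROXY_IPS are hypothetical names.
const DEFAULT_HEADER = 'x-email';
const HEADER_NAME_RE = /^[a-z0-9-]+$/; // conservative subset of valid header names
const EMAIL_RE = /^[^\s@,<>"]+@[^\s@,<>"]+\.[^\s@,<>"]+$/;

// Resolve the header name from the environment, falling back to X-Email.
// Node lowercases incoming header names, so the configured name is lowercased too.
function authHeaderName(env) {
  const name = (env.AUTH_PROXY_HEADER_NAME || DEFAULT_HEADER).trim().toLowerCase();
  if (!HEADER_NAME_RE.test(name)) throw new Error(`invalid header name: ${name}`);
  return name;
}

// Return the authenticated e-mail, or null if the request must not be trusted.
// `headers` is a Node-style object: lowercased keys, duplicates joined with ", ".
function resolveProxyUser(headers, remoteAddr, env) {
  const trusted = (env.TRUSTED_PROXY_IPS || '')
    .split(',').map((s) => s.trim()).filter(Boolean);
  // Identity headers only mean something when the peer is the reverse proxy itself.
  if (!trusted.includes(remoteAddr)) return null;
  const value = headers[authHeaderName(env)];
  // Missing or array-valued header: refuse rather than pick one.
  if (typeof value !== 'string') return null;
  const email = value.trim();
  // Comma-joined duplicates and malformed values fail this check.
  return EMAIL_RE.test(email) ? email : null;
}

// Constructed sample requests (not captured traffic).
const sampleEnv = { AUTH_PROXY_HEADER_NAME: 'Remote-Email', TRUSTED_PROXY_IPS: '10.0.0.5' };
const samples = [
  [{ 'remote-email': 'alice@example.com' }, '10.0.0.5'],    // set by the proxy
  [{ 'remote-email': 'alice@example.com' }, '203.0.113.9'], // direct client, untrusted
  [{ 'x-email': 'alice@example.com' }, '10.0.0.5'],         // header not configured
  [{ 'remote-email': 'a@example.com, b@example.com' }, '10.0.0.5'], // duplicated header
];
for (const [headers, ip] of samples) {
  console.log(ip, JSON.stringify(headers), '->', resolveProxyUser(headers, ip, sampleEnv));
}
```

In a Node server, `remoteAddr` would come from `req.socket.remoteAddress`, which can appear as `::ffff:10.0.0.5` on dual-stack sockets and needs normalising before the comparison.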