haishanh/cherry

FR: SSO by Proxy authentication

Closed this issue · 2 comments

Describe the feature you would like to see.

It would be nice to allow authentication via an HTTP header containing the username. This would allow using proxy authentication via SSO providers like Authelia or Authentik, and by this it would also be possible to authenticate using LDAP or OIDC.

Describe the solution you'd like.

  • New environment variables for:
    • Whether the header authentication should be enabled
    • The header containing the username of the user
    • The header containing the email of the user
  • Automatic account creation for new users; this can happen transparently

Additional context to this request.

Proxy authentication basically works like this:

  • You put a proxy in front of your application
  • This proxy does not let anything through to the application until the user authenticates with the proxy
  • As soon as the user is authenticated, the proxy passes the traffic to the application including a header containing their username, email and whatever else you configure
  • Authentication for apps like the browser extension can be handled by creating an API token which can be used to authenticate to the API when no header is present

OpenID Connect would also be a good option, but this is much simpler to implement.

Many other services do this as well, for example Paperless and Firefly III.

I'd really like to have some form of SSO, as I host many services for myself and don't like to use different credentials for everything. And it should not be too complicated to implement 🙂 What do you think?

This is now supported in the latest version (v0.0.5). Related env vars are ENABLE_HTTP_REMOTE_USER and HTTP_REMOTE_USER_HEADER_NAME, more details in the docs.

There is also a demo setup in docker/examples/authelia-forward-auth that uses Authelia and Caddy.
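As an added illustration of the flow the issue describes (proxy asserts the username in a header, the app creates the account on first sight, the browser extension falls back to an API token) together with the two switches named in the maintainer's reply, here is a small identity resolver. This is example code, not cherry's own implementation: the config field names only mirror ENABLE_HTTP_REMOTE_USER and HTTP_REMOTE_USER_HEADER_NAME, and the trusted-proxy list, the in-memory user store and the token map are assumptions of this example. The point it adds is the check a deployer should not skip: a username header is only honoured when the request actually arrives from the proxy, because any other client can type the same header.

```typescript
// Added example (not from the cherry project): resolving the caller's identity
// for a service that sits behind a forward-auth proxy such as Authelia or Authentik.

type RemoteUserConfig = {
  enableHttpRemoteUser: boolean; // mirrors ENABLE_HTTP_REMOTE_USER
  remoteUserHeaderName: string;  // mirrors HTTP_REMOTE_USER_HEADER_NAME, e.g. "Remote-User"
  trustedProxyAddrs: string[];   // assumption: only these peers may assert a username
};

type Request = { remoteAddr: string; headers: Record<string, string> };

type Identity = { username: string; source: "proxy" | "api-token"; created: boolean };

// A username asserted by the proxy is still input: bound its length and charset
// before it becomes an account name.
const USERNAME_RE = /^[a-z0-9][a-z0-9._-]{0,63}$/i;

// Minimal in-memory user store (assumption; stands in for the real database).
class UserStore {
  private users = new Set<string>();

  // Creates the account if it does not exist yet; returns true when it was created.
  getOrCreate(username: string): boolean {
    const key = username.toLowerCase();
    if (this.users.has(key)) return false;
    this.users.add(key);
    return true;
  }

  has(username: string): boolean {
    return this.users.has(username.toLowerCase());
  }
}

// Case-insensitive header lookup (HTTP header names are case-insensitive).
function header(req: Request, name: string): string | undefined {
  const want = name.toLowerCase();
  for (const [k, v] of Object.entries(req.headers)) {
    if (k.toLowerCase() === want) return v;
  }
  return undefined;
}

function resolveIdentity(
  cfg: RemoteUserConfig,
  req: Request,
  users: UserStore,
  apiTokens: Map<string, string>, // token -> owning username (assumption)
): Identity | null {
  // 1. Proxy-asserted identity: only if enabled AND the peer is the proxy itself.
  if (cfg.enableHttpRemoteUser && cfg.trustedProxyAddrs.includes(req.remoteAddr)) {
    const asserted = header(req, cfg.remoteUserHeaderName)?.trim();
    if (asserted !== undefined) {
      // A malformed assertion is rejected outright rather than silently downgraded.
      if (!USERNAME_RE.test(asserted)) return null;
      const created = users.getOrCreate(asserted); // transparent first-login account creation
      return { username: asserted.toLowerCase(), source: "proxy", created };
    }
  }

  // 2. No usable proxy assertion (feature off, wrong peer, or header absent).
  //    A username header from any other peer is ignored here, never used.
  //    Fall back to an API token, which is how a browser extension would call the API.
  const auth = header(req, "authorization");
  const m = auth ? /^Bearer\s+(\S+)$/i.exec(auth) : null;
  if (m) {
    const owner = apiTokens.get(m[1]);
    if (owner && users.has(owner)) {
      return { username: owner.toLowerCase(), source: "api-token", created: false };
    }
  }

  // 3. Anonymous: the caller should get a 401 from the route handler.
  return null;
}

// Constructed sample run: one proxy login, then the same user via an API token.
const demoConfig: RemoteUserConfig = {
  enableHttpRemoteUser: true,
  remoteUserHeaderName: "Remote-User",
  trustedProxyAddrs: ["10.0.0.2"],
};
const demoUsers = new UserStore();
const demoTokens = new Map<string, string>([["tok-constructed-1", "alice"]]);
console.log(resolveIdentity(demoConfig, { remoteAddr: "10.0.0.2", headers: { "Remote-User": "Alice" } }, demoUsers, demoTokens));
console.log(resolveIdentity(demoConfig, { remoteAddr: "192.0.2.7", headers: { Authorization: "Bearer tok-constructed-1" } }, demoUsers, demoTokens));
```

The trusted-peer check is what makes the header safe to trust; in a setup like the Caddy/Authelia demo mentioned above, the equivalent is to ensure the application port is reachable only from the proxy (bound to localhost or an internal network) and that the proxy overwrites, rather than forwards, any `Remote-User` header sent by the client.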

Thanks! I can confirm it works with Authentik and Traefik :)