From da5c722cf8ba9255f247ffa0ef38fb76934fac99 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Cl=C3=A9ment=20Michaud?= Date: Sun, 3 May 2020 05:18:13 +0200 Subject: [PATCH] [DOCS] Introduce an FAQ and document forwarded authentication. (#962) * add FAQ docs section * add forwarded authentication section to deployments > supported proxies * apply suggestions from code review Co-authored-by: James Elliott Co-authored-by: Amir Zarrinkafsh --- docs/community/index.md | 2 +- docs/deployment/supported-proxies/index.md | 17 +++++++++++++++++ docs/faq.md | 11 +++++++++++ 3 files changed, 29 insertions(+), 1 deletion(-) create mode 100644 docs/faq.md diff --git a/docs/community/index.md b/docs/community/index.md index 331354543..b114f41b3 100644 --- a/docs/community/index.md +++ b/docs/community/index.md @@ -1,7 +1,7 @@ --- layout: default title: Community -nav_order: 8 +nav_order: 9 has_children: true --- diff --git a/docs/deployment/supported-proxies/index.md b/docs/deployment/supported-proxies/index.md index a58589dcd..51df1b930 100644 --- a/docs/deployment/supported-proxies/index.md +++ b/docs/deployment/supported-proxies/index.md 
@@ -33,6 +33,23 @@ The target URL can be provided using one of the following ways: In the case of Traefik, these headers are automatically provided and therefore don't appear in the configuration examples. +## How can the backend be aware of the authenticated users? + +The only way Authelia can share information about the authenticated user currently is through the use of two HTTP headers: +`Remote-User` and `Remote-Groups`. +Those headers are returned by Authelia on requests to `/api/verify` and must be forwarded by the reverse proxy to the backends +needing them. +Please note that the backend must support the use of those headers to leverage that information, many +backends still don't (and probably won't) support it. However, we are working on solving this issue with OpenID Connect/OAuth2 +which is a widely adopted open standard for access delegation. + +So, if you're developing your own application, you can read those headers and use them. If you don't own the codebase of the +backend, you need to check whether it supports this type of authentication or not. If it does not, you have three options: + +1. Enable authentication on the backend and make your users authenticate twice (not user-friendly). +2. Completely disable the authentication of your backend. This works only if all your users share the same privileges in the backend. +3. Many applications support OAuth2 so the last option would be to just wait for Authelia to be an OpenID Connect provider (https://github.com/authelia/authelia/issues/189). + ## Redirection to the login portal The endpoint `/api/verify` has different behaviors depending on whether diff --git a/docs/faq.md b/docs/faq.md new file mode 100644 index 000000000..bde0cb872 --- /dev/null +++ b/docs/faq.md 
@@ -0,0 +1,11 @@ +--- +layout: default +title: FAQ +nav_order: 8 +--- + +# Frequently asked questions + +## How can the backend be aware of the authenticated users? + +This question is solved [here](https://docs.authelia.com/deployment/supported-proxies/#how-can-the-backend-be-aware-of-the-authenticated-users). \ No newline at end of file
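Review bot: in the `docs/community/index.md` hunk, bumping `nav_order` from 8 to 9 frees slot 8 for the new FAQ page, but nothing in this diff shows the other sidebar entries; please confirm no existing page already declares `nav_order: 9`, otherwise Community and that page will sort arbitrarily relative to each other.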
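Review bot: the new `## How can the backend be aware of the authenticated users?` section in `docs/deployment/supported-proxies/index.md` says the `Remote-User` and `Remote-Groups` headers `must be forwarded by the reverse proxy to the backends`, but never says that the proxy must set them from Authelia's `/api/verify` response and must not pass through values present in the incoming client request; a reader who configures plain header pass-through lets any client supply its own `Remote-User`. Suggest adding a sentence after that line along the lines of: the reverse proxy must overwrite any `Remote-User`/`Remote-Groups` headers arriving from the client with the values returned by Authelia, so that they cannot be injected. Two smaller points in the same hunk: option 2 (`Completely disable the authentication of your backend`) should state that the backend then trusts everyone Authelia lets through and must not be reachable by any path that bypasses the proxy, and the parenthetical `(and probably won't)` is speculation that will date the page and can be dropped.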
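Review bot: the new `docs/faq.md` links to the absolute URL `https://docs.authelia.com/deployment/supported-proxies/#how-can-the-backend-be-aware-of-the-authenticated-users`, so a locally served or versioned build of the docs will jump to whatever the live site currently publishes rather than to the section added in this same patch; a relative link such as `deployment/supported-proxies/#how-can-the-backend-be-aware-of-the-authenticated-users` keeps the FAQ pointing at its own build. Minor: `This question is solved [here]` reads better as `This question is answered [here]`, and the file is missing its trailing newline (`\ No newline at end of file`).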