This repository has been archived by the owner on Jun 12, 2024. It is now read-only.
feat(auth): support for forwarded auth provider #874
+266
−61
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
What type of PR is this?
What this PR does / why we need it:
This PR introduces a new authentication provider, called "ForwardAuth". It's written with forward-authentication supporting reverse proxies (like nginx or traefik) and accomodanting authentication apps (like authelia, authentik and probably many more).
With this changes, if homebox is configured in one of Fw-Auth setups, it will automatically sign in (and register, depending on configuration) user forwarded by initial authentication backend, thus removing necessity of logging in twice.
This is done by special header (also configurable, by default
Remote-Email
) which tells homebox, that authentication was already be done, and it can trust that given email is already valid. Of course, a malicious user, my try to send this user, by themself trying to impersonate the real one - but in properly configured fw-auth setups it shouldn't be possible. Anyway, to avoid any mistakes, there is another configurable field, defining list of IPs which are allowed to be source of fw-auth traffic. By default it's empty, meaning every source is blacklisted - thus feature is disabled. This also protects installations which doesn't need this feature, to not accidentally expose themselves.Which issue(s) this PR fixes:
Implements #270
Testing
I deployed updated code to my cluster, and tested everything with authelia.
Release Notes