Forward Authentication Usage

[dotsam]

I was hoping to be able to use the Forward Authentication feature with nginx's auth_request module to provide authentication for some simple web services. But then I realized that the "Forward Auth" and "Auth Request" endpoints might not be compatible.

I switched to doing a quick test with Caddy, whose forward_auth would seem to be compatible, but still ran in to issues.

Reading the manual page more closely and looking at the code, it looks like rauthy only supports authentication to the /auth/v1/oidc/forward_auth endpoint with the Authentication header, and not with a cookie, is that correct? If this is the case, is there any way to have an in-browser flow for authentication and authorization?

I was trying to avoid having to also run oauth2-proxy, but it seems like that is probably the better way to go for providing authentication to these services.

[sebadob]

But then I realized that the "Forward Auth" and "Auth Request" endpoints might not be compatible.

What exactly do you mean with that? Which "Auth Request" endpoint?

Reading the manual page more closely and looking at the code, it looks like rauthy only supports authentication to the /auth/v1/oidc/forward_auth endpoint with the Authentication header, and not with a cookie, is that correct?

That's correct. It expects a JWT token in the Authentication header. When you would like to be able to do this with a cookie, do you mean some random cookie you can configure the name for via config, or Rauthys own session cookie? Because, this will not work, unless you host your app in combination with Rauthy either on the exact same origin and change the cookie mode, or do path rewrites via proxy. Otherwise, the browser would not send the cookie.

It would be possible to accept "some cookie name" via config and do an additional lookup for a token in that cookie as well, if that's what would fix your problem.

If this is the case, is there any way to have an in-browser flow for authentication and authorization?

To achieve what exactly? Because yes there is of course.

I was trying to avoid having to also run oauth2-proxy, but it seems like that is probably the better way to go for providing authentication to these services.

Yeah oauth2-proxy has it's own issues, but it's pretty good, as long as you only use a single IdP.

So you basically would like to have the same functionality like oauth2-proxy, that you can use this endpoint even with the oldest legacy applications where you cannot even set a token in the header and have no access to any UI code? I would have to think about a solution. It would basically require an additional /callback endpoint on Rauthy's side, which you then would have to route requests to on the same domain that your app runs on, and then have a path rewrite, to make the cookie work.

[dotsam]

Yes, I'm looking for the same sort of reverse proxy support that Authelia offers (https://www.authelia.com/reference/guides/proxy-authorization/)

What exactly do you mean with that? Which "Auth Request" endpoint?

There seem to be two main implementations supported by proxies, "Forward Auth" and "Auth Request", with the only real difference being that they use different headers to extract information about the original request.

I would have to think about a solution. It would basically require an additional /callback endpoint on Rauthy's side, which you then would have to route requests to on the same domain that your app runs on, and then have a path rewrite, to make the cookie work.

Yes, this is how Authelia (https://www.authelia.com/integration/proxies/nginx/) and Authentik (https://docs.goauthentik.io/docs/add-secure-apps/providers/proxy/server_nginx) work, the reverse proxy forwards a mirror of the request along with the original URL as a query parameter or header, and if auth is needed, performs it, and then redirects back to the original URI.

The more I look at this, the more work it seems like to implement in rauthy when oauth2-proxy would probably work for my needs, but I think it would also build out the capabilities of rauthy to match and exceed some of these other solutions.

[sebadob]

I did not have too much time right now to read into it, and when you search fot it, you only get the most basic guides and not detailed information about the internals, but I guess I got it. The AuthRequest is an nginx specific thing. I've not used nginx in quite a while. In the end, they check either the Authorization header, which Rauthy already supports, and / or a cookie. It's basically the same thing, just different names and slightly different values, which actually is pretty annoying. ^^ The cookie would need to be added into the mix. This would not be too much work actually.

I guess it would already work with nginx if you could set the token in the header, because there's nothing too special to these endpoints. The only 2 things that Rauthy would need to add are:

• A custom callback endpoint which can set the cookie
• Additional checks for the header values some proxies send along

And then it would work I guess. Everything else is already implemented. The downside currently is, that you need to have the JWT token in the Authorization header, which needs at least some control over the client side. With a cookie, it would be fully independent.

No one needed anything else so far, but I can have a look into this a bit more and maybe I will just add an implementation for it.

[dotsam]

Implemented in #1053