providers/proxy: add initial header token auth (#4421)

* initial implementation Signed-off-by: Jens Langhammer <jens@goauthentik.io> * check for openid/profile claims Signed-off-by: Jens Langhammer <jens@goauthentik.io> * include jwks sources in proxy provider Signed-off-by: Jens Langhammer <jens@goauthentik.io> * add web ui for jwks Signed-off-by: Jens Langhammer <jens@goauthentik.io> * only show sources with JWKS data configured Signed-off-by: Jens Langhammer <jens@goauthentik.io> * fix introspection tests Signed-off-by: Jens Langhammer <jens@goauthentik.io> * start basic Signed-off-by: Jens Langhammer <jens@goauthentik.io> * add basic auth Signed-off-by: Jens Langhammer <jens@goauthentik.io> * add docs, update admonitions Signed-off-by: Jens Langhammer <jens@goauthentik.io> * add client_id to api, add tab for auth Signed-off-by: Jens Langhammer <jens@goauthentik.io> * update locale Signed-off-by: Jens Langhammer <jens@goauthentik.io> Signed-off-by: Jens Langhammer <jens@goauthentik.io>
2023-01-13 16:22:03 +01:00
parent 31c6ea9fda
commit cd12e177ea
54 changed files with 830 additions and 162 deletions
--- a/website/developer-docs/api/making-schema-changes.md
+++ b/website/developer-docs/api/making-schema-changes.md
@ -18,6 +18,6 @@ The web client is used by the web-interface and web-FlowExecutor to communicate

 Since the client is normally distributed as an npm package, running `make gen-client-ts` will overwrite the locally installed client with the newly built one.

-:::warning
+:::caution
 Running `npm i` in the `/web` folder after using `make gen-client-ts` will overwrite the custom client and revert to the upstream client.
 :::
--- a/website/developer-docs/blueprints/v1/tags.md
+++ b/website/developer-docs/blueprints/v1/tags.md
@ -199,7 +199,7 @@ example:

 Full example:

-:::warning
+:::caution
 Note that an `!Enumeration` tag's iterable can never be an `!Item` or `!Value` tag with a depth of `0`. Minimum depth allowed is `1`. This is because a depth of `0` refers to the `!Enumeration` tag the `!Item` or `!Value` tag is in, and an `!Enumeration` tag cannot iterate over itself.
 :::

--- a/website/docs/installation/configuration.md
+++ b/website/docs/installation/configuration.md
@ -297,6 +297,6 @@ Defaults to 4.

 To modify additional settings further than the options above allow, you can create a custom python file and mount it to `/data/user_settings.py`. This file will be loaded on startup by both the server and the worker. All default settings are [here](https://github.com/goauthentik/authentik/blob/main/authentik/root/settings.py)

-:::warning
+:::caution
 Using these custom settings is not supported and can prevent your authentik instance from starting. Use with caution.
 :::
--- a/website/docs/policies/expression.mdx
+++ b/website/docs/policies/expression.mdx
@ -64,7 +64,7 @@ import Objects from "../expressions/_objects.md";

    -   `request.user`: The current user, against which the policy is applied. See [User](../user-group/user.md#object-attributes)

-        :::warning
+        :::caution
        When a policy is executed in the context of a flow, this will be set to the user initiaing request, and will only be changed by a `user_login` stage. For that reason, using this value in authentication flow policies may not return the expected user. Use `context['pending_user']` instead; User Identification and other stages update this value during flow execution.

        If the user is not authenticated, this will be set to a user called _AnonymousUser_, which is an instance of [authentik.core.models.User](https://docs.djangoproject.com/en/4.1/ref/contrib/auth/#django.contrib.auth.models.User) (authentik uses django-guardian for per-object permissions, [see](https://django-guardian.readthedocs.io/en/stable/)).
--- a/website/docs/providers/proxy/header_authentication.md
+++ b/website/docs/providers/proxy/header_authentication.md
@ -0,0 +1,50 @@
+---
+title: Header authentication
+---
+
+### Send HTTP Basic authentication
+
+Proxy providers have the option to _Send HTTP-Basic Authentication_ to the upstream authentication. When the option in the provider is enabled, two attributes must be specified. These attributes are the keys of values which can be saved on a user or group level that contain the credentials.
+
+For example, with _HTTP-Basic Username Key_ set to `app_username` and _HTTP-Basic Password Key_ set to `app_password`, these attributes would have to be set either on a user or a group the user is member of:
+
+```yaml
+app_username: admin
+app_password: admin-password
+```
+
+These credentials are only retrieved when the user authenticates to the proxy.
+
+If the user does not have a matching attribute, authentik falls back to using the user's email address as username, and the password will be empty if not found.
+
+### Receiving HTTP Basic authentication
+
+:::info
+Requires authentik 2023.1
+:::
+
+Proxy providers can receive HTTP basic authentication credentials. The password is expected to be an _App password_, as the credentials are used internally with the [OAuth2 machine-to-machine authentication flow](../oauth2/client_credentials.md).
+
+Access control is done with the policies bound to the application being accessed.
+
+If the received credentials are invalid, a normal authentication flow is initiated. If the credentials are correct, the Authorization header is removed to prevent sending the credentials to the proxied application.
+
+:::danger
+It is **strongly** recommended that the client sending requests with HTTP-Basic authentication persists the cookies returned by the outpost. If this is not the case, every request must be authenticated independently, which will increase load on the authentik server and encounter a performance hit.
+:::
+
+### Receiving HTTP Bearer authentication
+
+:::info
+Requires authentik 2023.1
+:::
+
+Proxy providers can receive HTTP bearer authentication credentials. The token is expected to be a JWT token issued for the proxy provider. This is described [here](../oauth2/client_credentials.md), using the _client_id_ value shown in the admin interface. Both static and JWT authentication methods are supported.
+
+Access control is done with the policies bound to the application being accessed.
+
+If the received credentials are invalid, a normal authentication flow is initiated. If the credentials are correct, the Authorization header is removed to prevent sending the credentials to the proxied application.
+
+:::caution
+It is recommended that the client sending requests with HTTP-Bearer authentication persists the cookies returned by the outpost. For bearer authentication this has a smaller impact than for Basic authentication, but each request is still verified with the authentik server.
+:::
--- a/website/docs/providers/proxy/index.md
+++ b/website/docs/providers/proxy/index.md
@ -24,9 +24,12 @@ The proxy outpost sets the following user-specific headers:

    The hashed identifier of the currently logged in user.

-Additionally, you can set `additionalHeaders` on groups or users to set additional headers.
+Additionally, you can set `additionalHeaders` attribute on groups or users to set additional headers:

-If you enable _Set HTTP-Basic Authentication_ option, the HTTP Authorization header is being set.
+```yaml
+additionalHeaders:
+    X-test-header: test-value
+```

 Besides these user-specific headers, some application specific headers are also set:

--- a/website/integrations/services/home-assistant/index.md
+++ b/website/integrations/services/home-assistant/index.md
@ -12,7 +12,7 @@ From https://www.home-assistant.io/
 Open source home automation that puts local control and privacy first. Powered by a worldwide community of tinkerers and DIY enthusiasts. Perfect to run on a Raspberry Pi or a local server.
 :::

-:::warning
+:::caution
 You might run into CSRF errors, this is caused by a technology Home-assistant uses and not authentik, see [this GitHub issue](https://github.com/goauthentik/authentik/issues/884#issuecomment-851542477).
 :::

--- a/website/integrations/services/jellyfin/index.md
+++ b/website/integrations/services/jellyfin/index.md
@ -20,7 +20,7 @@ Jellyfin does not have any native external authentication support as of the writ
 Currently there are two plugins for Jelyfin that provide external authenticaion, an OIDC plugin and an LDAP plugin. This guide focuses on the use of the LDAP plugin.
 :::

-:::warning
+:::caution
 An LDAP outpost must be deployed to use the Jellyfin LDAP plugin
 :::

--- a/website/integrations/services/nextcloud/index.md
+++ b/website/integrations/services/nextcloud/index.md
@ -12,11 +12,11 @@ From https://en.wikipedia.org/wiki/Nextcloud
 Nextcloud is a suite of client-server software for creating and using file hosting services. Nextcloud is free and open-source, which means that anyone is allowed to install and operate it on their own private server devices.
 :::

-:::warning
+:::caution
 This setup only works, when Nextcloud is running with HTTPS enabled. See [here](https://docs.nextcloud.com/server/stable/admin_manual/configuration_server/reverse_proxy_configuration.html?highlight=overwriteprotocol#overwrite-parameters) on how to configure this.
 :::

-:::warning
+:::info
 In case something goes wrong with the configuration, you can use the URL `http://nextcloud.company/login?direct=1` to log in using the built-in authentication.
 :::

--- a/website/integrations/services/node-red/index.md
+++ b/website/integrations/services/node-red/index.md
@ -14,7 +14,7 @@ Node-RED is a programming tool for wiring together hardware devices, APIs and on
 It provides a browser-based editor that makes it easy to wire together flows using the wide range of nodes in the palette that can be deployed to its runtime in a single-click.
 :::

-:::warning
+:::caution
 This requires modification of the Node-RED settings.js and installing additional Passport-js packages, see [Securing Node-RED](https://nodered.org/docs/user-guide/runtime/securing-node-red#oauthopenid-based-authentication) documentation for further details.
 :::

--- a/website/integrations/services/paperless-ng/index.md
+++ b/website/integrations/services/paperless-ng/index.md
@ -12,7 +12,7 @@ Modified from https://github.com/jonaswinkler/paperless-ng
 Paperless-ng is an application that indexes your scanned documents and allows you to easily search for documents and store metadata alongside your documents. It was a fork from the original Paperless that is no longer maintained.
 :::

-:::warning
+:::caution
 This setup uses HTTP headers to log you in simply by providing your username as a header. Your authentik username and Paperless username MUST match. If you intend for this to be accessed externally, this requires careful setup of your reverse proxy server to not forward these headers from other sources.

 The author of Paperless-ng recommends you do not expose Paperless outside your network, as it was not designed for that. Instead, they "recommend that if you do want to use it, run it locally on a server in your own home."
--- a/website/integrations/services/pfsense/index.md
+++ b/website/integrations/services/pfsense/index.md
@ -59,7 +59,7 @@ In authentik, create an outpost (under _Applications/Outposts_) of type `LDAP` t

 ## pfSense unsecure setup (without SSL)

-:::warning
+:::caution
 This setup should only be used for testing purpose, because passwords will be sent in clear text to authentik.
 :::

--- a/website/integrations/services/proxmox-ve/index.md
+++ b/website/integrations/services/proxmox-ve/index.md
@ -12,7 +12,7 @@ From https://pve.proxmox.com/wiki/Main_Page
 Proxmox Virtual Environment is an open source server virtualization management solution based on QEMU/KVM and LXC. You can manage virtual machines, containers, highly available clusters, storage and networks with an integrated, easy-to-use web interface or via CLI. Proxmox VE code is licensed under the GNU Affero General Public License, version 3. The project is developed and maintained by Proxmox Server Solutions GmbH.
 :::

-:::warning
+:::caution
 This requires Proxmox VE 7.0 or newer.
 :::

--- a/website/integrations/services/qnap-nas/index.md
+++ b/website/integrations/services/qnap-nas/index.md
@ -38,7 +38,7 @@ Create a new service account for all of your hosts to use to connect
 to LDAP and perform searches. Make sure this service account is added
 to `ldap.searchGroup`.

-:::warning
+:::caution
 It seems that QNAP LDAP client configuration has issues with too long password.
 Max password length <= 66 characters.
 :::
@ -111,7 +111,7 @@ Attributes:
 Configure the following values and "Apply"
 ![qnap domain security](./qnap-ldap-configuration.png)

-:::warning
+:::caution
 With each save (Apply) in the UI the `/etc/config/nss_ldap.conf` will be overwritten with default values.
 :::

--- a/website/integrations/services/snipe-it/index.md
+++ b/website/integrations/services/snipe-it/index.md
@ -11,11 +11,11 @@ From https://snipeitapp.com
 A free open source IT asset/license management system.
 :::

-:::warning
+:::caution
 This setup assumes you will be using HTTPS as Snipe-It dynamically generates the ACS and other settings based on the complete URL.
 :::

-:::warning
+:::caution
 In case something goes wrong with the configuration, you can use the URL `http://inventory.company/login?nosaml` to log in using the
 built-in authentication.
 :::
--- a/website/integrations/services/truecommand/index.md
+++ b/website/integrations/services/truecommand/index.md
@ -14,7 +14,7 @@ e uptime and future planning. TrueCommand also identifies and pinpoints errors o
 me when resolving issues.
 :::

-:::warning
+:::caution
 This setup assumes you will be using HTTPS as TrueCommand generates ACS and Redirect URLs based on the complete URL.
 :::

--- a/website/integrations/services/ubuntu-landscape/index.md
+++ b/website/integrations/services/ubuntu-landscape/index.md
@ -12,7 +12,7 @@ From https://en.wikipedia.org/wiki/Landscape_(software)
 Landscape is a systems management tool developed by Canonical. It can be run on-premises or in the cloud depending on the needs of the user. It is primarily designed for use with Ubuntu derivatives such as Desktop, Server, and Core.
 :::

-:::warning
+:::caution
 This requires authentik 0.10.3 or newer.
 :::

--- a/website/integrations/services/vmware-vcenter/index.md
+++ b/website/integrations/services/vmware-vcenter/index.md
@ -12,11 +12,11 @@ From https://en.wikipedia.org/wiki/VCenter
 vCenter Server is the centralized management utility for VMware, and is used to manage virtual machines, multiple ESXi hosts, and all dependent components from a single centralized location. VMware vMotion and svMotion require the use of vCenter and ESXi hosts.
 :::

-:::warning
+:::caution
 This requires authentik 0.10.3 or newer.
 :::

-:::warning
+:::caution
 This requires VMware vCenter 7.0.0 or newer.
 :::

@ -68,7 +68,7 @@ Create an application which uses this provider. Optionally apply access restrict

 Set the Launch URL to `https://vcenter.company/ui/login/oauth2`. This will skip vCenter's User Prompt and directly log you in.

-:::warning
+:::caution
 This Launch URL only works for vCenter < 7.0u2. If you're running 7.0u2 or later, set the launch URL to `https://vcenter.company/ui/login`
 :::

--- a/website/integrations/sources/apple/index.md
+++ b/website/integrations/sources/apple/index.md
@ -8,11 +8,11 @@ Allows users to authenticate using their Apple ID.

 ## Preparation

-:::warning
+:::caution
 An Apple developer account is required.
 :::

-:::warning
+:::caution
 Apple mandates the use of a [registered TLD](https://en.wikipedia.org/wiki/List_of_Internet_top-level_domains), as such this source will not work with .local and other non-public TLDs.
 :::

--- a/website/sidebars.js
+++ b/website/sidebars.js
@ -64,6 +64,7 @@ module.exports = {
                    },
                    items: [
                        "providers/proxy/custom_headers",
+                        "providers/proxy/header_authentication",
                        "providers/proxy/forward_auth",
                    ],
                },