outposts: set cookies for a domain to authenticate an entire domain (#971)

* outposts: initial cookie domain implementation

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* web/admin: add cookie domain setting

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* providers/proxy: replace forward_auth_mode with general mode

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* web/admin: rebuild proxy provider form

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* providers/proxy: re-add forward_auth_mode for backwards compat

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* web/admin: fix data.mode not being set

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* root: always set log level to debug when testing

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* providers/proxy: use new mode attribute

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* providers/proxy: only ingress /akprox on forward_domain

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* providers/proxy: fix lint error

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* web/admin: fix error on ProxyProviderForm when not using proxy mode

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* web/admin: fix default for outpost form's type missing

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* web/admin: add additional desc for proxy modes

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* outposts: fix service account permissions not always being updated

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* outpost/proxy: fix redirecting to incorrect host for domain mode

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* web: improve error handling for network errors

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* outpost: fix image naming not matching main imaeg

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* outposts/proxy: fix redirects for domain mode and traefik

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* web: fix colour for paragraphs

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* web/flows: fix consent stage not showing permissions correctly

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* website/docs: add domain-level docs

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* website/docs: fix broken links

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* outposts/proxy: remove dead code

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* web/flows: fix missing id for #header-text

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

website/docs/outposts/ldap/ldap.md

@@ -31,24 +31,24 @@ ldapsearch \
 
 The following fields are currently sent for users:
 
-- cn: User's username
-- uid: Unique user identifier
-- name: User's name
-- displayName: User's name
-- mail: User's email address
-- objectClass: A list of these strings:
+- `cn`: User's username
+- `uid`: Unique user identifier
+- `name`: User's name
+- `displayName`: User's name
+- `mail`: User's email address
+- `objectClass`: A list of these strings:
   - "user"
   - "organizationalPerson"
   - "goauthentik.io/ldap/user"
-- accountStatus: "active" if the account is active, otherwise "inactive"
-- superuser: "active" if the account is part of a group with superuser permissions, otherwise "inactive"
-- memberOf: A list of all DNs that the user is a member of
+- `accountStatus`: "active" if the account is active, otherwise "inactive"
+- `superuser`: "active" if the account is part of a group with superuser permissions, otherwise "inactive"
+- `memberOf`: A list of all DNs that the user is a member of
 
 The following fields are current set for groups:
 
-- cn: The group's name
-- uid: Unique group identifier
-- objectClass: A list of these strings:
+- `cn`: The group's name
+- `uid`: Unique group identifier
+- `objectClass`: A list of these strings:
   - "group"
   - "goauthentik.io/ldap/group"
 

website/docs/outposts/proxy/forward_auth.mdx

@@ -1,31 +1,36 @@
 ---
-title: Proxy Outpost
+title: Forward auth
 ---
 
-The proxy outpost sets the following headers:
+Using forward auth uses your existing reverse proxy to do the proxying, and only uses the
+authentik outpost to check authentication and authoirzation.
 
-```
-X-Auth-Username: akadmin # The username of the currently logged in user
-X-Forwarded-Email: root@localhost # The email address of the currently logged in user
-X-Forwarded-Preferred-Username: akadmin  # The username of the currently logged in user
-X-Forwarded-User: 900347b8a29876b45ca6f75722635ecfedf0e931c6022e3a29a8aa13fb5516fb # The hashed identifier of the currently logged in user.
-```
+To use forward auth instead of proxying, you have to change a couple of settings.
+In the Proxy Provider, make sure to use one of the Forward auth modes.
 
-Additionally, you can set `additionalHeaders` on groups or users to set additional headers.
+## Single application
 
-If you enable *Set HTTP-Basic Authentication* option, the HTTP Authorization header is being set.
+Single application mode works for a single application hosted on its dedicated subdomain. This
+has the advantage that you can still do per-application access policies in authentik.
 
-# HTTPS
+## Domain level
 
-The outpost listens on both 4180 for HTTP and 4443 for HTTPS.
+To use forward auth instead of proxying, you have to change a couple of settings.
+In the Proxy Provider, make sure to use the *Forward auth (domain level)* mode.
 
-:::warning
-If your upstream host is HTTPS, and you're not using forward auth, you need to access the outpost over HTTPS too.
-:::
+This mode differs from the *Forward auth (single application)* mode in the following points:
+- You don't have to configure an application in authentik for each domain
+- Users don't have to authorize multiple times
 
-# Forward auth
+There are however also some downsides, mainly the fact that you **can't** restrict individual
+applications to different users.
 
-To use forward auth instead of proxying, you have to change a couple of settings. In the Proxy Provider, make sure to enable `Enable forward-auth mode` on the provider.
+The only configuration difference between single application and domain level is the host you specify.
+
+For single application, you'd use the domain which the application is running on, and only /akprox
+is redirect to the outpost.
+
+For domain level, you'd use the same domain as authentik.
 
 ## Nginx
 
@@ -42,8 +47,8 @@ import TabItem from '@theme/TabItem';
 
 ```
     location /akprox {
-        proxy_pass http://*ip of your outpost*:4180;
-        error_page 401 = @akprox_signin;
+        proxy_pass          http://*ip of your outpost*:4180;
+        error_page          401 = @akprox_signin;
         proxy_set_header    X-Forwarded-Host $http_host;
         auth_request_set    $auth_cookie $upstream_http_set_cookie;
         add_header          Set-Cookie $auth_cookie;

website/docs/outposts/proxy/proxy.md

@@ -0,0 +1,24 @@
+---
+title: Proxy Outpost
+---
+
+The proxy outpost sets the following headers:
+
+```
+X-Auth-Username: akadmin # The username of the currently logged in user
+X-Forwarded-Email: root@localhost # The email address of the currently logged in user
+X-Forwarded-Preferred-Username: akadmin  # The username of the currently logged in user
+X-Forwarded-User: 900347b8a29876b45ca6f75722635ecfedf0e931c6022e3a29a8aa13fb5516fb # The hashed identifier of the currently logged in user.
+```
+
+Additionally, you can set `additionalHeaders` on groups or users to set additional headers.
+
+If you enable *Set HTTP-Basic Authentication* option, the HTTP Authorization header is being set.
+
+# HTTPS
+
+The outpost listens on both 4180 for HTTP and 4443 for HTTPS.
+
+:::info
+If your upstream host is HTTPS, and you're not using forward auth, you need to access the outpost over HTTPS too.
+:::