Comments (5)
Keen to understand your thinking here: wouldn't a separate middleware for each service be much more overhead to manage than ACLs?
Maybe I'm misunderstanding, but I don't see why an ACL with a subject limited to groups wouldn't satisfy this requirement?
from authelia.
Well, first, maybe some context: I am a mere self-hosted addict. As such I don't expect that many groups. But it is also the place where you have to define them. What I find so amazing about working with authelia and docker-traefik is the ability to add middleware, domain and everything from a single (in my case docker compose) file. On these I already have middleware for authelia set. Let's say I host around 35 different services, of which I would want to keep 30 to myself but set some others open for, say, friends or otherwise. The only thing I would need to do is inline the group dependency all together, or create one more default middleware and assign it to those containers. If I were to do it with the ACLs I'd have to keep track of all the domains (and should they grow in groups or public domains) and I would have to double-manage those in different configs. This is also the reason why I went away from nginx and caddy. They were all great, but the best part with traefik is, once again, no additional configs aside from the base.
I'd be happy to answer further questions.
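The ACL approach the first comment points to (subjects limited to groups in Authelia's access_control, with one shared Traefik forward-auth middleware applied to every container), written out as an added example that is not from the thread; the hostnames, group names and the `friends-app` service are assumed.

```yaml
# Added example (not from the thread). Authelia configuration.yml fragment:
# which users may reach each host is decided here, in one place, by group.
# Hostnames under example.com, the group names and the container names are assumed.
access_control:
  default_policy: deny            # anything not matched by a rule below is refused
  rules:
    # A service set open to everyone who can log in
    - domain: 'public.example.com'
      policy: one_factor
    # A service shared with friends: members of group friends OR group admins,
    # after two factors (each inner list is AND, the outer list is OR)
    - domain: 'friends.example.com'
      policy: two_factor
      subject:
        - ['group:friends']
        - ['group:admins']
    # Everything else under the domain stays private to the admin group
    - domain: '*.example.com'
      policy: two_factor
      subject:
        - ['group:admins']
---
# docker-compose.yml fragment: every service carries the same middleware, so no
# per-service group list has to be kept in sync with the rules above.
services:
  authelia:
    image: authelia/authelia
    labels:
      - 'traefik.enable=true'
      - 'traefik.http.middlewares.authelia.forwardauth.address=http://authelia:9091/api/authz/forward-auth'
      - 'traefik.http.middlewares.authelia.forwardauth.trustForwardHeader=true'
      - 'traefik.http.middlewares.authelia.forwardauth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Name,Remote-Email'
  friends-app:
    image: example/friends-app    # assumed service
    labels:
      - 'traefik.enable=true'
      - 'traefik.http.routers.friends-app.rule=Host(`friends.example.com`)'
      - 'traefik.http.routers.friends-app.middlewares=authelia@docker'
```

Moving a service from private to shared is then a change to one rule's subject list; the container labels stay untouched.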
I'd planned on commenting on this. I have a few apprehensions, and unfortunately I don't feel like they are small hurdles. The specific ones I can recall right now are:
- Disconnect between ACLs and the Middleware:
- How would someone manage the disconnect between ACLs and the parameters?
- How are we going to avoid users not understanding how it works?
- Couldn't users theoretically specify ACLs that match the request that also include a username/group criteria and wouldn't this lead to fairly confusing outcomes when specified at the same time?
- How would we implement this in a way that will be compatible with the Traefik Forward Auth middleware, but that will also prevent a well-crafted request from adjusting the auth requirements on the Envoy ExtAuthz filter, considering it just appends the entire path to the request? While we're adding implementation-specific configurations, I think this is quite a divergent feature.
1.1. I think the ACL should always have priority over what comes in through the middleware.
1.2. We can just side-document it; it's not like this should be the way or anything, but for those that need/want to do it this way I don't find it weird. If you want to promote ACLs then by all means keep doing that!
1.3. If the request is in the ACL, always use the ACL. You could think of merging them, but that just adds difficulty...
2. To be fair, I have never used Envoy nor was I familiar with it. We could imagine making this new behavior disabled by default and let people enable it only when they want to and know that it is compatible with their network infrastructure.
With the release of 4.38, the team has been discussing this feature request again.
We're relatively confident that safely implementing this feature across the different applications of Authelia is non-trivial and doesn't provide an overly large benefit to a user/administrator.
As such we are going to convert this to a discussion so users can vote to see if our views are aligned with those of our userbase. If someone wants to pick up and attempt to design this, we welcome you to do so, but it would be worthwhile having some open dialogue with the team to find a potential way forward.