
Comments (5)

nightah avatar nightah commented on June 5, 2024

Keen to understand your thinking here; wouldn't a separate middleware for each service be much more overhead to manage than ACLs?

Maybe I'm misunderstanding but I don't see why an ACL with a subject limited to groups wouldn't satisfy this requirement?

from authelia.

FrozenSource avatar FrozenSource commented on June 5, 2024

Well, first maybe the context: I am a mere self-hosted addict. As such I don't expect that many groups. But it is also the place where you have to define them. What I find so amazing about working with authelia and docker-traefik is the ability to add middleware, domain and everything from a single (in my case docker compose) file. On these I already have the middleware for authelia set. Let's say I host around 35 different services, of which I would want to keep 30 to myself but open some others up for, say, friends or otherwise. The only thing I would need to do is inline the group dependency all together, or create one more default middleware and assign it to those containers. If I were to do it with the ACLs I'd have to keep track of all the domains (and should they grow in groups or public domains) and double-manage those in different configs. This is also the reason why I went away from nginx and caddy. They were all great, but the best part with traefik is, once again, no additional configs aside from the base.

I’d be happy to answer further questions.

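For comparison, here is the scenario FrozenSource describes (most services private, a handful shared with friends) expressed the way nightah suggests, with the group restriction in Authelia's ACL rather than in per-service Traefik middleware. This is an added example, not configuration from the thread or from the Authelia project; the domain names, image names, group names and the `authelia@docker` middleware name are assumptions. Note that it does require keeping the domain list in the Authelia config in sync with the router labels in compose, which is the double management FrozenSource objects to.

```yaml
# --- Authelia configuration (configuration.yml), assumed example values ---
access_control:
  # Deny anything no rule matches; rules are evaluated top-down, first match wins.
  default_policy: deny
  rules:
    # Services shared with the "friends" group: listed explicitly so they
    # match before the catch-all below.
    - domain:
        - "photos.example.com"
        - "media.example.com"
      policy: two_factor
      subject:
        - "group:friends"
        - "group:admins"
    # Every other subdomain behind Authelia: admins only.
    - domain: "*.example.com"
      policy: two_factor
      subject:
        - "group:admins"

# --- docker compose (compose.yml), assumed example values ---
# One forwardAuth middleware is shared by every router; the 4.38 forward-auth
# endpoint is used here, and the who-may-access decision is made by the ACL above.
services:
  authelia:
    image: authelia/authelia
    labels:
      - "traefik.http.middlewares.authelia.forwardauth.address=http://authelia:9091/api/authz/forward-auth"
      - "traefik.http.middlewares.authelia.forwardauth.trustForwardHeader=true"
      - "traefik.http.middlewares.authelia.forwardauth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Name,Remote-Email"

  photos:
    image: example/photos   # placeholder image name
    labels:
      - "traefik.http.routers.photos.rule=Host(`photos.example.com`)"
      - "traefik.http.routers.photos.middlewares=authelia@docker"

  grafana:
    image: example/grafana  # placeholder image name
    labels:
      - "traefik.http.routers.grafana.rule=Host(`grafana.example.com`)"
      - "traefik.http.routers.grafana.middlewares=authelia@docker"
```

Because the router label never mentions a group, a service that is accidentally labelled without the `*.example.com` domain in the ACL simply falls through to `default_policy: deny` rather than being exposed.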

james-d-elliott avatar james-d-elliott commented on June 5, 2024

I'd planned on commenting on this. I have a few apprehensions, and unfortunately I don't feel like they are small hurdles. The specific ones I can recall right now are:

  1. Disconnect between ACLs and the Middleware:
    1. How would someone manage the disconnect between ACLs and the parameters?
    2. How are we going to avoid users not understanding how it works?
    3. Couldn't users theoretically specify ACLs that match the request that also include a username/group criteria and wouldn't this lead to fairly confusing outcomes when specified at the same time?
  2. How would we implement this in a way that will be compatible with the Traefik Forward Auth middleware, but also that will prevent well-crafted requests from adjusting the auth requirements on the Envoy ExtAuthz filter, considering it just appends the entire path to the request? While we're adding implementation-specific configurations, I think this is quite a divergent feature.


FrozenSource avatar FrozenSource commented on June 5, 2024

1.1. I think the ACL should always have priority over what comes in through the middleware.
1.2. We can just side-document it; it's not like this should be the way or anything, but for those that need/want to do it this way I don't find it weird. If you want to promote ACLs then by all means keep doing that!
1.3. If the request is in the ACL, always use the ACL. You can think of merging them, but that just adds difficulty...
2. To be fair, I have never used Envoy, nor was I familiar with it. We could imagine making this new behavior disabled by default and letting people enable it only when they want to and know that it is compatible with their network infrastructure.


nightah avatar nightah commented on June 5, 2024

With the release of 4.38, the team has been discussing this feature request again.

We're relatively confident that safely implementing this feature across the different applications of Authelia is non-trivial and doesn't provide an overly large benefit to a user/administrator.

As such, we are going to convert this to a discussion so users can vote, to see if our views are aligned with those of our userbase. If someone wants to pick this up and attempt to design it, we welcome you to do so, but it would be worthwhile having some open dialogue with the team to find a potential way forward.
