Comments (10)
I am also looking for exactly this and am actually considering switching to a different solution if it doesn't exist.
The OP's feature request wasn't a no. If some additional context is given that would help identify the feature expected, I'd be willing to spend some time getting something like this to work. Additionally, there have been multiple ideas discussed here.
The specific concern I have is how a request like this should actually be authorized: is it based only on the criteria of the endpoint itself, or is it expected that the ACL also be taken into account? I feel like there is a lot of room here for misconfiguration and misunderstandings. If you'd like, you can reply here or chat on our Matrix server/Discord server if that's easier.
The most logical approach I can see without making it hard to maintain is:
- A new endpoint is created called `/api/verify/advanced` or `/api/verify/custom`.
- The endpoint by default uses the `default_policy` unless it's `deny`, in which case it uses `two_factor`.
- The endpoint accepts multiple query arguments:
  - Action Arguments:
    - policy: optional, specifies a policy to override the `default_policy`, must be `one_factor` or `two_factor`.
  - Criteria Arguments (each item in the list must match, logical AND):
    - domain: required, specifies the domain the request is for, similar to the domains endpoint.
    - users/groups: optional, specifies a comma delimited list of user and group names that are authorized, performed as a logical OR (i.e. `users=john&groups=admin,dev` would allow either `john` OR anyone who's a member of `admin` or `dev`).
    - networks: a list of NAMED access control networks that are allowed (least important and most likely the one to be difficult to implement).
- The endpoint will not be compatible with the `subject` (other than what is specified above), `methods` or `resources` rule.
- The endpoint will not take into account any other access control rule.
from authelia.
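The decision logic sketched in the comment above, written out as an added example (this is not Authelia's code and not the proposed endpoint's implementation). The query parameter names, policy names and AND/OR semantics come from the list; the `Session` type, its `Level` numbering and the `(policy, ok, err)` return shape are assumptions made for the example.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// Session is the subject behind the forwarded request (constructed for this example).
type Session struct {
	Username string
	Groups   []string
	Level    int // 0 = anonymous, 1 = one_factor completed, 2 = two_factor completed
}

// names turns a comma delimited query value into a set, dropping blanks.
func names(v string) map[string]bool {
	set := map[string]bool{}
	for _, s := range strings.FieldsFunc(v, func(r rune) bool { return r == ',' || r == ' ' }) {
		set[s] = true
	}
	return set
}

// Evaluate applies the proposed rules to a parsed query: default_policy applies unless it is deny
// (then two_factor); policy= may override with one_factor or two_factor only; domain= is required;
// users= and groups= are OR'ed with each other and AND'ed with the rest. Named networks are left out.
func Evaluate(defaultPolicy string, q url.Values, sess Session) (policy string, ok bool, err error) {
	if policy = defaultPolicy; policy == "deny" {
		policy = "two_factor"
	}
	if p := q.Get("policy"); p != "" && p != "one_factor" && p != "two_factor" {
		return "", false, fmt.Errorf("policy must be one_factor or two_factor, got %q", p)
	} else if p != "" {
		policy = p
	}
	if q.Get("domain") == "" {
		return "", false, fmt.Errorf("domain is required")
	}
	// two_factor, and any unrecognised policy, needs both factors (fail closed); one_factor needs one.
	if sess.Level < 2 && (policy != "one_factor" || sess.Level < 1) {
		return policy, false, nil
	}
	users, groups := names(q.Get("users")), names(q.Get("groups"))
	match := len(users)+len(groups) == 0 || users[sess.Username] // no subject criteria: anyone passes
	for _, g := range sess.Groups {
		match = match || groups[g]
	}
	return policy, match, nil // listed user OR member of a listed group
}
```

An invalid request (missing domain, or a policy override other than one_factor/two_factor) is reported as an error so the proxy can fail closed rather than treat it as a plain "unauthorized".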
Oh, btw, the way Traefik does authentication from version 1.4 (unsupported before 1.4) is that if it is a 2XX error code, it continues, otherwise it returns the authentication server's response, so to get Traefik working with Authelia, an nginx proxy layer has to be running which converts 401 responses to 302 forwards.
Hello @SerialVelocity, I don't get exactly what you are trying to solve here. Is it the fact that the nginx block is not automatically generated for you or any issue while authenticating some user by his/her group?
Btw, Authelia is not meant to be bound to any reverse proxy so it is expected that Authelia's container does not generate the proxy block for nginx in particular and that you should convert the response in each specific proxy (be it nginx, Traefik or any other).
Can you please clarify the title and/or split the ticket for treating the issues separately?
Thank you very much for the feedback btw. I'd be glad to know if you already use Authelia in any way?
So, it would be nice to have an endpoint like `/verify-group` that just checks you are part of the specified group. This then allows the reverse proxy to handle which services are accessible to which groups rather than having to modify and bounce Authelia. (Maybe `/verify-user` would also be good if I want a service to only be accessible by one user.)
Main use-case: Without Authelia, all of my routing config lives in the service configuration. For instance, to add things to my NGINX front-door, I add `virtual.host` and `virtual.port` tags (see here). To add things to my traefik "middle-door", I add `traefik.enable`, `traefik.port`, and `traefik.frontend.rule` tags (see here). It would be nice if I could add another tag (something like `virtual.auth.group`) which I could automatically convert into an nginx "auth" block (using docker-gen, I don't expect Authelia to handle the configuration generation).
Hope this makes it clearer.
You can ignore the second post, I already created a ticket about that :)
Hello @SerialVelocity, I agree that defining specific endpoints for that matter would allow you to handle the access control at the level of the proxy, but unfortunately it does not prevent you from changing Authelia's config anyway, since Authelia needs at least the global domain to create correct session cookies. Isn't it a problem for you?
Things like the global domain are unlikely to change and therefore are fine to set in config. Variables like that are usually thought about as constants.
Containers change more often. The main use-case is to centralise the subdomain configuration so when adding a new subdomain you don't need to change NGINX, DNS, auth, etc.
Another way of putting this is: things you define once for Authelia (like the global domain) are fine. Things that you define once per subdomain/path are the issue.
An alternative way of doing this, is to add support for backends. For instance, traefik supports many backends ranging from file to Kubernetes or Rancher. That is a huge investment though so probably not worth it.
I see your point. I will implement a new endpoint where one could combine parameters 'users' and 'groups' in the query.
With nginx, it would give you the same level of granularity for access control as the new embedded per-resource mechanism I merged yesterday (not true for Traefik since the forwarded auth request is a global config applying to all the frontends). So I guess after the new endpoint is implemented, one could go one way or the other simply depending on the use case.
Was this ever implemented? oauth2_proxy deals with that in a very nice way: you just append `?allowed_groups=admin` to the /auth endpoint, basically the same as OP said.