Forward-Auth with Intercept header authentication not behaving like documented #12564

Open
samip5 opened this issue Jan 5, 2025 · 0 comments
Labels
bug Something isn't working

samip5 commented Jan 5, 2025

Describe the bug
It seems that when you have configured single app forward auth to use Intercept header authentication, and the header is either missing or invalid, it just shows a 401.

To Reproduce
Steps to reproduce the behavior:

  1. Create a new single forward auth app
  2. Use ingress-nginx and configure the app to be secured
  3. Try to browse to the app url
  4. See the 401 instead of the normal login page

Expected behavior
I would have expected it to behave like documented, which is: when Intercept header authentication is enabled, authentik will intercept the authorization header. If the authorization header value is invalid, an error response will be shown with a 401 status code. Requests without an authorization header will still be redirected to the standard login flow.

I would have expected it to behave more like Authelia, where it would also show a password prompt if it's asking for basic auth.

Version and Deployment (please complete the following information):

  • authentik version: 2024.12.1
  • Deployment: Helm

Additional context

The ingress manifest used:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: dh
  namespace: networking
  annotations:
    external-dns.alpha.kubernetes.io/target: "<snip>"
    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
    nginx.ingress.kubernetes.io/auth-url: |-
      http://ak-outpost-authentik-embedded-outpost.security.svc.cluster.local:9000/outpost.goauthentik.io/auth/nginx
    nginx.ingress.kubernetes.io/auth-response-headers: |-
      Set-Cookie,X-authentik-username,X-authentik-groups
    nginx.ingress.kubernetes.io/auth-snippet: |
      proxy_set_header X-Forwarded-Host $http_host;
    nginx.ingress.kubernetes.io/server-snippet: |
      proxy_ssl_name <snip>.fi;
      proxy_ssl_server_name on;
spec:
  ingressClassName: external-nginx
  rules:
    - host: "<snip>.fi"
      http:
        paths:
          - pathType: Prefix
            path: "/"
            backend:
              service:
                name: dh
                port:
                  number: 443
  tls:
    - hosts:
        - "<snip>.fi"

samip5 added the bug label on Jan 5, 2025
samip5 changed the title from "Forward-Auth with Basic-Auth not behaving like documented" to "Forward-Auth with Intercept header authentication not behaving like documented" on Jan 5, 2025
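
The documented behaviour quoted in the issue, written as a repeatable check (an added example, not part of the original issue and not authentik's code): `probe` sends one request without following redirects, and `check` compares the result with the two documented cases. The function names, outcome labels and sample observations are constructed for illustration.

```python
"""Added example: check forward-auth responses against the behaviour the issue quotes."""
import urllib.error
import urllib.request

# Documented behaviour as quoted in the issue, keyed by Authorization header state.
DOCUMENTED = {"missing": "redirect", "invalid": "unauthorized"}


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # surface the 3xx to the caller instead of following it


def probe(url, authorization=None, timeout=10):
    """Send one GET and return (status, Location header) without following redirects."""
    req = urllib.request.Request(url)
    if authorization is not None:
        req.add_header("Authorization", authorization)
    try:
        with urllib.request.build_opener(_NoRedirect).open(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:  # urllib raises for 3xx/4xx/5xx here
        return err.code, err.headers.get("Location")


def classify(status, location):
    """Reduce a response to the outcome classes the documentation distinguishes."""
    if status in (301, 302, 303, 307, 308) and location:
        return "redirect"
    if status == 401:
        return "unauthorized"
    if 200 <= status < 300:
        return "allowed"
    return "other"


def check(case, status, location=None):
    """Compare one observed response with the documented outcome for `case`."""
    observed = classify(status, location)
    return {"case": case, "expected": DOCUMENTED[case],
            "observed": observed, "matches_docs": observed == DOCUMENTED[case]}


if __name__ == "__main__":
    # Constructed observations; for a live check use check("missing", *probe(url)).
    samples = [("missing", 401, None),            # what the issue reports
               ("invalid", 401, None),
               ("missing", 302, "https://login.example.invalid/")]
    for case, status, location in samples:
        print(check(case, status, location))
```
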