trustchain-oc1-orchestral
/
authentik
Archived
10
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

providers/proxy: add token support for basic auth 

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
This commit is contained in:
Jens Langhammer 2023-02-07 22:50:49 +01:00
parent 555b33c252
commit 3170b2f92c
No known key found for this signature in database
4 changed files with 12 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
internal/outpost/proxyv2/application/auth.go
View File

@ -28,7 +28,7 @@ func (a *Application) checkAuth(rw http.ResponseWriter, r *http.Request) (*Claim
bearer := a.checkAuthHeaderBearer(r)
if bearer != "" {
a.log.Trace("checking bearer token")
tc := a.attemptBearerAuth(r, bearer)
tc := a.attemptBearerAuth(bearer)
if tc != nil {
return a.saveAndCacheClaims(rw, r, tc.Claims)
}

8
internal/outpost/proxyv2/application/auth_basic.go
View File

@ -14,7 +14,15 @@ type TokenResponse struct {
IDToken string `json:"id_token"`
}
const JWTUsername = "goauthentik.io/token"
func (a *Application) attemptBasicAuth(username, password string) *Claims {
if username == JWTUsername {
res := a.attemptBearerAuth(password)
if res != nil {
return &res.Claims
}
}
values := url.Values{
"grant_type": []string{"client_credentials"},
"client_id": []string{a.oauthConfig.ClientID},

2
internal/outpost/proxyv2/application/auth_bearer.go
View File

@ -27,7 +27,7 @@ type TokenIntrospectionResponse struct {
ClientID string `json:"client_id"`
}
func (a *Application) attemptBearerAuth(r *http.Request, token string) *TokenIntrospectionResponse {
func (a *Application) attemptBearerAuth(token string) *TokenIntrospectionResponse {
values := url.Values{
"client_id": []string{a.oauthConfig.ClientID},
"client_secret": []string{a.oauthConfig.ClientSecret},

2
website/docs/providers/proxy/header_authentication.md
View File

@ -41,6 +41,8 @@ If the received credentials are invalid, a normal authentication flow is initiat
It is **strongly** recommended that the client sending requests with HTTP-Basic authentication persists the cookies returned by the outpost. If this is not the case, every request must be authenticated independently, which will increase load on the authentik server and encounter a performance hit.
:::
Starting with authentik 2023.2, logging in with the reserved username `goauthentik.io/token` will behave as if a bearer token was used. All the same options as below apply. This is to allow token-based authentication for applications which might only support basic authentication.
### Receiving HTTP Bearer authentication
:::info