diff --git a/internal/outpost/proxyv2/application/auth.go b/internal/outpost/proxyv2/application/auth.go
index 66715eed4..a6ab22c75 100644
--- a/internal/outpost/proxyv2/application/auth.go
+++ b/internal/outpost/proxyv2/application/auth.go
@@ -28,7 +28,7 @@ func (a *Application) checkAuth(rw http.ResponseWriter, r *http.Request) (*Claim
 bearer := a.checkAuthHeaderBearer(r)
 if bearer != "" {
 a.log.Trace("checking bearer token")
- tc := a.attemptBearerAuth(r, bearer)
+ tc := a.attemptBearerAuth(bearer)
 if tc != nil {
 return a.saveAndCacheClaims(rw, r, tc.Claims)
 }
diff --git a/internal/outpost/proxyv2/application/auth_basic.go b/internal/outpost/proxyv2/application/auth_basic.go
index 4e9177be8..0381559ae 100644
--- a/internal/outpost/proxyv2/application/auth_basic.go
+++ b/internal/outpost/proxyv2/application/auth_basic.go
@@ -14,7 +14,15 @@ type TokenResponse struct {
 IDToken string `json:"id_token"`
 }
 
+const JWTUsername = "goauthentik.io/token"
+
 func (a *Application) attemptBasicAuth(username, password string) *Claims {
+ if username == JWTUsername { res := a.attemptBearerAuth(password) if res != nil { return &res.Claims } }
 values := url.Values{
 "grant_type": []string{"client_credentials"},
 "client_id": []string{a.oauthConfig.ClientID},
diff --git a/internal/outpost/proxyv2/application/auth_bearer.go b/internal/outpost/proxyv2/application/auth_bearer.go
index 4a9ad8f07..852488752 100644
--- a/internal/outpost/proxyv2/application/auth_bearer.go
+++ b/internal/outpost/proxyv2/application/auth_bearer.go
@@ -27,7 +27,7 @@ type TokenIntrospectionResponse struct {
 ClientID string `json:"client_id"`
 }
 
-func (a *Application) attemptBearerAuth(r *http.Request, token string) *TokenIntrospectionResponse {
+func (a *Application) attemptBearerAuth(token string) *TokenIntrospectionResponse {
 values := url.Values{
 "client_id": []string{a.oauthConfig.ClientID},
 "client_secret": []string{a.oauthConfig.ClientSecret},
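Review bot: In the auth_basic.go hunk, when the reserved username `JWTUsername` is presented but `attemptBearerAuth(password)` returns nil, the new `if` block falls through into the client_credentials grant that follows, so a token that introspection just rejected is presumably handed to the token endpoint again as the password of user `goauthentik.io/token`, and a second, unrelated credential path is tried with the same secret. The documentation added in the same commit says the reserved username "will behave as if a bearer token was used", which argues for short-circuiting instead: replace the inner check with `if res == nil { return nil }` followed by `return &res.Claims`, which also removes the extra round trip on every failed token. `JWTUsername` is exported without a doc comment; suggest `// JWTUsername is the reserved HTTP-Basic username; when it is supplied, the password is treated as a bearer token.` The body of attemptBasicAuth continues past the end of the hunk, so where username and password are consumed below is not visible here.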
diff --git a/website/docs/providers/proxy/header_authentication.md b/website/docs/providers/proxy/header_authentication.md
index a093c8694..e7069b029 100644
--- a/website/docs/providers/proxy/header_authentication.md
+++ b/website/docs/providers/proxy/header_authentication.md
@@ -41,6 +41,8 @@ If the received credentials are invalid, a normal authentication flow is initiat
 It is **strongly** recommended that the client sending requests with HTTP-Basic authentication persists the cookies returned by the outpost. If this is not the case, every request must be authenticated independently, which will increase load on the authentik server and encounter a performance hit.
 :::
 
+Starting with authentik 2023.2, logging in with the reserved username `goauthentik.io/token` will behave as if a bearer token was used. All the same options as below apply. This is to allow token-based authentication for applications which might only support basic authentication.
+
 ### Receiving HTTP Bearer authentication
 
 :::info