diff --git a/authentik/providers/proxy/controllers/k8s/traefik.py b/authentik/providers/proxy/controllers/k8s/traefik.py
index f453a2e5b..8f3cb816a 100644
--- a/authentik/providers/proxy/controllers/k8s/traefik.py
+++ b/authentik/providers/proxy/controllers/k8s/traefik.py
@@ -109,11 +109,18 @@ class TraefikMiddlewareReconciler(KubernetesObjectReconciler[TraefikMiddleware])
 address=f"http://{self.name}.{self.namespace}:9000/akprox/auth/traefik",
 authResponseHeaders=[
 "Set-Cookie",
+ # Legacy headers, remove after 2022.1
 "X-Auth-Username",
 "X-Auth-Groups",
 "X-Forwarded-Email",
 "X-Forwarded-Preferred-Username",
 "X-Forwarded-User",
+ # New headers, unique prefix
+ "X-authentik-username",
+ "X-authentik-groups",
+ "X-authentik-email",
+ "X-authentik-name",
+ "X-authentik-uid",
 ],
 trustForwardHeader=True,
 )
diff --git a/internal/outpost/proxyv2/application/mode_common.go b/internal/outpost/proxyv2/application/mode_common.go
index 64d244201..b49438e20 100644
--- a/internal/outpost/proxyv2/application/mode_common.go
+++ b/internal/outpost/proxyv2/application/mode_common.go
@@ -9,12 +9,21 @@ import (
 func (a *Application) addHeaders(r *http.Request, c *Claims) {
 // https://goauthentik.io/docs/providers/proxy/proxy
+
+ // Legacy headers, remove after 2022.1
 r.Header.Set("X-Auth-Username", c.PreferredUsername)
 r.Header.Set("X-Auth-Groups", strings.Join(c.Groups, "|"))
 r.Header.Set("X-Forwarded-Email", c.Email)
 r.Header.Set("X-Forwarded-Preferred-Username", c.PreferredUsername)
 r.Header.Set("X-Forwarded-User", c.Sub)
+ // New headers, unique prefix
+ r.Header.Set("X-authentik-username", c.PreferredUsername)
+ r.Header.Set("X-authentik-groups", strings.Join(c.Groups, "|"))
+ r.Header.Set("X-authentik-email", c.Email)
+ r.Header.Set("X-authentik-name", c.Name)
+ r.Header.Set("X-authentik-uid", c.Sub)
+
 userAttributes := c.Proxy.UserAttributes
 // Attempt to set basic auth based on user's attributes
 if *a.proxyConfig.BasicAuthEnabled {
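Review bot: The `# Legacy headers, remove after 2022.1` comment in `authResponseHeaders` does not say what removal changes for backends. As far as I know, Traefik's forwardAuth only overwrites request headers that are named in this list, so once `X-Auth-Username`, `X-Forwarded-User` and the other legacy names are dropped, a client-sent copy would presumably pass through unchanged to any backend that still reads them. I would expand the comment to `# Legacy headers, remove after 2022.1; backends must stop reading these first, Traefik will no longer replace client-sent copies`. The list also has to stay in step with `addHeaders` in `mode_common.go`, which deserves a one-line cross-reference here. The enclosing call and class start and end outside the hunk.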
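Review bot: The new `X-authentik-groups` header in `addHeaders` keeps the `"|"` join of the legacy `X-Auth-Groups`, so a group whose name contains `|` reaches the backend looking like several groups. A backend that authorizes on this header cannot tell the difference, and introducing the new prefix is the cheapest moment to settle the format. I would at least document it above the line, `// Groups are "|"-separated; group names containing "|" are not escaped`, and consider rejecting or escaping such names where groups are created. `X-authentik-name` carries `c.Name`, which looks like a display name, so the linked proxy docs should steer backends to `X-authentik-uid` or `X-authentik-username` for identity decisions. The function body continues past the end of the hunk.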