outpost/embedded: use redis session backend

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

authentik/lib/default.yml

@@ -20,6 +20,7 @@ redis:
   cache_db: 0
   message_queue_db: 1
   ws_db: 2
+  outpost_session_db: 3
   cache_timeout: 300
   cache_timeout_flows: 300
   cache_timeout_policies: 300

internal/config/struct.go

@@ -7,6 +7,23 @@ type Config struct {
 	Paths          PathsConfig          `yaml:"paths"`
 	LogLevel       string               `yaml:"log_level" env:"AUTHENTIK_LOG_LEVEL"`
 	ErrorReporting ErrorReportingConfig `yaml:"error_reporting"`
+	Redis          RedisConfig          `yaml:"redis"`
+}
+
+type RedisConfig struct {
+	Host                   string `yaml:"host" env:"AUTHENTIK_REDIS__HOST"`
+	Port                   int    `yaml:"port" env:"AUTHENTIK_REDIS__PORT"`
+	Password               string `yaml:"password" env:"AUTHENTIK_REDIS__PASSWORD"`
+	TLS                    bool   `yaml:"tls" env:"AUTHENTIK_REDIS__TLS"`
+	TLSReqs                string `yaml:"tls_reqs" env:"AUTHENTIK_REDIS__TLS_REQS"`
+	CacheDB                int    `yaml:"cache_db" env:"AUTHENTIK_REDIS__CACHE_DB"`
+	MessageQueueDB         int    `yaml:"message_queue_db" env:"AUTHENTIK_REDIS__MESSAGE_QUEUE_DB"`
+	WSDB                   int    `yaml:"ws_db" env:"AUTHENTIK_REDIS__WS_DB"`
+	OutpostSessionDB       int    `yaml:"outpost_session_db" env:"AUTHENTIK_REDIS__OUTPOST_SESSION_DB"`
+	CacheTimeout           int    `yaml:"cache_timeout" env:"AUTHENTIK_REDIS__CACHE_TIMEOUT"`
+	CacheTimeoutFlows      int    `yaml:"cache_timeout_flows" env:"AUTHENTIK_REDIS__CACHE_TIMEOUT_FLOWS"`
+	CacheTimeoutPolicies   int    `yaml:"cache_timeout_policies" env:"AUTHENTIK_REDIS__CACHE_TIMEOUT_POLICIES"`
+	CacheTimeoutReputation int    `yaml:"cache_timeout_reputation" env:"AUTHENTIK_REDIS__CACHE_TIMEOUT_REPUTATION"`
 }
 
 type WebConfig struct {

internal/outpost/proxy/common.go

@@ -1,9 +1,13 @@
 package proxy
 
 import (
+	"fmt"
 	"time"
 
+	log "github.com/sirupsen/logrus"
+
 	"github.com/oauth2-proxy/oauth2-proxy/pkg/apis/options"
+	"goauthentik.io/internal/config"
 )
 
 func getCommonOptions() *options.Options {
@@ -16,5 +20,20 @@ func getCommonOptions() *options.Options {
 	commonOpts.Logging.SilencePing = true
 	commonOpts.SetAuthorization = false
 	commonOpts.Scope = "openid email profile ak_proxy"
+	if config.G.Redis.Host != "" {
+		protocol := "redis"
+		if config.G.Redis.TLS {
+			protocol = "rediss"
+		}
+		url := fmt.Sprintf("%s://@%s:%d/%d", protocol, config.G.Redis.Host, config.G.Redis.Port, config.G.Redis.OutpostSessionDB)
+		log.WithField("url", url).Info("Using redis session backend")
+		commonOpts.Session.Redis = options.RedisStoreOptions{
+			ConnectionURL: url,
+			Password:      config.G.Redis.Password,
+		}
+		if config.G.Redis.TLSReqs != "" {
+			commonOpts.Session.Redis.InsecureSkipTLSVerify = true
+		}
+	}
 	return commonOpts
 }

website/docs/installation/configuration.md

@@ -29,6 +29,7 @@ All of these variables can be set to values, but you can also use a URI-like for
 - `AUTHENTIK_REDIS__CACHE_DB`: Database for caching, defaults to 0
 - `AUTHENTIK_REDIS__MESSAGE_QUEUE_DB`: Database for the message queue, defaults to 1
 - `AUTHENTIK_REDIS__WS_DB`: Database for websocket connections, defaults to 2
+- `AUTHENTIK_REDIS__OUTPOST_SESSION_DB`: Database for sessions for the embedded outpost, defaults to 3
 - `AUTHENTIK_REDIS__CACHE_TIMEOUT`: Timeout for cached data until it expires in seconds, defaults to 300
 - `AUTHENTIK_REDIS__CACHE_TIMEOUT_FLOWS`: Timeout for cached flow plans until they expire in seconds, defaults to 300
 - `AUTHENTIK_REDIS__CACHE_TIMEOUT_POLICIES`: Timeout for cached polices until they expire in seconds, defaults to 300