chatgpt-web-dev / chatgpt-web

A third-party ChatGPT Web UI page built with Express and Vue3, through the official OpenAI completion API.
https://chatgpt-web.dev
MIT License
1.62k stars 438 forks

Allowing Custom SSO Auth Header #468

Closed dohsimpson closed 7 months ago

dohsimpson commented 7 months ago

Amazing project! I'm very thrilled to be trying out the new SSO Auth Header feature.

I noticed a small hiccup when integrating with Authelia:

Authelia uses Remote-User and Remote-Email instead of X-Email as the auth headers returned to the reverse proxy: https://www.authelia.com/integration/trusted-header-sso/introduction/#response-headers

This means that the SSO won't work out of the box with Authelia.

Adding a new env parameter for header name would provide this flexibility.

BobDu commented 7 months ago

Thank you for your feedback. In fact, using the following configuration should work properly.

```nginx
## Send a subrequest to Authelia to verify if the user is authenticated and has permission to access the resource.
auth_request /authelia;

## Set the $target_url variable based on the original request.

## Comment this line if you're using nginx without the http_set_misc module.
set_escape_uri $target_url $scheme://$http_host$request_uri;

## Uncomment this line if you're using NGINX without the http_set_misc module.
# set $target_url $scheme://$http_host$request_uri;

## Save the upstream response headers from Authelia to variables.
auth_request_set $email $upstream_http_remote_email;

## Inject the response headers from the variables into the request made to the backend.
proxy_set_header X-Email $email;

## If the subrequest returns 200 pass to the backend, if the subrequest returns 401 redirect to the portal.
error_page 401 =302 https://auth.example.com/?rd=$target_url;
```

Different from the examples in Authelia's documentation, it uses proxy_set_header X-Email $email; instead of proxy_set_header Remote-Email $email;.

https://www.authelia.com/integration/proxies/nginx/#authelia-authrequestconf

dohsimpson commented 7 months ago

This would be an elegant solution for Nginx reverse proxy users, thanks for sharing!

My use case is a bit different: I'm using Kubernetes + nginx ingress controller, which has a more convoluted syntax and less documentation on this topic.

In case it helps someone, here's how to configure nginx ingress annotations to pass X-Email in addition to Remote-Email:

```yaml
nginx.ingress.kubernetes.io/auth-response-headers: Remote-User,Remote-Name,Remote-Groups,Remote-Email
nginx.ingress.kubernetes.io/auth-snippet: |
  proxy_set_header X-Forwarded-Method $request_method;
nginx.ingress.kubernetes.io/configuration-snippet: |
  auth_request_set $email $upstream_http_remote_email;
  proxy_set_header X-Email $email;
```

@BobDu would you consider accepting a PR to make the auth header configurable? I feel that this could be beneficial for people with different proxy setups.
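
An added example, not code from chatgpt-web or from either commenter: a sketch of how a backend could read the identity header under a configurable name, as this issue proposes, while accepting it only from the reverse proxy. The environment variable names `AUTH_SSO_HEADER` and `AUTH_TRUSTED_PROXIES` and both function names are hypothetical.

```javascript
// Added example. AUTH_SSO_HEADER, AUTH_TRUSTED_PROXIES and both function
// names are hypothetical; they are not chatgpt-web settings or APIs.
const HEADER_NAME_RE = /^[A-Za-z0-9-]+$/;
const EMAIL_RE = /^[^\s@,]+@[^\s@,]+$/;

function loadSsoConfig(env) {
  const header = (env.AUTH_SSO_HEADER || 'X-Email').trim();
  if (!HEADER_NAME_RE.test(header)) {
    throw new Error(`invalid SSO header name: ${header}`);
  }
  const trustedProxies = (env.AUTH_TRUSTED_PROXIES || '')
    .split(',')
    .map((s) => s.trim())
    .filter(Boolean);
  // Node exposes incoming header names in lowercase.
  return { header: header.toLowerCase(), trustedProxies };
}

function resolveSsoEmail(req, config) {
  // Accept the header only from the reverse proxy. With no proxy listed
  // the check fails closed and nobody is signed in by header.
  const peer = (req.socket.remoteAddress || '').replace(/^::ffff:/, '');
  if (!config.trustedProxies.includes(peer)) return null;

  const value = req.headers[config.header];
  if (typeof value !== 'string') return null;
  // Node joins a repeated custom header with ", "; EMAIL_RE rejects commas
  // and whitespace, so a doubled header is refused instead of half-trusted.
  const email = value.trim();
  return EMAIL_RE.test(email) ? email : null;
}

// Constructed sample requests (shaped like Node's http.IncomingMessage).
const demoConfig = loadSsoConfig({
  AUTH_SSO_HEADER: 'Remote-Email',
  AUTH_TRUSTED_PROXIES: '10.0.0.5',
});
const viaProxy = {
  socket: { remoteAddress: '::ffff:10.0.0.5' },
  headers: { 'remote-email': 'alice@example.com' },
};
const direct = {
  socket: { remoteAddress: '203.0.113.9' },
  headers: { 'remote-email': 'alice@example.com' },
};
console.log(resolveSsoEmail(viaProxy, demoConfig));
console.log(resolveSsoEmail(direct, demoConfig));
```

With the nginx snippets in the thread, `proxy_set_header X-Email $email;` replaces any client-supplied `X-Email`, and nginx does not forward the header at all when `$email` is empty, so the backend sees it only when Authelia supplied a value.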