espresso-lab / oidc-forward-auth-middleware

MIT License

Add support for X-Forwarded-User header #5

Closed ds-sebastian closed 2 weeks ago

ds-sebastian commented 1 month ago

Can you consider implementing handling for the X-Forwarded-User header to allow for user identity to be passed?

Use Case

Enables Traefik middleware configuration:

middlewares:
  rs-auth:
    forwardAuth:
      address: http://oidc-forward-auth-middleware
      trustForwardHeader: true
      authResponseHeaders:
        - X-Forwarded-User

Main use case for me is Frigate which currently only supports ForwardAuth https://docs.frigate.video/configuration/authentication

henobi commented 1 month ago

Hello @ds-sebastian, thank you for providing this feature request! We will put that on our roadmap.


henobi commented 2 weeks ago

I just released version v3.0.0-alpha.1. It includes the X-Forwarded-User header, filled with the sub from the JWT.

Could you please check if it is also working for you?

ds-sebastian commented 2 weeks ago

I did try, but I can't seem to get the right configuration as it's a pretty weird one lol

I have one server with Traefik and this middleware (and KanIDM):

# docker-compose.yml
services:
  oidc-forward-auth-middleware:
    image: ghcr.io/espresso-lab/oidc-forward-auth-middleware:3.0.0-alpha.1
    container_name: oidc-forward-auth-middleware
    expose:
      - "3000"
    networks:
      - "remote-net"
    environment:
      - OIDC_PROVIDER_0_HOSTNAME=oa2p.domain.com
      - OIDC_PROVIDER_0_ISSUER_URL=https://idm.domain.com/oauth2/openid/oauth2-proxy
      - OIDC_PROVIDER_0_CLIENT_ID=oauth2-proxy
      - OIDC_PROVIDER_0_CLIENT_SECRET=<SECRET>
      - OIDC_PROVIDER_0_SCOPES=email groups openid profile
      - OIDC_PROVIDER_0_AUDIENCE=oauth2-proxy
      #- RUST_LOG=info
      - DISABLE_ENHANCED_SECURITY=true
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.oauth2-proxy.entrypoints=https"
      - "traefik.http.routers.oauth2-proxy.rule=Host(`oa2p.domain.com`)"
      - "traefik.http.services.oauth2-proxy.loadbalancer.server.port=3000"
      - "traefik.http.routers.oauth2-proxy.service=oauth2-proxy"

I have another server and another instance of Traefik with the following middleware on Frigate:

# fileConfig.yml
http:
  middlewares:
    oidc-auth:
      forwardAuth:
        address: "https://oa2p.domain.com/verify"
        trustForwardHeader: true
        authResponseHeaders:
          - "Set-Cookie"
          - "Location"
          - "X-Forwarded-User"
        authRequestHeaders:
          - "Accept"
          - "Cookie"
...
  routers:
    frigate:
      rule: Host(`frigate.domain.com`)
      service: frigate_service
      entryPoints:
        - https
      middlewares:
        - oidc-auth

This results in the following logs:

oidc-forward-auth-middleware  | 2024-08-30T01:16:28.719275Z  INFO oidc_forward_auth_middleware: Enhanced security is disabled.
oidc-forward-auth-middleware  | 2024-08-30T01:16:28.720151Z  INFO salvo_core::server: listening [HTTP/1.1] on http://0.0.0.0:3000
oidc-forward-auth-middleware  | 2024-08-30T01:16:37.716026Z  INFO Request{remote_addr=socket://172.20.0.5:33586 version=HTTP/1.1 method=GET path=/verify}: oidc_forward_auth_middleware::oidc_providers: Starting to initialize OIDC providers.
oidc-forward-auth-middleware  | 2024-08-30T01:16:37.903437Z  INFO Request{remote_addr=socket://172.20.0.5:33586 version=HTTP/1.1 method=GET path=/verify}: oidc_forward_auth_middleware::oidc_providers: Added OIDC provider: oa2p.domain.com -> https://idm.domain.com/oauth2/openid/oauth2-proxy
oidc-forward-auth-middleware  | 2024-08-30T01:16:37.903615Z  INFO Request{remote_addr=socket://172.20.0.5:33586 version=HTTP/1.1 method=GET path=/verify}: oidc_forward_auth_middleware::oidc_providers: Initialized 1 OIDC providers.
oidc-forward-auth-middleware  | 2024-08-30T01:16:37.962249Z  INFO Request{remote_addr=socket://172.20.0.5:33586 version=HTTP/1.1 method=GET path=/verify}: salvo_extra::logging: Response status=307 Temporary Redirect duration=246.373307ms
oidc-forward-auth-middleware  | 2024-08-30T01:16:41.129324Z  INFO Request{remote_addr=socket://172.20.0.5:33586 version=HTTP/1.1 method=GET path=/auth_callback?state=-UB6zeNChlZ3gIoVxhNNyw&code=gAAAAA.....WYlD6E%3D}: salvo_extra::logging: Response status=404 Not Found duration=280ns
oidc-forward-auth-middleware  | 2024-08-30T01:16:41.206364Z  INFO Request{remote_addr=socket://172.20.0.5:33586 version=HTTP/1.1 method=GET path=/favicon.ico}: salvo_extra::logging: Response status=404 Not Found duration=280ns
henobi commented 2 weeks ago

Hi @ds-sebastian,

it looks like you are accessing port 3000 directly with your browser. As this is a forwardauth handler and not a proxy, this should not be the case. You should access your service directly and Traefik will handle the sub-request to port 3000.

Have a look at the configuration here: https://github.com/espresso-lab/oidc-forward-auth-middleware/blob/main/docker-compose.yml#L28
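The distinction above (a forwardauth handler answers Traefik's sub-request to /verify; it never sits in the request path itself) is easy to get wrong, so here is an added example that models that sub-request end to end. It is not the project's code (the real middleware is Rust on salvo and validates OIDC tokens from the IdP); the cookie name `oidc_session`, the login URL, and the HS256 demo secret are assumptions for the illustration. It shows the three things the thread relies on: a missing or invalid session yields a 307 with a Location header, a valid session yields 200 plus X-Forwarded-User taken from the token's `sub`, and a client-supplied X-Forwarded-User is never echoed, since this hop is the only legitimate source of that header. It also models Traefik's `authResponseHeaders` filter, which is why X-Forwarded-User has to be listed there.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Dict, Optional, Tuple
from urllib.parse import quote

# Constructed demo values (not the project's): a real deployment verifies the
# IdP's RS256 signature against its JWKS instead of a shared HS256 secret.
DEMO_SECRET = b"constructed-demo-secret"
SESSION_COOKIE = "oidc_session"              # hypothetical cookie name
LOGIN_URL = "https://oa2p.domain.com/login"  # hypothetical login endpoint


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64url(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_jwt(claims: dict, secret: bytes = DEMO_SECRET) -> str:
    """Mint an HS256 JWT; stands in for the ID token the IdP would issue."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def verify_jwt(token: str, secret: bytes = DEMO_SECRET, now: Optional[float] = None) -> Optional[dict]:
    """Return the claims if signature, algorithm and expiry check out, else None."""
    try:
        header, body, sig = token.split(".")
    except ValueError:
        return None
    # Pin the algorithm: rejects alg=none and RS->HS confusion tricks.
    if json.loads(_unb64url(header)).get("alg") != "HS256":
        return None
    expected = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(sig)):
        return None
    claims = json.loads(_unb64url(body))
    now = time.time() if now is None else now
    if "exp" not in claims or claims["exp"] <= now:
        return None
    return claims


def parse_cookies(header: str) -> Dict[str, str]:
    out = {}
    for part in header.split(";"):
        if "=" in part:
            k, v = part.strip().split("=", 1)
            out[k] = v
    return out


def verify_endpoint(request_headers: Dict[str, str], now: Optional[float] = None) -> Tuple[int, Dict[str, str]]:
    """What Traefik's /verify sub-request gets back: (status, response headers)."""
    h = {k.lower(): v for k, v in request_headers.items()}  # header names are case-insensitive
    # Deliberately ignore any inbound X-Forwarded-User: only our own answer may set it.
    token = parse_cookies(h.get("cookie", "")).get(SESSION_COOKIE)
    claims = verify_jwt(token, now=now) if token else None
    if claims is None or "sub" not in claims:
        # Send the browser to log in, remembering where it was going.
        original = "{}://{}{}".format(
            h.get("x-forwarded-proto", "https"), h.get("x-forwarded-host", ""), h.get("x-forwarded-uri", "/")
        )
        return 307, {"Location": f"{LOGIN_URL}?rd={quote(original, safe='')}"}
    return 200, {"X-Forwarded-User": claims["sub"]}


def forward_to_backend(status: int, auth_headers: Dict[str, str], allowed=("X-Forwarded-User",)) -> Optional[Dict[str, str]]:
    """Model Traefik's authResponseHeaders: on 2xx only the listed headers are
    copied onto the request that reaches the protected service (e.g. Frigate);
    any other status is returned to the client as-is and nothing is forwarded."""
    if not 200 <= status < 300:
        return None
    return {k: v for k, v in auth_headers.items() if k in allowed}


if __name__ == "__main__":
    tok = make_jwt({"sub": "alice", "exp": 2_000_000_000})
    print(verify_endpoint({"Cookie": f"{SESSION_COOKIE}={tok}", "X-Forwarded-User": "admin"}, now=1_700_000_000))
    print(verify_endpoint({"X-Forwarded-Host": "frigate.domain.com", "X-Forwarded-Uri": "/api"}, now=1_700_000_000))
```

Note the split of trust this implies: the backend must accept X-Forwarded-User only from the proxy, and `authResponseHeaders` is the allow-list that decides which of the handler's headers actually reach it.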

ds-sebastian commented 2 weeks ago

I just moved the middleware container to my main server with Frigate (instead of trying to expose it), used local IPs like in your example, and it works! Even with alpha-2

Thanks for this solution! OAuth2-Proxy has issues with Traefik, and other middlewares don't yet support PKCE, which is the default in KanIDM.

henobi commented 2 weeks ago

Great! Thank you for testing and the feedback.