goauthentik / authentik

The authentication glue you need.
https://goauthentik.io

Proxy Provider: Create or Use JWT Token for Dynamic Attribute Gathering #5237

Open ReaHe opened 1 year ago

ReaHe commented 1 year ago

Describe your question Since the proxy provider allows for Basic Auth, this means you can sign into a website that the provider proxies to that supports basic auth itself. (Typically because that app doesn't support other auth methods). However, based on the documentation, it states you set the username and password using user attributes in the provider, which I believe are static only if set on the user or group. I was wondering how to make this dynamic and specifically how to acquire a JWT token (if one is not already made) that will be authorized for the user when the proxy authenticates the user to perform external requests with.

For instance, take a hashicorp vault server that supports JWT auth. This vault server holds secrets for the user; however, they're secrets only the user has access to, like a password manager. I was hoping that with this JWT I could pull the user's username and password from a protected location that requires that specific user's authorization and then use those credentials in the basic auth, but not have to 1. statically set them in authentik and 2. I can have the user's creds stay secret without them being less protected.

I see that dynamic headers can be used for the proxy using property mappings; it made me think I could use the requests library to make these hashicorp vault requests, but I'm not sure how I could get a JWT token for the user easily and was hoping to use an existing authored one for them. I was also thinking of using the authorization flow as a possible method to set volatile attributes for the user, but also was not sure if the proxy will get those and use them for the basic auth or if that's even possible.

My question overall is targeted towards the best approach if any to be able to dynamically set basic auth creds (and even broader dynamic user attributes) using Authentik. Hopefully my example was helpful, thanks in advance for any advice you can provide.

Version and Deployment (please complete the following information):

BeryJu commented 4 months ago

As the property mappings run while the JWT that authentik gives to the proxy is being generated, you can't yet access that JWT to pass it to an external service. One alternative to this would be to use another method to authenticate against hashicorp vault (for example using the kubernetes authentication, as seen here: https://beryju.io/blog/2022-05-authentik-vault/). We don't really have a helper function to generate a JWT on the fly in an expression.
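The Kubernetes-auth route BeryJu points to, as an added example that is neither the project's nor the commenter's code: Python in the style of an authentik expression that logs into Vault with the pod's service-account token (`auth/kubernetes/login`), reads a per-user KV v2 secret and turns it into a Basic `Authorization` header. The Vault address, the role name and the `proxy-basic-auth/<username>` secret prefix are assumptions, and `session` stands in for the `requests` session the expression would use.

```python
import base64
import re
from pathlib import Path

# Assumed deployment values; replace with the real Vault address and role.
VAULT_ADDR = "https://vault.example.internal:8200"
VAULT_ROLE = "authentik-proxy"
SA_TOKEN_PATH = "/var/run/secrets/kubernetes.io/serviceaccount/token"


def read_sa_token(path=SA_TOKEN_PATH):
    """The pod's projected service-account JWT, which Vault validates."""
    return Path(path).read_text().strip()


def vault_login_request(vault_addr, role, sa_jwt):
    """URL and JSON body for Vault's Kubernetes auth login endpoint."""
    return f"{vault_addr}/v1/auth/kubernetes/login", {"role": role, "jwt": sa_jwt}


def client_token_from_login(resp):
    return resp["auth"]["client_token"]


def user_secret_path(vault_addr, username):
    # Whitelist the username so it cannot escape the per-user KV prefix
    # (the Vault policy bound to the role should restrict that prefix too).
    if not re.fullmatch(r"[A-Za-z0-9._-]{1,64}", username):
        raise ValueError("username not allowed in a secret path")
    return f"{vault_addr}/v1/secret/data/proxy-basic-auth/{username}"


def credentials_from_kv(resp):
    data = resp["data"]["data"]  # KV v2 wraps the secret in data.data
    return data["username"], data["password"]


def basic_auth_header(username, password):
    raw = f"{username}:{password}".encode()
    return {"Authorization": "Basic " + base64.b64encode(raw).decode()}


def fetch_basic_auth_header(session, username, sa_jwt, vault_addr=VAULT_ADDR, role=VAULT_ROLE):
    """Login with the service-account JWT, then read the user's secret."""
    url, body = vault_login_request(vault_addr, role, sa_jwt)
    login = session.post(url, json=body, timeout=5)
    login.raise_for_status()
    token = client_token_from_login(login.json())
    secret = session.get(user_secret_path(vault_addr, username),
                         headers={"X-Vault-Token": token}, timeout=5)
    secret.raise_for_status()
    return basic_auth_header(*credentials_from_kv(secret.json()))
```

The short-lived client token is scoped by the Vault policy attached to the Kubernetes role, so the expression never holds a long-lived Vault credential and can only read the prefix that policy allows.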