Open idc77 opened 6 months ago
I've now tested oidc-client-ts with Keycloak, which doesn't set X-FRAME-OPTIONS to DENY and has
Content-Security-Policy: frame-src 'self'; frame-ancestors 'self'; object-src 'none';
I wonder how no one else ever had an issue or has reported any issue with authentik when used in a SPA or PWA. Is everyone just using confidential clients? In that case of course this issue never surfaces. Or people just generally don't use oidc and just use this for ready-made apps.
I also wonder why I can't add this application I created with its provider to the default outpost. Would that fix that problem? No idea. Likewise I'm not sure if Go is doing the oidc serving or if python is part of that anywhere. One picks Go for performance and resource usage; when you just have a proxy in Go in front of a Python API, that's quite nonsensical. But maybe I got it all wrong.
All I know is, oidc-client-ts with authentik can't refresh/renew tokens and I'm getting a timeout and an error in chromium that the request was denied because X-FRAME-OPTIONS is set to DENY, and there is no way I can see that I can add them on a per-provider or per-application basis in authentik.
So for me authentik is unable to perform its purpose. I'll have to look elsewhere, also because there has been ZERO feedback.
It would be a really good option if we could control X-Frame-Options. I tried to fix my app's refresh for a few hours, but only now realized this is Authentik trouble. As a temporary solution for Chrome, this extension works for me.
UPD: For me, increasing the time in the provider settings makes life really better.
I think this is a duplicate of #5762 and I've described a workaround there: https://github.com/goauthentik/authentik/issues/5762#issuecomment-2254179740
For the time being it's recommended to set custom header values in the reverse proxy. There will be support for setting custom headers directly from authentik in the future
Is your feature request related to a problem? Please describe. When doing silent refresh with oidc-client-ts authentik returns X-FRAME-OPTIONS: deny, making it impossible to refresh a token. Since the access_token lifetime is by default very short (5 min) this leads to authentik not being usable.
Describe the solution you'd like Add X-FRAME-OPTIONS and Content Security Policy settings.
Describe alternatives you've considered Not use authentik.
Additional context oidc-client-ts does silent renew in an iframe, as does keycloak-js and likely other oidc clients. Forcing a user to hit the login button every 5 minutes is not acceptable, increasing the token lifetime likewise isn't. Authentik already does too much magic with CORS and redirect_uri binding. Add the possibility to set custom X-FRAME-OPTIONS and CSP.