lamarios / clipious

Invidious client for android
GNU Affero General Public License v3.0

Connecting to a server behind Authentik #477

Open mike-lloyd03 opened 6 months ago

mike-lloyd03 commented 6 months ago

Is your feature request related to a problem? Please describe.

My server is sitting behind authentik (using the proxy provider) to enable a more robust layer of authentication. So when I navigate to my server, I have to authenticate with authentik first before I'm redirected to Invidious. Clipious cannot connect to my server as a result of this configuration. When attempting to add the server, I get an error:

FormatException: Unexpected character (at line 4, character 1)
<!DOCTYPE html>
^

I'm assuming Clipious is expecting a JSON response from the API but is instead being redirected to authentik and gets an HTML response instead.

Describe the solution you'd like

Some method to tell Clipious to expect a redirect to an identity provider before making any requests to the Invidious API.

Describe alternatives you've considered

I've tried disabling authentik and adding the server, then re-enabling authentik and using token authentication with Invidious. This properly handles the redirect to authentik and allows me to log in to Invidious, but afterwards, no videos will load.

Outlet7493 commented 6 months ago

I think it's doable to integrate a webview that displays the auth page when an HTML response is detected (enabled via settings).

I've tried disabling authentik and adding the server. Then re-enabling authentik and using token authentication with invidious. This properly handles the redirect to authentik and allows me to log in to Invidious, but afterwards, no videos will load.

I've never used authentik before but just wanted to ask if being able to add custom headers to requests would help this issue?

Or if I am understanding correctly, a property mapping could be used on the invidious cookie/token already used by Clipious?

mike-lloyd03 commented 6 months ago

Hey thanks for the response.

Authentik is pretty flexible so I should be able to do this. I'm not seeing any kind of auth customization options in Clipious however. Are there dev settings somewhere I'm missing?

Outlet7493 commented 6 months ago

Clipious chooses the authentication method here based on the method you choose when you're in the "manage servers" screen.

If you wish to be able to add custom headers, this is something I could look at adding in the future.

Hope this answers your question

mike-lloyd03 commented 6 months ago

I've seen some other issues on here where users configured basic auth on their reverse proxy and were able to make this work by passing their creds in the server URL in Clipious.

https://username:password@myserver.com

But I'm not sure if authentik supports this. I'll look into it.

Otherwise, configuring Clipious to send custom headers would probably be the only way to do this. I'll let you know what I find.

mike-lloyd03 commented 6 months ago

I was able to create an app password for Clipious in authentik and used it in the URL as specified above. This bypasses the redirect to authentik's login page. However, no thumbnails will load and videos don't play. I think that's because the URLs returned by the Invidious API don't have the basic auth creds in them.

Another issue with this approach is that each request will have to re-authenticate with basic auth, adding latency and increasing load on my authentik server. Per the authentik docs:

It is strongly recommended that the client sending requests with HTTP-Basic authentication persists the cookies returned by the outpost. If this is not the case, every request must be authenticated independently, which will increase load on the authentik server and encounter a performance hit.

I think if Authentik's cookie were stored when a user logs into Invidious with token auth, that would work. Example:

  1. User adds new server
  2. User logs in with token
  3. Clipious follows redirect to authentik's login page
  4. User logs in to authentik
  5. authentik's session token is stored
  6. authentik redirects user to Invidious
  7. User follows standard token login flow

Then any subsequent requests would have to use the Invidious token and also have the authentik session cookie attached.

Does that sound like it would work?
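Added example, not part of the thread and not Clipious or authentik code: a Python sketch of the two client-side behaviours discussed in the comment above, namely checking the Content-Type so a login page is reported as an authentication problem instead of a JSON parse error, and persisting the proxy's session cookie so Basic credentials are verified once rather than on every request. The mock proxy, the `proxy_session` cookie name, the credentials and the helper names are constructed assumptions; a real proxy would redirect to its login page rather than serve it inline.

```python
import base64, json, threading
from http.cookiejar import CookieJar
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.request import HTTPCookieProcessor, ProxyHandler, Request, build_opener

BASIC = "Basic " + base64.b64encode(b"clipious:app-password").decode()  # constructed
stats = {"basic_checks": 0}  # times the proxy had to verify Basic credentials

class MockProxy(BaseHTTPRequestHandler):  # simplified stand-in, not authentik itself
    def do_GET(self):
        has_session = "proxy_session=ok" in self.headers.get("Cookie", "")
        needs_check = self.headers.get("Authorization") == BASIC and not has_session
        stats["basic_checks"] += needs_check
        ok = has_session or needs_check
        body = b'{"ok": true}' if ok else b"<!DOCTYPE html><title>Login</title>"
        self.send_response(200)
        self.send_header("Content-Type", "application/json" if ok else "text/html")
        self.send_header("Content-Length", str(len(body)))
        if needs_check:  # issue a session so later requests skip the credential check
            self.send_header("Set-Cookie", "proxy_session=ok; Path=/; HttpOnly")
        self.end_headers()
        self.wfile.write(body)
    def log_message(self, *args): pass  # silence per-request logging

def api_get(opener, url, auth=None):
    """Return parsed JSON, or fail clearly when a login page came back instead."""
    req = Request(url, headers={"Authorization": auth} if auth else {})
    with opener.open(req, timeout=5) as resp:
        if "json" not in resp.headers.get("Content-Type", ""):
            raise PermissionError("got HTML, not JSON: intercepted by the auth proxy")
        return json.load(resp)

def demo():
    server = HTTPServer(("127.0.0.1", 0), MockProxy)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    url = f"http://127.0.0.1:{server.server_port}/api/v1/stats"
    plain = build_opener(ProxyHandler({}))  # ProxyHandler({}) bypasses system proxies
    sticky = build_opener(ProxyHandler({}), HTTPCookieProcessor(CookieJar()))
    result = {}
    try:
        api_get(plain, url)  # no credentials: the mock answers with its login page
    except PermissionError:
        result["login_page_detected"] = True
    for name, opener in (("without_cookies", plain), ("with_cookies", sticky)):
        stats["basic_checks"] = 0
        for _ in range(3):
            api_get(opener, url, BASIC)
        result[name] = stats["basic_checks"]
    server.shutdown()
    return result
```

Calling `demo()` makes three authenticated requests with each client and reports how many credential checks the mock proxy performed for each.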

Outlet7493 commented 6 months ago

Yep I think I could add support for this, but it might come in pieces... will have to see.

I will try to set up authentik for myself and replicate a setup similar to yours.

At the very least, adding support for you to add custom headers/cookies to requests should be feasible. Adding the webview to log in to authentik and getting the cookies may take a little longer.

From what I see, it is possible to have a session token never expire, which would simplify the process and make the UX better but then weakens security. Let me know your thoughts.