mailcow / mailcow-dockerized

mailcow: dockerized - 🐮 + 🐋 = 💕
https://mailcow.email
GNU General Public License v3.0

SOGo WebAuth is broken? #5223

Closed VPaulV closed 1 year ago

VPaulV commented 1 year ago

Contribution guidelines

I've found a bug and checked that ...

Description

Hi Guys,

I am trying to implement SSO with SOGo using Authentik. I found in the documentation that I can use forward auth to achieve this. According to the documentation:

"The second step is to tell SOGo to trust that value altogether by setting the 'SOGoTrustProxyAuthentication' to 'YES', which will disable the login page and the 'logoff' link."

However, when I enable this setting (with 'ALLOW_ADMIN_EMAIL_LOGIN' disabled), nothing happens. The login page is not disabled, and it seems that 'x-webobjects-remote-user' is ignored as well. I set it up with Traefik's 'X-Authentik-Email' to 'x-webobjects-remote-user', and I have verified with 'whoami' that it is actually happening.

Am I missing something, or is forward auth broken?

Logs:

Please let me know what logs I may provide to help.

Steps to reproduce:

1. Set SOGoTrustProxyAuthentication to YES
2. Go to login page and see that it is not disabled

Which branch are you using?

master

Operating System:

Linux chf 5.10.0-22-amd64 #1 SMP Debian 5.10.178-3 (2023-04-22) x86_64 GNU/Linux

Server/VM specifications:

8gb ram, 4 cores

Is Apparmor, SELinux or similar active?

no

Virtualization technology:

KVM

Docker version:

23.0.5

docker-compose version or docker compose version:

v2.17.3

mailcow version:

2023-04b

Reverse proxy:

Traefik

Logs of git diff:

---

Logs of iptables -L -vn:

---

Logs of ip6tables -L -vn:

---

Logs of iptables -L -vn -t nat:

---

Logs of ip6tables -L -vn -t nat:

---

DNS check:

---

MAGICCC commented 1 year ago

Because SSO will be implemented in the near future, you can wait for https://github.com/mailcow/mailcow-dockerized/issues/2316 if you want. But since this seems like a SOGo issue, you have to ask their devs: https://bugs.sogo.nu/

VPaulV commented 1 year ago

Understood, thank you! When I self-host, SOGo works as expected. Therefore, I thought we had some modifications in mailcow. My bad.

MAGICCC commented 1 year ago

Ah, then maybe some setting in nginx needs to be changed. I am not sure about it, never played around.

VPaulV commented 1 year ago

I guess it doesn't matter, because we will have it implemented soon with OIDC. I will close the issue.
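
In the forward-auth setup from the opening post, SOGo is told to trust `x-webobjects-remote-user` altogether, so the proxy in front of it has to be the only place that header can come from. The sketch below is an added example, not mailcow, SOGo, Traefik or Authentik code: it models the header handling a fronting proxy needs, with hypothetical function names and constructed sample values.

```python
TRUSTED_HEADER = "x-webobjects-remote-user"  # header SOGo is told to trust (from the issue)
IDP_EMAIL_HEADER = "x-authentik-email"       # header set by the auth provider (from the issue)
# Assumption: everything under this prefix is identity data only the proxy may set.
IDENTITY_PREFIXES = ("x-authentik-",)

# Constructed sample request: the client tries to supply its own identity headers.
SAMPLE_CLIENT = [
    ("Host", "mail.example.org"),
    ("X-WebObjects-Remote-User", "admin@example.org"),
    ("x-authentik-email", "admin@example.org"),
    ("Cookie", "session=constructed"),
]
# Constructed sample forward-auth response headers.
SAMPLE_AUTH = {"X-Authentik-Email": "alice@example.org"}


def is_identity_header(name):
    """True for headers that must never be accepted from the client."""
    n = name.strip().lower()
    return n == TRUSTED_HEADER or n.startswith(IDENTITY_PREFIXES)


def build_upstream_headers(client_headers, auth_headers):
    """Return the header list to forward to SOGo.

    client_headers: list of (name, value) pairs as received from the browser.
    auth_headers:   dict from the forward-auth response, or None if auth failed.
    """
    if auth_headers is None:
        raise PermissionError("forward auth denied the request")
    # 1. Drop every client-supplied identity header, whatever its casing.
    upstream = [(n, v) for n, v in client_headers if not is_identity_header(n)]
    # 2. Take the identity from the auth response only.
    auth = {k.lower(): v for k, v in auth_headers.items()}
    email = auth.get(IDP_EMAIL_HEADER, "").strip()
    if not email or "\r" in email or "\n" in email or email.count("@") != 1:
        raise PermissionError("auth response carried no usable e-mail")
    upstream.append((TRUSTED_HEADER, email))
    return upstream


def remote_users(headers):
    """All values the backend could read as the remote user (must be exactly one)."""
    return [v for n, v in headers if n.lower() == TRUSTED_HEADER]


if __name__ == "__main__":
    print(remote_users(build_upstream_headers(SAMPLE_CLIENT, SAMPLE_AUTH)))
```
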