Authentication using http header

[dorianim]

Is there an existing feature request for this?

• [X] I have searched the existing issues before opening this feature request.

Describe the feature you would like to see.

It would be nice to allow authentication via an HTTP-header containing the username. This would allow using proxy authentication via sso providers like Authelia or Authentik and by this, it would also be possible to authenticate using ldap or oidc.

Describe the solution you'd like.

• New environment variables for:
  • Whether the header authentication should be enabled
  • The header containing the username of the user
  • The header containing the email of the user
• Automatic account creation for new users, this can happen transparently in my option

Additional context to this request.

Http header authentication basically works like this:

• You put a proxy in front of your application
• This proxy does not let anything through to the application until the user authenticates with the proxy
• As soon as the user is authenticated, the proxy passes the traffic to the application including a header containing their username, email and whatever else you configure

I am aware that other requests for ldap (#594), saml (#2635) and oidc (#3990) have been dismissed for being too time-consuming to implement. Using an HTTP-header, however, would be much simpler to do.

Many other services do this as well, for example Paperless and Firefly III

I think, this would be a good solution for all the users who wanted to have ldap, saml or oidc. And it should not be too complicated to implement :slightly_smiling_face: What do you think?

[DaneEveritt]

Nice idea, seems like an easy middle ground between building out a very complex flow in the application and not having anything. Do you have any good examples I could look at in terms of setting up something very basic to test against if this was built out?

Like a specific service you like to use or some local setup that is sufficient for testing without too much additional overhead?

[dorianim]

I simply used a browser plugin which allows changing the header values for testing (e.g. this one). Should be pretty straight forward :)

[DaneEveritt]

Gotcha, I'll look into a few of them and make sure there is a decently common approach to them. I bet there are some packages that exist already to handle this I could use.

[dorianim]

Just for reference: oauth2-proxy is a tool which "translates" proxy authentication into oatuh2 and could be used in conjunction with this feature.

[haylinmoore]

Gotcha, I'll look into a few of them and make sure there is a decently common approach to them. I bet there are some packages that exist already to handle this I could use.

I personally really like the idea of using the Remote-User header for authentication, as it makes it much easier to integrate with pre-made, or home-brewed authentication schemes. It also in theory, shouldn't be a massive implementation task. This method is commonly called Forward Auth, where your reverse proxy uses another API to verify authentication, and then rewrites headers so the backend can know the user. Both Authelia (https://www.authelia.com/docs/home/architecture.html) and Authentik (https://goauthentik.io/docs/providers/proxy/forward_auth), top open-source SSO providers, implement Forward Auth support. Some large applications that support it which come to mind are Netbox and Home-Assistant.

[haylinmoore]

If I implemented this would this fall under a reject due to the contributing policy? "Pterodactyl does not accept Pull Requests (PRs) for new functionality from users that are not currently part of the core project team." Don't want it to meet the same fate as OAuth

[MythTheWolf]

bump

[DaneEveritt]

@hamptonmoore yes, most likely. I'm not prepared to think about this too might right now or look at a PR for it.

[SyFizz]

Hi !

Is there any progress about that ?

[Aeris1One]

I would personally second the idea of being able to use HTTP Headers, it would be a perfect middle between ldap, oauth, saml and so on. It would be easier for server hosts but also for some servers (rare ones) which have setup some SSO for their Git, Forum, Website, Issue tracker. That's the case of the server I'm sysadmin-ing and Pterodactyl is the only thing without linked accoung :/

LDAP, SAML, OpenID are more difficult to setup than HTTP Headers, both on Pterodactyl code and on SSO side. I think its the perfect way to go to allow some SSO features, which seems highly requested since some times.

[zach78954]

I would personally second the idea of being able to use HTTP Headers, it would be a perfect middle between ldap, oauth, saml and so on. It would be easier for server hosts but also for some servers (rare ones) which have setup some SSO for their Git, Forum, Website, Issue tracker. That's the case of the server I'm sysadmin-ing and Pterodactyl is the only thing without linked accoung :/

LDAP, SAML, OpenID are more difficult to setup than HTTP Headers, both on Pterodactyl code and on SSO side. I think its the perfect way to go to allow some SSO features, which seems highly requested since some times.

I also concur, this is the only thing that is missing for me.

[luizsusin]

I would personally second the idea of being able to use HTTP Headers, it would be a perfect middle between ldap, oauth, saml and so on. It would be easier for server hosts but also for some servers (rare ones) which have setup some SSO for their Git, Forum, Website, Issue tracker. That's the case of the server I'm sysadmin-ing and Pterodactyl is the only thing without linked accoung :/

LDAP, SAML, OpenID are more difficult to setup than HTTP Headers, both on Pterodactyl code and on SSO side. I think its the perfect way to go to allow some SSO features, which seems highly requested since some times.

Me too. This is actually something I miss a lot.

[tnt944445]

I would personally second the idea of being able to use HTTP Headers, it would be a perfect middle between ldap, oauth, saml and so on. It would be easier for server hosts but also for some servers (rare ones) which have setup some SSO for their Git, Forum, Website, Issue tracker. That's the case of the server I'm sysadmin-ing and Pterodactyl is the only thing without linked accoung :/

LDAP, SAML, OpenID are more difficult to setup than HTTP Headers, both on Pterodactyl code and on SSO side. I think its the perfect way to go to allow some SSO features, which seems highly requested since some times.

Would love to see this come true. A big feature missing for me.

[Loapu]

Is there any update on this? Maybe an ETA or some plans for the roadmap?

[FoksVHox]

Is there any update on this? Maybe an ETA or some plans for the roadmap?

https://github.com/orgs/pterodactyl/projects/1

[Aterfax]

Just wanted to show interest in this also. This would slot in very nicely for those using Authentik.

[tieb62]

Any news on this ? I don't see it in the roadmap

[Badbird5907]

I would love to see this implemented!

[n1ght-hunter]

+1 i personally think this is a must. i don't like exposing anything publicly that has not had an audit which is simply not possible for a project like this. so it makes sense to have to option to leave auth to a 3rd party that has a good update policy and is regularly audited by a 3rd party like authentik etc

[Cryotize]

Personally, i'm selfhosting many public facing services which my family or friends use. Pterodactyl is one of many, and a http header auth implementation would help me unify all logins at a central location like Authentik. Sadly, i still can't see this on the roadmap. Can anybody give an update on this issue?

[Pomdre]

Personally, i'm selfhosting many public facing services which my family or friends use. Pterodactyl is one of many, and a http header auth implementation would help me unify all logins at a central location like Authentik. Sadly, i still can't see this on the roadmap. Can anybody give an update on this issue?

This has been a proposal for 4 years now I know it has been worked on an sso login for Google and other sso`s. I think that was published as a "addon" but no longer maintained. I can't imagine the main developers switching gears and working on this now, maybe if someone gets together and donates money to the project that will increase the motivation for the developers to get this in place? 🤷

[Svenum]

I would love to see this.

[Avsynthe]

Personally, i'm selfhosting many public facing services which my family or friends use. Pterodactyl is one of many, and a http header auth implementation would help me unify all logins at a central location like Authentik. Sadly, i still can't see this on the roadmap. Can anybody give an update on this issue?

This is me. I provide loads of services to friends and family using Authentik as the auth and ID server. Basically anything that doesn't support some form of SSO I've delayed providing because it's just a headache. I feel like these last 12 months most services have really pushed to get some form of SSO implemented, seems like the big thing now haha.

This would be amazing to see and would complete and round out what is an awesome service. It's features like this that skyrocket app adoption.

[zach78954]

I’ve moved to hosting wemx along with pterodactyl. They plan to provide SSO, the code is there I just needs some final tweaking. It also makes it easy for me because I can set a low price for my friends and just give them credit. This way they are actually using the servers they created.

Best Regards, Zach Stinnett

---

From: Avsynthe @.> Sent: Wednesday, December 20, 2023 1:54:47 PM To: pterodactyl/panel @.> Cc: zach78954 @.>; Comment @.> Subject: Re: [pterodactyl/panel] Authentication using http header (Issue #4026)

Personally, i'm selfhosting many public facing services which my family or friends use. Pterodactyl is one of many, and a http header auth implementation would help me unify all logins at a central location like Authentik. Sadly, i still can't see this on the roadmap. Can anybody give an update on this issue?

This is me. I provide loads of services to friends and family using Authentik as the auth and ID server. Basically anything that doesn't support some form of SSO I've delayed providing because it's just a headache. I feel like these last 12 months most services have really pushed to get some form of SSO implemented, seems like the big thing now haha.

This would be amazing to see and would complete and round out what is an awesome service. It's features like this that skyrocket app adoption.

— Reply to this email directly, view it on GitHubhttps://github.com/pterodactyl/panel/issues/4026#issuecomment-1865125350, or unsubscribehttps://github.com/notifications/unsubscribe-auth/AB3FN76XJOONPBLNCWOGDZ3YKNGBPAVCNFSM5R2X3ZZ2U5DIOJSWCZC7NNSXTN2JONZXKZKDN5WW2ZLOOQ5TCOBWGUYTENJTGUYA. You are receiving this because you commented.Message ID: @.***>

[xitation]

Also keen to throw my support behind this feature.

Happy to help test it as it's developed if required.

Use case is I run Kanidm and Cloudflare Tunnel, user experience isn't great when you OAuth to Cloudflare then have to auth separately to the panel.

[KevinCCucumber]

So whats the latest update on this? I would love to have this integration, but I don't have any experience with PHP to implement this myself.

[virtualWinter]

Hello. Any updates on this feature request?