sissbruecker / linkding

Self-hosted bookmark manager that is designed to be minimal, fast, and easy to set up using Docker.
https://linkding.link/
MIT License
6.64k stars, 316 forks

Authentik auth proxy not working #486

Open JesseWebDotCom opened 1 year ago

JesseWebDotCom commented 1 year ago

Hello. I tried to set up auth proxy authentication but I end up stuck at the login page.

I have configured my authentik server with a forward auth (single application) proxy provider for linkding (similar to how I have other apps configured). Part of the response header (configured in my Traefik middleware) includes "X-authentik-username".

I set my docker compose environment section:

    environment:
      - LD_ENABLE_AUTH_PROXY=True
      - LD_AUTH_PROXY_USERNAME_HEADER=X_AUTHENTIK_USERNAME
      - LD_AUTH_PROXY_LOGOUT_URL=${LINKDING_PROXY_LOGOUT_URL}

I have the LINKDING_PROXY_LOGOUT_URL environment variable (ex. auth.domain_name_here.com/outpost.goauthentik.io/sign_out) defined in another env file I call with compose.

I deleted the container and data folder and compose up my environment (I have not visited my linkding instance; I have not created any linkding users). So I access https://linkding.domain_name_here.com and correctly get prompted for authentik authentication (which works successfully) and then I'm sent and stuck at https://linkding.domain_name_here.com/login/?next=/bookmarks (which expects me to put in a username and password). My linkding data folder is empty and I have 1 response cookie of csrftoken.

What am I missing?

strandundmeer commented 1 year ago

Hi @JesseWebDotCom,

I made the same mistake and missed a tiny little part of the documentation: you have to prefix the header with HTTP_

So this one should work:

    LD_AUTH_PROXY_USERNAME_HEADER=HTTP_X_AUTHENTIK_USERNAME

Hope this helps!

JesseWebDotCom commented 1 year ago

Thanks, I’ll give that a shot

rishikanthc commented 1 year ago

@JesseWebDotCom Were you able to get this working? I'm facing the same issue and tried the suggested fix with no luck.

JesseWebDotCom commented 1 year ago

No, as I decided on sticking with Safari/iOS bookmark management (much easier for me across my devices).

joshoram80 commented 1 year ago

I am also having the same issue. Using LD_AUTH_PROXY_USERNAME_HEADER=HTTP_X_AUTHENTIK_USERNAME does not seem to work for me.

strandundmeer commented 1 year ago

I use Authentik with Linkding without issues.

Just for reference, I have the following in my docker .env:

    LD_ENABLE_AUTH_PROXY=True
    LD_AUTH_PROXY_USERNAME_HEADER=HTTP_X_AUTHENTIK_USERNAME
    LD_AUTH_PROXY_LOGOUT_URL=Authentik-URL/outpost.goauthentik.io/sign_out

You should also make sure that you are adding the correct headers in your reverse-proxy config.

joshoram80 commented 1 year ago

I have literally the same variables in my .env.

My Traefik Authentik config:

    middlewares-authentik:
      forwardAuth:
        address: "http://authentik_server:9000/outpost.goauthentik.io/auth/traefik"
        trustForwardHeader: true
        authResponseHeaders:
          - X-authentik-username
          - X-authentik-groups
          - X-authentik-email
          - X-authentik-name
          - X-authentik-uid
          - X-authentik-jwt
          - X-authentik-meta-jwks
          - X-authentik-meta-outpost
          - X-authentik-meta-provider
          - X-authentik-meta-app
          - X-authentik-meta-version
          - authorization

Authentik works for me with every other service, just not Linkding, and because there are no errors or anything I can't diagnose why. I even have other services that use X-authentik-username for auth and they work too. I'm stumped.

ghost commented 1 year ago

Same here. I use it in conjunction with Traefik and I get this from the Traefik logs, so the header is being passed with the username.

..."],\"X-Authentik-Username\":[\"akiduki\"],\X-Forwarded-Host\":"...

In docker_compose I have this:

    environment:
      - LD_ENABLE_AUTH_PROXY=True
      - LD_AUTH_PROXY_USERNAME_HEADER='HTTP_X_AUTHENTIK_USERNAME'
      - LD_AUTH_PROXY_LOGOUT_URL='<url>'

I just get redirected to the login page no matter what.

zarko-a commented 1 year ago

Same issue with Pomerium reverse proxy. I just get redirected to the login page even though the proxy is sending the user in the Remote-User header.

        LD_ENABLE_AUTH_PROXY: True
        LD_AUTH_PROXY_USERNAME_HEADER: HTTP_REMOTE_USER

I tried various combinations of header names and nothing seems to work with LD.

helmut72 commented 11 months ago

Same for me, but with oauth2-proxy and keycloak. My configuration is HTTP_X_FORWARDED_PREFERRED_USERNAME.

It would be cool if at least some debug options were possible, showing which header Linkding gets and which it uses. Using the whoami container instead of linkding outputs X_FORWARDED_PREFERRED_USERNAME.

A few other services with HTTP header auth work.

Edit: Strange, it works now. I deleted the Linkding data files, logged out and in again in Keycloak, and used a private browser session.
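The header-name mapping discussed in this thread, as an added diagnostic example that is not part of the thread and not linkding's own code: it converts the header names a proxy forwards into the `HTTP_`-prefixed key form and checks a candidate `LD_AUTH_PROXY_USERNAME_HEADER` value against them. It assumes the setting is looked up as a WSGI/Django `request.META` key, as the `HTTP_` prefix advice implies; the function names, issue codes and the `FORWARDED` sample list are hypothetical.

```python
# Added diagnostic example; not linkding code. Assumes the configured value is
# looked up as a WSGI/Django request.META key, as the HTTP_ advice above implies.

def wsgi_meta_key(header_name: str) -> str:
    """Map an on-the-wire HTTP header name to its WSGI environ / request.META key."""
    name = header_name.strip().upper().replace("-", "_")
    # Per the WSGI/CGI convention these two headers carry no HTTP_ prefix.
    if name in ("CONTENT_TYPE", "CONTENT_LENGTH"):
        return name
    return "HTTP_" + name


def diagnose(configured: str, forwarded_headers: list[str]) -> list[str]:
    """Return issue codes for an LD_AUTH_PROXY_USERNAME_HEADER value."""
    issues = []
    value = configured.strip()
    if value.startswith(("'", '"')) or value.endswith(("'", '"')):
        # Quotes that survive into the environment variable are part of the
        # key, so the lookup can never match.
        issues.append("literal-quotes")
        value = value.strip("'\"")
    if "-" in value or value != value.upper():
        issues.append("not-meta-format")
    if not value.upper().startswith("HTTP_"):
        issues.append("missing-http-prefix")
    expected = {wsgi_meta_key(h) for h in forwarded_headers}
    if value not in expected:
        issues.append("no-matching-header")
    return issues


# Constructed sample: header names taken from the Traefik authResponseHeaders
# list and the Remote-User header mentioned in the thread.
FORWARDED = ["X-authentik-username", "X-authentik-email", "Remote-User"]

if __name__ == "__main__":
    for candidate in ("X_AUTHENTIK_USERNAME",
                      "HTTP_X_AUTHENTIK_USERNAME",
                      "'HTTP_X_AUTHENTIK_USERNAME'",
                      "X-authentik-username",
                      "HTTP_REMOTE_USER"):
        print(f"{candidate!r:32} -> {diagnose(candidate, FORWARDED) or 'ok'}")
```

An empty result only means the value is well-formed and matches a forwarded header name; it does not show that the header actually reaches the container.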