From 19ee98b36db4c82c956e03f273fb0a9e9bf83a0a Mon Sep 17 00:00:00 2001
From: Jens Langhammer
Date: Tue, 17 Jan 2023 10:56:43 +0100
Subject: [PATCH] outposts/proxy: allow setting no-redirect via header or query param

closes #4455

Signed-off-by: Jens Langhammer
---
 internal/outpost/proxyv2/application/utils.go | 3 ++-
 website/docs/providers/proxy/header_authentication.md | 6 +++++-
 2 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/internal/outpost/proxyv2/application/utils.go b/internal/outpost/proxyv2/application/utils.go
index 085c82a1b..6968c8f45 100644
--- a/internal/outpost/proxyv2/application/utils.go
+++ b/internal/outpost/proxyv2/application/utils.go
@@ -35,7 +35,8 @@ func (a *Application) redirectToStart(rw http.ResponseWriter, r *http.Request) {
 if err != nil {
 a.log.WithError(err).Warning("failed to decode session")
 }
-if r.Header.Get(constants.HeaderNoRedirect) == "true" {
+if r.Header.Get(constants.HeaderNoRedirect) != "" ||
+r.URL.Query().Get(strings.ToLower(constants.HeaderNoRedirect)) != "" {
 rw.WriteHeader(401)
 er := a.errorTemplates.Execute(rw, ErrorPageData{
 Title: "Unauthenticated",
diff --git a/website/docs/providers/proxy/header_authentication.md b/website/docs/providers/proxy/header_authentication.md
index d774f6ca6..7509d6ba4 100644
--- a/website/docs/providers/proxy/header_authentication.md
+++ b/website/docs/providers/proxy/header_authentication.md
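Review bot: The new condition treats any non-empty value as opting out of the redirect, so a client that sends `X-Authentik-No-Redirect: false` or `?x-authentik-no-redirect=0` now gets the 401 page where the old `== "true"` check would have redirected; if that is intended, state it at the check, e.g. `// Any non-empty value opts out of the redirect; "false"/"0" are not special-cased (see docs).`, otherwise parse the value with strconv.ParseBool. The header lookup is canonicalised by net/http while the query lookup is an exact lower-case match, so `?X-Authentik-No-Redirect=1` is silently ignored; a comment should also record that, because the value can arrive in the URL, any link can make an unauthenticated browser user land on the 401 page instead of the login flow, which is acceptable for the documented API-client use but is a behaviour operators should know about. `strings.ToLower(constants.HeaderNoRedirect)` is recomputed on every request and could be hoisted to a package-level constant; it presumably compiles because `strings` was already imported, since the diffstat shows no import change. redirectToStart starts before and ends after this hunk.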
@@ -21,7 +21,11 @@ If the user does not have a matching attribute, authentik falls back to using th ## Receiving authentication -It is recommended to set the `X-Authentik-No-Redirect` header to `true` to prevent redirects when sending requests via the below methods. This prevents additional load when unauthenticated requests are retried and all get redirected to a flow executor. +By default, when the proxy provider receives credentials that aren't valid for itself, it will start a normal authentication flow, and redirect to the flow start page. Some applications might require a 401 response to prompt for credentials. + +To always return a 401 response when authentication headers are missing/invalid, you can either set the `X-Authentik-No-Redirect` header to any value or the query parameter `x-authentik-no-redirect` to any value. + +This is the default behaviour as some applications use the Authorization header for themselves, and as such if the proxy provider would check it, these applications would be inaccessible. ### Receiving HTTP Basic authentication