From 60b95271ebe39dcebe394a1441a89ff07ec13b8d Mon Sep 17 00:00:00 2001 From: Jens Langhammer Date: Wed, 1 Dec 2021 20:19:09 +0100 Subject: [PATCH] outposts/proxy: add additional headers Signed-off-by: Jens Langhammer --- authentik/providers/proxy/api.py | 7 +++- .../proxyv2/application/mode_common.go | 5 +++ schema.yml | 10 +++++ website/docs/providers/proxy/proxy.md | 42 +++++++++++++++---- 4 files changed, 55 insertions(+), 9 deletions(-) diff --git a/authentik/providers/proxy/api.py b/authentik/providers/proxy/api.py index af9b84630..3ca998614 100644 --- a/authentik/providers/proxy/api.py +++ b/authentik/providers/proxy/api.py @@ -3,7 +3,7 @@ from typing import Any, Optional from drf_spectacular.utils import extend_schema_field from rest_framework.exceptions import ValidationError -from rest_framework.fields import CharField, ListField, SerializerMethodField +from rest_framework.fields import CharField, ListField, ReadOnlyField, SerializerMethodField from rest_framework.serializers import ModelSerializer from rest_framework.viewsets import ModelViewSet, ReadOnlyModelViewSet @@ -109,6 +109,9 @@ class ProxyProviderViewSet(UsedByMixin, ModelViewSet): class ProxyOutpostConfigSerializer(ModelSerializer): """Proxy provider serializer for outposts""" + assigned_application_slug = ReadOnlyField(source="application.slug") + assigned_application_name = ReadOnlyField(source="application.name") + oidc_configuration = SerializerMethodField() token_validity = SerializerMethodField() scopes_to_request = SerializerMethodField() @@ -152,6 +155,8 @@ class ProxyOutpostConfigSerializer(ModelSerializer): "cookie_domain", "token_validity", "scopes_to_request", + "assigned_application_slug", + "assigned_application_name", ] diff --git a/internal/outpost/proxyv2/application/mode_common.go b/internal/outpost/proxyv2/application/mode_common.go index 795ba5e41..e3ff6ad30 100644 --- a/internal/outpost/proxyv2/application/mode_common.go 
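Review bot: `ReadOnlyField(source="application.slug")` and `source="application.name")` on ProxyOutpostConfigSerializer walk a relation that may be absent, and as far as I know DRF resolves a missing related object to `None` instead of raising, so a provider with no application would serialise both new fields as null. The schema.yml hunk declares them as required, non-nullable strings, and the addHeaders hunk in mode_common.go forwards the slug as `X-authentik-meta-app` with no emptiness check, so an upstream would receive an empty application identity. If the viewset's queryset (not visible in this diff) does not already exclude providers without an application, either filter them there or handle the empty case at the consumer, e.g. `if slug := a.proxyConfig.AssignedApplicationSlug; slug != "" { headers.Set("X-authentik-meta-app", slug) } else { headers.Del("X-authentik-meta-app") }`.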
+++ b/internal/outpost/proxyv2/application/mode_common.go @@ -24,6 +24,11 @@ func (a *Application) addHeaders(headers http.Header, c *Claims) { headers.Set("X-authentik-name", c.Name) headers.Set("X-authentik-uid", c.Sub) + // System headers + headers.Set("X-authentik-meta-outpost", a.outpostName) + headers.Set("X-authentik-meta-provider", a.proxyConfig.Name) + headers.Set("X-authentik-meta-app", a.proxyConfig.AssignedApplicationSlug) + userAttributes := c.Proxy.UserAttributes // Attempt to set basic auth based on user's attributes if *a.proxyConfig.BasicAuthEnabled { diff --git a/schema.yml b/schema.yml index 0077029a1..77905dc2b 100644 --- a/schema.yml +++ b/schema.yml @@ -28984,7 +28984,17 @@ components: items: type: string readOnly: true + assigned_application_slug: + type: string + description: Internal application name, used in URLs. + readOnly: true + assigned_application_name: + type: string + description: Application's display Name. + readOnly: true required: + - assigned_application_name + - assigned_application_slug - external_host - name - oidc_configuration diff --git a/website/docs/providers/proxy/proxy.md b/website/docs/providers/proxy/proxy.md index dfaeb883f..8f4c94533 100644 --- a/website/docs/providers/proxy/proxy.md +++ b/website/docs/providers/proxy/proxy.md 
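Review bot: The `// System headers` comment in addHeaders does not record the property an upstream relies on: all three values are written with `Set`, so any `X-authentik-meta-*` value the client sent is replaced rather than appended to. I would spell that out, e.g. `// System headers identify the outpost, provider and application; Set (not Add) so client-supplied values are overwritten`. Whether the guarantee holds end to end depends on where `headers` ends up, which this hunk does not show (the function body continues past it). If addHeaders also fills a forward-auth response, the fronting reverse proxy has to be configured to copy the three new header names, otherwise a client-sent `X-authentik-meta-app` could reach the upstream unchanged; the proxy.md section would be the place to state that.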
@@ -2,20 +2,46 @@ title: Overview --- -The proxy outpost sets the following headers: +The proxy outpost sets the following user-specific headers: -``` -X-authentik-username: akadmin # The username of the currently logged in user -X-authentik-groups: foo|bar|baz # The groups the user is member of, separated by a pipe -X-authentik-email: root@localhost # The email address of the currently logged in user -X-authentik-name: authentik Default Admin # Full name of the current user -X-authentik-uid: 900347b8a29876b45ca6f75722635ecfedf0e931c6022e3a29a8aa13fb5516fb # The hashed identifier of the currently logged in user. -``` +- X-authentik-username: `akadmin` + + The username of the currently logged in user + +- X-authentik-groups: `foo|bar|baz` + + The groups the user is member of, separated by a pipe + +- X-authentik-email: `root@localhost` + + The email address of the currently logged in user + +- X-authentik-name: `authentik Default Admin` + + Full name of the current user + +- X-authentik-uid: `900347b8a29876b45ca6f75722635ecfedf0e931c6022e3a29a8aa13fb5516fb` + + The hashed identifier of the currently logged in user. Additionally, you can set `additionalHeaders` on groups or users to set additional headers. If you enable *Set HTTP-Basic Authentication* option, the HTTP Authorization header is being set. +Besides these user-specific headers, some application specific headers are also set: + +- X-authentik-meta-outpost: `authentik Embedded Outpost` + + The authentik outpost's name. + +- X-authentik-meta-provider: `test` + + The authentik provider's name. + +- X-authentik-meta-app: `test` + + The authentik application's slug. + # HTTPS The outpost listens on both 9000 for HTTP and 9443 for HTTPS.