From 7798a046db8b75a62c9db0d0e2e1e2242ee3171e Mon Sep 17 00:00:00 2001
From: Jens Langhammer
Date: Tue, 13 Apr 2021 20:50:45 +0200
Subject: [PATCH 1/2] outpost: fix API calls being made with basic

Signed-off-by: Jens Langhammer
---
 outpost/pkg/ak/api.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/outpost/pkg/ak/api.go b/outpost/pkg/ak/api.go
index 2cb94517a..88dd96306 100644
--- a/outpost/pkg/ak/api.go
+++ b/outpost/pkg/ak/api.go
@@ -44,7 +44,7 @@ func NewAPIController(pbURL url.URL, token string) *APIController {
 transport.Transport = SetUserAgent(getTLSTransport(), fmt.Sprintf("authentik-proxy@%s", pkg.VERSION))
 // create the transport
- auth := httptransport.BasicAuth("", token)
+ auth := httptransport.BearerToken(token)
 // create the API client, with the transport
 apiClient := client.New(transport, strfmt.Default)
From 5a25e6d69728cca49da51cecd5b6501e096b883b Mon Sep 17 00:00:00 2001
From: Jens Langhammer
Date: Tue, 13 Apr 2021 21:06:04 +0200
Subject: [PATCH 2/2] api: add legacy support for older outposts

Signed-off-by: Jens Langhammer
---
 authentik/api/auth.py | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/authentik/api/auth.py b/authentik/api/auth.py
index 6bcd511f7..a2f36c208 100644
--- a/authentik/api/auth.py
+++ b/authentik/api/auth.py
@@ -1,5 +1,5 @@
 """API Authentication"""
-from base64 import b64decode
+from base64 import b64decode, b64encode
 from binascii import Error
 from typing import Any, Optional, Union
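Review bot: In the outpost/pkg/ak/api.go hunk, the comment `// create the transport` sits directly above the changed `auth := httptransport.BearerToken(token)` line but appears to describe the transport set up on the line before it, so nothing at this statement says which scheme the outpost now sends. I would replace it with `// authenticate API requests with the outpost token as a bearer token`. NewAPIController starts and ends outside the hunk.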
@@ -15,9 +15,14 @@ LOGGER = get_logger()
 def token_from_header(raw_header: bytes) -> Optional[Token]:
 """raw_header in the Format of `Basic dGVzdDp0ZXN0`"""
 auth_credentials = raw_header.decode()
- # Accept headers with Type format and without
+ # Legacy, accept basic auth thats fully encoded (2021.3 outposts)
 if " " not in auth_credentials:
- return None
+ try:
+ plain = b64decode(auth_credentials.encode()).decode()
+ auth_type, body = plain.split()
+ auth_credentials = f"{auth_type} {b64encode(body.encode()).decode()}"
+ except (UnicodeDecodeError, Error):
+ return None
 auth_type, auth_credentials = auth_credentials.split()
 if auth_type.lower() not in ["basic", "bearer"]:
 LOGGER.debug("Unsupported authentication type, denying", type=auth_type.lower())
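Review bot: In the new legacy branch of token_from_header, `auth_type, body = plain.split()` raises a plain ValueError whenever the decoded header does not split into exactly two whitespace-separated parts, and the `except (UnicodeDecodeError, Error)` clause does not catch it. This code runs on a client-supplied Authorization header before any credential is checked, so a malformed value would presumably surface as an unhandled exception rather than a denied request; the caller is not visible here. Widening the handler to `except (UnicodeDecodeError, Error, ValueError):` keeps that failure on the `return None` path. The unchanged `auth_credentials.split()` unpacking right after the branch has the same shape for headers with more than one space, and the function body continues past the end of the hunk.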