outposts/proxy: allow setting no-redirect via header or query param

closes #4455

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
Jens Langhammer 2023-01-17 10:56:43 +01:00
parent 75d4246b79
commit 19ee98b36d
2 changed files with 7 additions and 2 deletions


@ -35,7 +35,8 @@ func (a *Application) redirectToStart(rw http.ResponseWriter, r *http.Request) {
if err != nil {
a.log.WithError(err).Warning("failed to decode session")
}
if r.Header.Get(constants.HeaderNoRedirect) == "true" {
if r.Header.Get(constants.HeaderNoRedirect) != "" ||
r.URL.Query().Get(strings.ToLower(constants.HeaderNoRedirect)) != "" {
rw.WriteHeader(401)
er := a.errorTemplates.Execute(rw, ErrorPageData{
Title: "Unauthenticated",
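Review bot: The query-parameter branch on the second added line only triggers when the parameter carries a non-empty value, so a request with `?x-authentik-no-redirect` and no `=value` still gets the redirect, although the markdown hunk below promises a 401 for "any value"; if the module's Go version is 1.17 or later, `r.URL.Query().Has(strings.ToLower(constants.HeaderNoRedirect))` tests presence instead and matches the documented contract. The header side is fine as written, since an empty header value is indistinguishable from an absent header. Note also that `X-Authentik-No-Redirect: false` now disables the redirect too, and the sentence in the docs hunk that still says to set the header to `true` has not been updated to the new "any value" wording — worth aligning the two. redirectToStart continues outside the hunk.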


@ -21,7 +21,11 @@ If the user does not have a matching attribute, authentik falls back to using th
## Receiving authentication
It is recommended to set the `X-Authentik-No-Redirect` header to `true` to prevent redirects when sending requests via the below methods. This prevents additional load when unauthenticated requests are retried and all get redirected to a flow executor.
By default, when the proxy provider receives credentials that aren't valid for itself, it will start a normal authentication flow, and redirect to the flow start page. Some applications might require a 401 response to prompt for credentials.
To always return a 401 response when authentication headers are missing/invalid, you can either set the `X-Authentik-No-Redirect` header to any value or the query parameter `x-authentik-no-redirect` to any value.
This is the default behaviour as some applications use the Authorization header for themselves, and as such if the proxy provider would check it, these applications would be inaccessible.
### Receiving HTTP Basic authentication