outposts/proxy: allow setting no-redirect via header or query param
closes #4455 Signed-off-by: Jens Langhammer <jens@goauthentik.io>
parent
75d4246b79
commit
19ee98b36d
|
@ -35,7 +35,8 @@ func (a *Application) redirectToStart(rw http.ResponseWriter, r *http.Request) {
|
|||
if err != nil {
|
||||
a.log.WithError(err).Warning("failed to decode session")
|
||||
}
|
||||
if r.Header.Get(constants.HeaderNoRedirect) == "true" {
|
||||
if r.Header.Get(constants.HeaderNoRedirect) != "" ||
|
||||
r.URL.Query().Get(strings.ToLower(constants.HeaderNoRedirect)) != "" {
|
||||
rw.WriteHeader(401)
|
||||
er := a.errorTemplates.Execute(rw, ErrorPageData{
|
||||
Title: "Unauthenticated",
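Review bot: The new condition in redirectToStart is presence-only, so `X-Authentik-No-Redirect: false` or `?x-authentik-no-redirect=0` now produces the 401 page, whereas the removed line required exactly `true`. The documentation changed in this commit says "any value", so this looks intended, but the check should carry a comment saying so, e.g. `// Presence-only: any non-empty header or query value (even "false") suppresses the redirect and returns 401.` The two lookups also differ in matching: `r.Header.Get` canonicalises the name, while `r.URL.Query().Get` is case-sensitive, so only the exact lower-case key is honoured. Because the query string can be set by whoever authors a link and not only by the calling client, a crafted URL can presumably make an unauthenticated visitor get the 401 page instead of the login flow; this is no authentication bypass, but confirm it is acceptable and that the parameter may safely travel on with the request. The function body starts and ends outside this hunk.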
|
||||
|
|
|
@ -21,7 +21,11 @@ If the user does not have a matching attribute, authentik falls back to using th
|
|||
|
||||
## Receiving authentication
|
||||
|
||||
It is recommended to set the `X-Authentik-No-Redirect` header to `true` to prevent redirects when sending requests via the below methods. This prevents additional load when unauthenticated requests are retried and all get redirected to a flow executor.
|
||||
By default, when the proxy provider receives credentials that aren't valid for itself, it will start a normal authentication flow, and redirect to the flow start page. Some applications might require a 401 response to prompt for credentials.
|
||||
|
||||
To always return a 401 response when authentication headers are missing/invalid, you can either set the `X-Authentik-No-Redirect` header to any value or the query parameter `x-authentik-no-redirect` to any value.
|
||||
|
||||
This is the default behaviour as some applications use the Authorization header for themselves, and as such if the proxy provider would check it, these applications would be inaccessible.
|
||||
|
||||
### Receiving HTTP Basic authentication
|
||||
|
||||
|
|