providers/proxy: add token support for basic auth

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
This commit is contained in:
Jens Langhammer 2023-02-07 22:50:49 +01:00
parent 555b33c252
commit 3170b2f92c
No known key found for this signature in database
4 changed files with 12 additions and 2 deletions

View File

@ -28,7 +28,7 @@ func (a *Application) checkAuth(rw http.ResponseWriter, r *http.Request) (*Claim
bearer := a.checkAuthHeaderBearer(r) bearer := a.checkAuthHeaderBearer(r)
if bearer != "" { if bearer != "" {
a.log.Trace("checking bearer token") a.log.Trace("checking bearer token")
tc := a.attemptBearerAuth(r, bearer) tc := a.attemptBearerAuth(bearer)
if tc != nil { if tc != nil {
return a.saveAndCacheClaims(rw, r, tc.Claims) return a.saveAndCacheClaims(rw, r, tc.Claims)
} }

View File

@ -14,7 +14,15 @@ type TokenResponse struct {
IDToken string `json:"id_token"` IDToken string `json:"id_token"`
} }
const JWTUsername = "goauthentik.io/token"
func (a *Application) attemptBasicAuth(username, password string) *Claims { func (a *Application) attemptBasicAuth(username, password string) *Claims {
if username == JWTUsername {
res := a.attemptBearerAuth(password)
if res != nil {
return &res.Claims
}
}
values := url.Values{ values := url.Values{
"grant_type": []string{"client_credentials"}, "grant_type": []string{"client_credentials"},
"client_id": []string{a.oauthConfig.ClientID}, "client_id": []string{a.oauthConfig.ClientID},

View File

@ -27,7 +27,7 @@ type TokenIntrospectionResponse struct {
ClientID string `json:"client_id"` ClientID string `json:"client_id"`
} }
func (a *Application) attemptBearerAuth(r *http.Request, token string) *TokenIntrospectionResponse { func (a *Application) attemptBearerAuth(token string) *TokenIntrospectionResponse {
values := url.Values{ values := url.Values{
"client_id": []string{a.oauthConfig.ClientID}, "client_id": []string{a.oauthConfig.ClientID},
"client_secret": []string{a.oauthConfig.ClientSecret}, "client_secret": []string{a.oauthConfig.ClientSecret},

View File

@ -41,6 +41,8 @@ If the received credentials are invalid, a normal authentication flow is initiat
It is **strongly** recommended that the client sending requests with HTTP-Basic authentication persists the cookies returned by the outpost. If this is not the case, every request must be authenticated independently, which will increase load on the authentik server and encounter a performance hit. It is **strongly** recommended that the client sending requests with HTTP-Basic authentication persists the cookies returned by the outpost. If this is not the case, every request must be authenticated independently, which will increase load on the authentik server and encounter a performance hit.
::: :::
Starting with authentik 2023.2, logging in with the reserved username `goauthentik.io/token` will behave as if a bearer token was used. All the same options as below apply. This is to allow token-based authentication for applications which might only support basic authentication.
### Receiving HTTP Bearer authentication ### Receiving HTTP Bearer authentication
:::info :::info