31 lines
1.3 KiB
Plaintext
31 lines
1.3 KiB
Plaintext
---
|
|
title: Forward auth
|
|
---
|
|
|
|
Using forward auth uses your existing reverse proxy to do the proxying, and only uses the authentik outpost to check authentication and authorization.
|
|
|
|
To use forward auth instead of proxying, you have to change a couple of settings.
|
|
In the Proxy Provider, make sure to use one of the Forward auth modes.
|
|
|
|
## Single application
|
|
|
|
Single application mode works for a single application hosted on its dedicated subdomain. This has the advantage that you can still do per-application access policies in authentik.
|
|
|
|
## Domain level
|
|
|
|
To use forward auth instead of proxying, you have to change a couple of settings.
|
|
In the Proxy Provider, make sure to use the _Forward auth (domain level)_ mode.
|
|
|
|
This mode differs from the _Forward auth (single application)_ mode in the following points:
|
|
|
|
- You don't have to configure an application in authentik for each domain
|
|
- Users don't have to authorize multiple times
|
|
|
|
There are however also some downsides, mainly the fact that you **can't** restrict individual applications to different users.
|
|
|
|
The only configuration difference between single application and domain level is the host you specify.
|
|
|
|
For single application, you'd use the domain which the application is running on, and only `/outpost.goauthentik.io` is redirected to the outpost.
|
|
|
|
For domain level, you'd use the same domain as authentik.
|