diff --git a/docs/community/index.md b/docs/community/index.md index 33135454..b114f41b 100644 --- a/docs/community/index.md +++ b/docs/community/index.md @@ -1,7 +1,7 @@ --- layout: default title: Community -nav_order: 8 +nav_order: 9 has_children: true --- diff --git a/docs/deployment/supported-proxies/index.md b/docs/deployment/supported-proxies/index.md index a58589dc..51df1b93 100644 --- a/docs/deployment/supported-proxies/index.md +++ b/docs/deployment/supported-proxies/index.md @@ -33,6 +33,23 @@ The target URL can be provided using one of the following ways: In the case of Traefik, these headers are automatically provided and therefore don't appear in the configuration examples. +## How can the backend be aware of the authenticated users? + +The only way Authelia can share information about the authenticated user currently is through the use of two HTTP headers: +`Remote-User` and `Remote-Groups`. +Those headers are returned by Authelia on requests to `/api/verify` and must be forwarded by the reverse proxy to the backends +needing them. +Please note that the backend must support the use of those headers to leverage that information, many +backends still don't (and probably won't) support it. However, we are working on solving this issue with OpenID Connect/OAuth2 +which is a widely adopted open standard for access delegation. + +So, if you're developing your own application, you can read those headers and use them. If you don't own the codebase of the +backend, you need to check whether it supports this type of authentication or not. If it does not, you have three options: + +1. Enable authentication on the backend and make your users authenticate twice (not user-friendly). +2. Completely disable the authentication of your backend. This works only if all your users share the same privileges in the backend. +3. Many applications support OAuth2 so the last option would be to just wait for Authelia to be an OpenID Connect provider (https://github.com/authelia/authelia/issues/189). + ## Redirection to the login portal The endpoint `/api/verify` has different behaviors depending on whether diff --git a/docs/faq.md b/docs/faq.md new file mode 100644 index 00000000..bde0cb87 --- /dev/null +++ b/docs/faq.md @@ -0,0 +1,11 @@ +--- +layout: default +title: FAQ +nav_order: 8 +--- + +# Frequently asked questions + +## How can the backend be aware of the authenticated users? + +This question is solved [here](https://docs.authelia.com/deployment/supported-proxies/#how-can-the-backend-be-aware-of-the-authenticated-users). \ No newline at end of file