[DOCS] Introduce an FAQ and document forwarded authentication. (#962)

* add FAQ docs section
* add forwarded authentication section to deployments > supported proxies
* apply suggestions from code review

Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
This commit is contained in:
Clément Michaud 2020-05-03 05:18:13 +02:00 committed by GitHub
parent be0cc72473
commit da5c722cf8
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 29 additions and 1 deletions

View File

@ -1,7 +1,7 @@
---
layout: default
title: Community
nav_order: 8
nav_order: 9
has_children: true
---

View File

@ -33,6 +33,23 @@ The target URL can be provided using one of the following ways:
In the case of Traefik, these headers are automatically provided and therefore don't
appear in the configuration examples.
## How can the backend be aware of the authenticated users?
The only way Authelia can share information about the authenticated user currently is through the use of two HTTP headers:
`Remote-User` and `Remote-Groups`.
Those headers are returned by Authelia on requests to `/api/verify` and must be forwarded by the reverse proxy to the backends
needing them.
Please note that the backend must support the use of those headers to leverage that information, many
backends still don't (and probably won't) support it. However, we are working on solving this issue with OpenID Connect/OAuth2
which is a widely adopted open standard for access delegation.
So, if you're developing your own application, you can read those headers and use them. If you don't own the codebase of the
backend, you need to check whether it supports this type of authentication or not. If it does not, you have three options:
1. Enable authentication on the backend and make your users authenticate twice (not user-friendly).
2. Completely disable the authentication of your backend. This works only if all your users share the same privileges in the backend.
3. Many applications support OAuth2 so the last option would be to just wait for Authelia to be an OpenID Connect provider (https://github.com/authelia/authelia/issues/189).
## Redirection to the login portal
The endpoint `/api/verify` has different behaviors depending on whether

11
docs/faq.md Normal file
View File

@ -0,0 +1,11 @@
---
layout: default
title: FAQ
nav_order: 8
---
# Frequently asked questions
## How can the backend be aware of the authenticated users?
This question is solved [here](https://docs.authelia.com/deployment/supported-proxies/#how-can-the-backend-be-aware-of-the-authenticated-users).