1
0
mirror of https://github.com/0rangebananaspy/authelia.git synced 2024-09-14 22:47:21 +07:00
authelia/docs/features/single-factor.md
ThinkChaos ba65a3db82
feat(handlers): authorization header switch via query param to /api/verify ()
* [FEATURE] Add auth query param to /api/verify ()

When `/api/verify` is called with `?auth=basic`, use the standard
Authorization header instead of Proxy-Authorization.

* [FIX] Better basic auth error reporting

* [FIX] Return 401 when using basic auth instead of redirecting

* [TESTS] Add tests for auth=basic query param

* [DOCS] Mention auth=basic argument and provide nginx example

* docs: add/adjust basic auth query arg docs for proxies

Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2021-02-24 10:35:04 +11:00

3.0 KiB

layout title parent nav_order
default Single Factor Features 3

Single Factor

Authelia supports single factor authentication to let applications send authenticated requests to other applications.

Single or two-factor authentication can be configured per resource of an application for flexibility.

For instance, you can configure Authelia to grant access to all resources matching app1.example.com/api/(.*) with only a single factor and all resources matching app1.example.com/admin with two factors.

To know more about the configuration of the feature, please visit the documentation about the configuration.

HTTP Basic Auth

Authelia supports two different methods for basic auth.

Proxy-Authorization header

Authelia reads credentials from the header Proxy-Authorization instead of the usual Authorization header. This is because in some circumstances both Authelia and the application could require authentication in order to provide specific authorizations at the level of the application.

API argument

If instead of the Proxy-Authorization header you want, or need, to use the more conventional Authorization header, you should then configure your reverse-proxy to use /api/verify?auth=basic.
When authentication fails and auth=basic was set, Authelia's response will include the WWW-Authenticate header. This will cause browsers to prompt for authentication, and users will not land on the HTML login page.

Session-Username header

Authelia by default only verifies the cookie and the associated user with that cookie can access a protected resource. The client browser does not know the username and does not send this to Authelia, it's stored by Authelia for security reasons.

The Session-Username header has been implemented as a means to use Authelia with non-web services such as PAM. Basically how it works is if the Session-Username header is sent in the request to the /api/verify endpoint it will only respond with a sucess message if the cookie username and the header username match.

Example

These examples are for demonstration purposes only, the original use case and full instructions are described here. You will need to adjust the FORWARDED_HOST and VERIFY_URL vars to achieve a functional result.

PAM Rule

auth [success=1 default=ignore] pam_exec.so expose_authtok /usr/bin/pam-authelia

PAM Script

#!/bin/bash
# The password from stdin
PAM_PASSWORD=$(cat -)

# url from which authelia session key was created
FORWARDED_HOST=auth.example.com

# internal path to verify api
VERIFY_URL=http://127.0.0.1:80/api/verify

AUTH_RESULT=$(curl -b "authelia_session=${PAM_PASSWORD}" -H "Session-Username: ${PAM_USER}" -H "X-Forwarded-Host: ${FORWARDED_HOST}" -H "X-Forwarded-Proto: https" -s -o /dev/null -I -w "%{http_code}" -L "${VERIFY_URL}")

if [[ "$AUTH_RESULT" == 200 ]]; then
  echo "Auth verify ok"
  exit 0
else
  echo "Auth verify failed $AUTH_RESULT"
  exit 1
fi