1
Authelia: Dynamically checking if auth needed based on request? (alien.top)
submitted 1 year ago by softwareguy74@alien.top to c/main@selfhosted.forum
4 comments fedilink hide all child comments

I'm building a multi tenant SaaS offering on top of Kubernetes. My understanding is that Authelia runs at the ingress/proxy layer (nginx, traefik, etc) before hitting the app service.

I like this idea since you technically would not have to build anything directly in each of the apps to handle authentication. However, because of the dynamic nature of this SaaS I need to have a layer in there somewhere that can first query something (API, database, cache,etc) that based on data from the incoming request would tell authelia if auth is required or not.

Is this possible with authelia? If so, any examples of how this might work?

top 4 comments
sorted by: hot top controversial new old
[-] probablyjustpaul@alien.top 1 points 1 year ago

Authelia can operate at the proxy level as you said, but it can also work at the application level. Authelia implements the OpenIDConnect standard which is designed first as a way for applications to authenticate users using client side redirects.

My recommendation would be to build (or potentially find) a piece of middleware that performs your API/DB query and then redirects to Authelia based on the response. Depending on what proxy/LB you're using it might even support this natively

[-] lilolalu@alien.top 1 points 1 year ago

Can you not just send the users request to two different URL, based on the decision if it needs auth or not? That would not be authelias task but your internal url routers. Authelia would handle the authentication on the path that requires auth and your proxy would directly serve the "open" content. The logic would have to take place in your app.

myapp.org/ checks what it's going to be

myapp.org/secret/ serves content you need to be authenticated for

myapp.ort/open/ serves content that doesn't need auth.

[-] softwareguy74@alien.top 1 points 1 year ago

So the url can be anything and would not be known ahead of time if it is secure or not, because we allow the user to set a flag on that "resource" which is database driven. So, if someone goes to myapp.com/path1 right now, it may allow anonymous but 10 minutes later may require authentication. So we can't hardcode paths in authelia ahead of time.

I'm thinking more about this, sounds like we need something in FRONT of authelia for this, right? So whatever that thing is, will forward to authelia or not.

[-] lilolalu@alien.top 1 points 1 year ago

I think that authelia is not really made for this scenario, so if you want to use authelia, I think you would have to loop back to before authelia and redirect to the different (auth / non-auth) urls.

I am pretty sure though you are not the first person to have this requirement so probably there is a better solution, but I would have no idea what to search for.

Generally speaking most proxies like haproxy or nginx are scriptable (HAproxy via Lua for example) so maybe that's something you could let ok into. This article sounds s bit like your scenario:

https://www.egnyte.com/blog/post/dynamic-backends-in-haproxy-with-lua

this post was submitted on 19 Oct 2023
1 points (100.0% liked)

Self-Hosted Main

504 readers
1 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

For Example

We welcome posts that include suggestions for good self-hosted alternatives to popular online services, how they are better, or how they give back control of your data. Also include hints and tips for less technical readers.

Useful Lists

founded 1 year ago
MODERATORS
communick@selfhosted.forum