[Enhancement]: Support Reverse Proxy Authentication / Forward Authentication #3936

Open
balki opened this issue Feb 5, 2025 · 2 comments
Labels
backlog Feature is not planned at the moment enhancement New feature or request

Comments

balki commented Feb 5, 2025

Type of Enhancement

Server Backend

Describe the Feature/Enhancement

Add a new type of authentication called Reverse Proxy Authentication.
When this type is enabled and the HTTP request contains the header X-WEBAUTH-USER, if the user exists in abs, log the user in automatically.

For ref: Gitea supports this: https://docs.gitea.com/administration/authentication#reverse-proxy

Why would this be helpful?

Tailscale and similar mesh networks are popular with self-hosters. In those cases the device is already authenticated with WireGuard. Additional passwords or authentication are not needed. Example Caddy (a reverse proxy web server) config:

audiobookshelf.example.com {
    @alice_phone client_ip 100.64.68.1
    @alice_lap client_ip 100.64.68.2
    @bob_phone client_ip 100.64.68.3

    @not_ts not client_ip 100.64.0.0/16

    request_header @alice_phone X-WEBAUTH-USER alice
    request_header @alice_lap X-WEBAUTH-USER alice
    request_header @bob_phone X-WEBAUTH-USER bob

    # Remove for others
    request_header @not_ts -X-WEBAUTH-USER

    reverse_proxy 127.0.0.1:5678
}

Future Implementation (Screenshot)

Just another checkbox in the list of supported authentication methods

Audiobookshelf Server Version

v2.19.0

Current Implementation (Screenshot)

I am not sure if this is already possible with OIDC or with the pull #3302. If so, please document which header needs to be set.

@balki balki added the enhancement New feature or request label Feb 5, 2025
@advplyr advplyr changed the title [Enhancement]: Support Reverse Proxy Authentication [Enhancement]: Support Reverse Proxy Authentication / Forward Authentication Feb 5, 2025
Owner

advplyr commented Feb 5, 2025

I've not heard this called reverse proxy authentication before. We've discussed this a few times as "forward authentication".

This isn't planned to be implemented for the reasons explained here #2189 (comment)

Basically we wouldn't be able to implement this cleanly/securely in the mobile apps.
And we already support OIDC which can be used to roll your own auth. Supporting this would add complexity to our existing auth setup.

@advplyr advplyr added the backlog Feature is not planned at the moment label Feb 5, 2025
Author

balki commented Feb 5, 2025

@advplyr Just to be clear, I am not requesting 'forward authentication' here. Reverse proxy auth is very simple.

# pseudocode
if (settings.reverse_proxy_auth_enabled && request.hasHeader('X-WEBAUTH-USER')) {
    user = request.headers['X-WEBAUTH-USER']
}

Should just work great for mobile apps and any other clients too. There are no extra settings, no separate authentication server, no cookies, no redirection, no logout etc. I don't think any of the concerns of forward_auth will apply.
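
The header check sketched in the pseudocode above, as an added example that is not part of the thread or of Audiobookshelf's code: it honours X-WEBAUTH-USER only when the TCP peer is the configured reverse proxy and the value is a single known user name. The function and setting names, the user-name pattern and the sample requests are assumptions made for illustration.

```javascript
// Added example; every name here is hypothetical, not Audiobookshelf's API.
const AUTH_HEADER = 'x-webauth-user'; // Node's http module lower-cases header names

// Node reports IPv4 peers on dual-stack sockets as ::ffff:a.b.c.d
function normalizePeer(addr) {
  return typeof addr === 'string' ? addr.replace(/^::ffff:/i, '') : '';
}

// peerAddress must be the socket's remote address, never X-Forwarded-For,
// which the client controls just like X-WEBAUTH-USER itself.
function resolveProxyUser(settings, peerAddress, headers, knownUsers) {
  if (!settings.reverseProxyAuthEnabled) return { user: null, reason: 'disabled' };
  const raw = headers[AUTH_HEADER];
  if (raw === undefined) return { user: null, reason: 'no-header' };
  // Header present but the connection did not come from the proxy:
  // never trust it, and log it, since ordinary clients do not send this header.
  if (!settings.trustedProxies.has(normalizePeer(peerAddress))) {
    return { user: null, reason: 'untrusted-peer' };
  }
  // Node joins repeated custom headers as "a, b"; accept one plain name only.
  // The allowed-character pattern is an assumption.
  if (typeof raw !== 'string' || !/^[A-Za-z0-9._-]{1,64}$/.test(raw)) {
    return { user: null, reason: 'malformed-header' };
  }
  if (!knownUsers.has(raw)) return { user: null, reason: 'unknown-user' };
  return { user: raw, reason: 'ok' };
}

// Constructed sample: Caddy on the same host proxies to 127.0.0.1:5678.
const settings = { reverseProxyAuthEnabled: true, trustedProxies: new Set(['127.0.0.1', '::1']) };
const knownUsers = new Set(['alice', 'bob']);
const samples = [
  ['::ffff:127.0.0.1', { 'x-webauth-user': 'alice' }], // via the proxy
  ['100.64.68.9', { 'x-webauth-user': 'alice' }],      // direct to the backend port
  ['127.0.0.1', { 'x-webauth-user': 'alice, bob' }],   // duplicated header
  ['127.0.0.1', { 'x-webauth-user': 'mallory' }],      // no such account
  ['127.0.0.1', {}],                                   // falls through to normal login
];
for (const [peer, headers] of samples) {
  const result = resolveProxyUser(settings, peer, headers, knownUsers);
  console.log(peer, JSON.stringify(headers), '->', result.reason);
}
```

Binding the backend to 127.0.0.1 so that only the proxy can reach port 5678 is the complementary control; the peer check covers the case where that binding is misconfigured.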
