I have recently discovered Authelia, which works with a reverse proxy (Traefik, in my case) to provide authentication and authorisation.
If an application supports it, it’s very elegant - the reverse proxy takes care of all the authentication and session data, and the application just needs to pay attention to HTTP headers (Remote-User, primarily) to know who is currently logged in.
Would be great if reverse proxy header authentication could be added to the roadmap!
There’s been an attempt in the past to add that here and here. Unfortunately that has gone stale, if anyone wants to pick it up I’m all open for it.
Sorry, I think I might have caused confusion by describing the auth method incorrectly.
“Forward auth” is what I’m after. This can be provided by Authelia or Authentik. Those PRs were for Pomerium, which works differently.
So the Vikunja API would only need to verify if the headers Authelia / Authentik sends through the proxy are correct and use the user provided in them?
That’s correct. The idea is that the service (in this case Vikunja) is never exposed to the Internet so it can implicitly trust the headers being passed to it by Traefik/Authelia. APIs are an exception - they tend to handle authentication differently e.g. with a key or token so they can bypass Authelia.
With regards to user management, I’ve seen two ways of it being handled. One way is for the service to automatically create a new user if it receives a Remote-User header it has never seen before. The other way is to require an account to be manually created first.
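As an added illustration of the model discussed in this thread (not Vikunja's code, and not something Authelia or Authentik ship), the Go sketch below does the two things a backend behind forward auth has to get right: it honours `Remote-User` only when the connection really came from the reverse proxy's network, so a client that reaches the service directly cannot spoof the header, and it applies one of the two user-management policies mentioned above (auto-create on first sight, or require a pre-created account). The trusted CIDR, the in-memory `UserStore`, the `X-Authenticated-User` downstream header and the sample addresses are all assumptions made for the example.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"strings"
	"sync"
)

// Added example, not Vikunja code. UserStore is a stand-in for the
// application's user table (assumption). AutoCreate selects the policy:
// true provisions unknown Remote-User values on the fly, false rejects them.
type UserStore struct {
	mu         sync.Mutex
	users      map[string]bool
	AutoCreate bool
}

func NewUserStore(autoCreate bool, existing ...string) *UserStore {
	s := &UserStore{users: map[string]bool{}, AutoCreate: autoCreate}
	for _, u := range existing {
		s.users[u] = true
	}
	return s
}

// Resolve reports whether name is a usable account under the configured policy.
func (s *UserStore) Resolve(name string) bool {
	s.mu.Lock()
	defer s.mu.Unlock()
	if s.users[name] {
		return true
	}
	if s.AutoCreate {
		s.users[name] = true // first-time user, created on the fly
		return true
	}
	return false
}

// ProxyAuth honours Remote-User only from Trusted (the proxy's network, assumed).
type ProxyAuth struct {
	Trusted *net.IPNet
	Store   *UserStore
}

func NewProxyAuth(cidr string, store *UserStore) *ProxyAuth {
	_, n, err := net.ParseCIDR(cidr)
	if err != nil {
		panic(err)
	}
	return &ProxyAuth{Trusted: n, Store: store}
}

// Decide returns the authenticated username and the HTTP status to use:
// 200 with the user; 403 when the header arrived from an untrusted peer or
// names an account the policy does not accept; 401 when no header is set.
func (p *ProxyAuth) Decide(remoteAddr, remoteUser string) (string, int) {
	host, _, err := net.SplitHostPort(remoteAddr)
	if err != nil {
		host = remoteAddr
	}
	ip := net.ParseIP(host)
	if ip == nil || !p.Trusted.Contains(ip) {
		// Direct connection bypassing Traefik/Authelia: the header is
		// attacker-controlled, so it must never be honoured.
		return "", http.StatusForbidden
	}
	name := strings.TrimSpace(remoteUser)
	if name == "" {
		return "", http.StatusUnauthorized
	}
	if !p.Store.Resolve(name) {
		return "", http.StatusForbidden
	}
	return name, http.StatusOK
}

// Handler is the middleware form of Decide.
func (p *ProxyAuth) Handler(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		user, status := p.Decide(r.RemoteAddr, r.Header.Get("Remote-User"))
		if status != http.StatusOK {
			http.Error(w, http.StatusText(status), status)
			return
		}
		r.Header.Set("X-Authenticated-User", user) // hypothetical downstream contract
		next.ServeHTTP(w, r)
	})
}

func main() {
	// Constructed scenario: proxy lives in 10.0.0.0/24, manual-account policy.
	auth := NewProxyAuth("10.0.0.0/24", NewUserStore(false, "alice"))
	h := auth.Handler(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintf(w, "hello %s", r.Header.Get("X-Authenticated-User"))
	}))
	for _, c := range []struct{ addr, user string }{
		{"10.0.0.2:51000", "alice"},   // via proxy, known user -> 200
		{"10.0.0.2:51000", "mallory"}, // via proxy, unknown user -> 403
		{"203.0.113.7:4444", "alice"}, // direct, spoofed header -> 403
	} {
		req := httptest.NewRequest("GET", "/", nil)
		req.RemoteAddr = c.addr
		req.Header.Set("Remote-User", c.user)
		rec := httptest.NewRecorder()
		h.ServeHTTP(rec, req)
		fmt.Println(c.addr, c.user, rec.Code)
	}
}
```

The peer-address check is the part that matters most: with it, a spoofed `Remote-User` from anywhere other than the proxy is rejected, which is what makes "never exposed to the Internet" a verifiable property rather than a deployment assumption. Real deployments should also consider that any tokens or API keys used to bypass the proxy, as mentioned above, need their own check before this middleware runs.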