Forward auth

[notnooblord]

Some of popular proxies have forward auth functionaly, that basically forward cookie or token (headers) to auth service.

https://doc.traefik.io/traefik/middlewares/http/forwardauth/

After parsing request headers from proxy auth service will actually decide if user is authorized and allowed to access resource, or redirect user to authentication page.

This functionality is very useful for services not compatible with oauth and hidden behind proxy.
Auth service (in our case fief) can also pass headers with groups, roles, etc so they can be used on backend that is using “forwarded auth”.

I thinks it is possible to implement forward auth as external service based on fief or directly in fief.

Thoughts ?

[fief-bailiff[bot]]

Hail, @notnooblord 👋 Welcome to Fief's kingdom!

Our team will get back to you very soon to help.

In the meantime, take a minute to star our repository ⭐️

Want to support us?

Subscribe to one of our paid plan to help us continue our work and receive exclusive information and benefits! Starts at $5/month 🪙

Farewell!

[frankie567]

Hello @notnooblord 👋

That's super interesting, and I thought about that too. I've used OAuth2 Proxy in the past with Traefik forward auth pattern and found it very neat.

I think it would be nice to have this in Fief. It would require us to:

• Implement a dedicated "forwardauth" endpoint that would:
  • Check the provided token and return the authentication headers
  • or redirect to a login flow
• This endpoint should probably accept a scope as query parameters (to ask for the right scope when authenticating user)
• Add a documentation example to show how to configure Traefik and a sample backend reading those headers

I'll add this to the backlog, really love the idea :)