Traefik + TinyAuth + PocketID issues
from meathappening@lemmy.ml to selfhosted@lemmy.world on 01 Apr 17:20
https://lemmy.ml/post/45327843

I’m using TinyAuth for forwardauth but the service I’m trying to use consistently is saying the headers are not set (and I can verify, they’re not there.)

Traefik: in static config

entryPoints:
  web:
    address: ':80'
    transport:
      respondingTimeouts:
        readTimeout: 600s
        idleTimeout: 600s
        writeTimeout: 600s
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https
  websecure:
    address: ':443'
    http:
      tls:
        certResolver: letsencrypt
        domains:
          - main: domain.tld
            sans:
              - '*.domain.tld'
    forwardedHeaders:
      trustedIPs:
        - [TinyAuth IP]

in dynamic config:

tinyauth-auth:
  forwardAuth:
    address: "http://[TinyAuth IP]:3000/api/auth/traefik"
    trustForwardHeader: true
    authResponseHeaders:
      - Remote-User
      - Remote-Groups
      - Remote-Name
      - Remote-Email

This is set as a middleware in the app I’m trying to use.

in tinyauth:

TINYAUTH_APPURL=https://tinyapp.domain.tld/
TINYAUTH_AUTH_TRUSTEDPROXIES=[Traefik IP]
TINYAUTH_APPS_APP_CONFIG_DOMAIN='app.domain.tld'
TINYAUTH_APPS_APP_RESPONSE_HEADERS='Remote-User,Remote-Email,Remote-Group,Remote-Name,X-Remote-Name,X-Remote-User,X-Remote-Group,X-Remote-Email,Forwarded-Host,Forwarded-URI'

(I kept adding response headers hoping something would change)

PocketID is set as an OAuth provider and seems to be working fine, but I can provide further detail if needed.

Curiously, I tried changing the address in the traefik config to “tinyauth.domain.tld” and the headers came through properly, but the redirect went to tinyauth.domain.tld/api/auth/traefik.

I think this is actually my issue but they never posted their solution.

#selfhosted


kat@lemmy.blehiscool.com on 01 Apr 18:42

If you point Traefik’s forwardAuth at the internal service (e.g. http://<tinyauth-ip>:3000/api/auth/traefik), TinyAuth doesn’t see the correct X-Forwarded-* headers or original host, so it won’t return the auth headers properly.

If you switch to using the public URL instead, the headers should start working — but only once using the full endpoint:

tinyauth.domain.tld/api/auth/traefik

Not just the root URL.

That way:

  • the request goes through Traefik
  • forwarded headers are correct
  • TinyAuth trusts the proxy
  • and it returns the expected headers

Also worth double-checking that your header names match exactly (e.g. Remote-Groups vs Remote-Group).

So in short: don’t call TinyAuth directly by IP, go through the domain + correct path.
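As an added example (not code from this thread, from Traefik or from TinyAuth), here is a small Python model of what the forwardAuth middleware does: it describes the original request to the auth service with X-Forwarded-* headers, and copies back only the header names listed in authResponseHeaders. The TinyAuth endpoint is a constructed stand-in, and the Remote-Group vs Remote-Groups spelling follows the names in the configs posted above.

```python
# Added example, not Traefik's or TinyAuth's code: a minimal model of the
# forwardAuth middleware, showing that only header names listed in
# authResponseHeaders are copied upstream and that those names must match
# what the auth service actually returns. fake_tinyauth is a constructed
# stand-in for the /api/auth/traefik endpoint, not TinyAuth itself.

def forward_auth(request, auth_service, auth_response_headers):
    """Return ('pass', upstream_headers) or ('deny', status).

    request: dict with host, scheme, uri, client_ip, headers.
    auth_service: callable(forwarded_headers) -> (status, response_headers).
    auth_response_headers: the middleware's authResponseHeaders list.
    """
    # Traefik describes the original request to the auth service with
    # X-Forwarded-* headers; that is how it knows which app is being hit.
    forwarded = {
        "X-Forwarded-Host": request["host"],
        "X-Forwarded-Proto": request["scheme"],
        "X-Forwarded-Uri": request["uri"],
        "X-Forwarded-For": request["client_ip"],
        "X-Forwarded-Method": request.get("method", "GET"),
    }
    status, auth_headers = auth_service(forwarded)
    if not 200 <= status < 300:
        return ("deny", status)  # the auth service's reply goes back to the client
    # Only listed names are copied (header names compare case-insensitively);
    # a name the service never sends, or sends under another spelling such as
    # Remote-Group vs Remote-Groups, simply never reaches the app.
    wanted = {name.lower() for name in auth_response_headers}
    upstream = dict(request["headers"])
    for name, value in auth_headers.items():
        if name.lower() in wanted:
            upstream[name] = value
    return ("pass", upstream)


def fake_tinyauth(forwarded):
    """Constructed stand-in: allows app.domain.tld only and answers with
    Remote-Group (singular), as in the poster's TINYAUTH_APPS_APP_RESPONSE_HEADERS."""
    if forwarded["X-Forwarded-Host"] != "app.domain.tld":
        return (401, {})
    return (200, {"Remote-User": "alice", "Remote-Email": "alice@domain.tld",
                  "Remote-Group": "admins"})


def app_request(host="app.domain.tld"):
    """Constructed sample request as Traefik sees it on the websecure entrypoint."""
    return {"host": host, "scheme": "https", "uri": "/",
            "client_ip": "203.0.113.7", "headers": {"Host": host}}
```

Calling forward_auth(app_request(), fake_tinyauth, ["Remote-User", "Remote-Groups"]) passes the request upstream without any group header, while listing "Remote-Group" delivers it; a request for another host is denied with the stand-in's 401.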

meathappening@lemmy.ml on 01 Apr 19:01

So that’s what I did in that bottom section; I should have been more clear: I used the full path and not just tinyauth.domain.tld. The redirect was broken.

Additionally, when I was trying to figure this out, I came across this bug report, where the author specifically says not to do that.

I assume this is easy but I have no experience with forwardauth. Thanks so much for your help.

And good catch on that groups/group issue.

JC1@lemmy.ca on 03 Apr 01:07

Out of curiosity, since you’re already using Traefik and Pocket ID, what does Tinyauth provide? Traefik can already do forward auth through a plugin. It redirects to Pocket ID directly.

meathappening@lemmy.ml on 03 Apr 02:31

Just preference using Tinyauth over the plugin. It’s got a beautiful login screen.

tinyauth.app/tinyauth-dark.png