Allow Forward Auth / SSO using Remote-user header
James Mills
This is basically the same as in this thread (https://requarks.canny.io/wiki/p/proxy-authentication), so yes please. I also use Authelia and setting up OIDC is just a bit too much effort. +1
Michael
This would be awesome for Authelia support...
braniqvranik
Nicolas Giard Yes, I would definitely like this feature to be present in WikiJS - HTTP header authentication.
I've set this up in Authelia, which provides me with 2FA and passes user+password to Guacamole (basic auth + http header extension), which works great.
Authelia passes it as Remote-User, and there is only one property to set up in guacamole.properties -> http-auth-header Remote-User
If wikijs behaves the same and there is a possibility to set this up, you can then leave the authentication stuff with Authelia, which extends the list of authentication providers you don't want to implement in wikijs, e.g. DUO.
Nicolas Giard
Merged in a post:
intranet connection
Krogath
Is it possible to have auto connection with LDAP on the local network?
Brian
This would be very useful
Nicolas Giard
Does the Remote-User header contain the user email address?
Lennard Röttjers
Nicolas Giard: Generally the header will contain either the dn or the uid field. However I know that gitea/gogs also has a header for the email field.
If my ldap uid would be lrottjers, the header would be Remote-User: lrottjers. Wikijs is configured to use this search filter (&(objectClass=inetOrgPerson)(uid={{username}})) and would find my user if {{username}} was replaced by the value of the header.
Here is the implementation of gitea:
They check if the "ReverseProxyAuth" option is enabled. Retrieve the uid from the header. Find the user, and log them in.
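The lookup described in the comment above, as an added example (not code from Wiki.js, Gitea or any poster in this thread): the Remote-User value is accepted only when the request comes from the reverse proxy, and it is escaped per RFC 4515 before it replaces {{username}} in the search filter. The simplified request object, the proxy addresses and the function names are assumptions made for illustration.

```javascript
// Hypothetical helper names; TRUSTED_PROXIES holds constructed sample addresses.
const TRUSTED_PROXIES = new Set(['127.0.0.1', '10.0.0.2']);
const FILTER_TEMPLATE = '(&(objectClass=inetOrgPerson)(uid={{username}}))';

// Escape a value for use inside an LDAP search filter (RFC 4515):
// backslash, '*', '(', ')' and NUL become a backslash plus two hex digits.
function escapeLdapFilterValue(value) {
  return value.replace(/[\\*()\0]/g, (ch) =>
    '\\' + ch.charCodeAt(0).toString(16).padStart(2, '0'));
}

// req is a simplified stand-in: { remoteAddress, headers } with
// lower-cased header names, as Node's http module provides them.
// Returns the LDAP filter to search with, or null if the header
// must not be trusted.
function filterFromForwardAuth(req) {
  // Only the reverse proxy may assert an identity. A client that can
  // reach the wiki directly could otherwise send Remote-User itself.
  if (!TRUSTED_PROXIES.has(req.remoteAddress)) return null;

  const user = req.headers['remote-user'];
  if (typeof user !== 'string' || user.length === 0 || user.length > 64) {
    return null;
  }
  // A replacer function is used so '$' in the value is not interpreted.
  return FILTER_TEMPLATE.replace('{{username}}', () => escapeLdapFilterValue(user));
}

// Constructed sample requests.
const viaProxy = { remoteAddress: '127.0.0.1', headers: { 'remote-user': 'lrottjers' } };
const direct = { remoteAddress: '203.0.113.9', headers: { 'remote-user': 'lrottjers' } };
console.log(filterFromForwardAuth(viaProxy));
console.log(filterFromForwardAuth(direct));
```

The proxy itself also has to strip any Remote-User header sent by the client before it adds its own, otherwise the address check alone does not help.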
Brian
Nicolas Giard: Is there a workaround for this? I noticed https://github.com/Requarks/wiki/issues/896
m00nwtchr
Nicolas Giard: No, but e.g. Authelia also provides a Remote-Email header