*** For anyone stumbling on this post, and is as newbie as I am right now, forward auth doesn’t work with FireflyIII.

I thought that forward auth was the same as a proxy, but in this case, it is the proxy that provides the x-authentik tags.

So for Firefly, set up Authentik as a proxy provider and not a forward auth.

I haven’t figured out the rest yet, but at least, x-authentik-email is in my header now.

Good luck ***

Hello,

I am trying to setup Authentik to do a forward auth for Firefly3, using caddy. I am trying to learn External authentication so my knowledge is limited.

My setup is as follows.

By looking at the Firefly doc Firefly doc, I need to set AUTHENTICATION_GUARD=remote_user_guard AUTHENTICATION_GUARD_HEADER=HTTP_X_AUTHENTIK_EMAIL in my .env file. I used the base .env file provided by Firefly and modified only these two lines

Then, in my Authentik, I made a forward auth for a single application for firefly. This part seem to work because the redirection is made. The external host is my Firefly ip address.

Then from the example provided in the Authentik provider, I created my caddy file on the Firefly container to redirect port 80 to my custom port 9080.

:80 {
        # directive execution order is only as stated if enclosed with route.
        route {
                # always forward outpost path to actual outpost
                reverse_proxy /outpost.goauthentik.io/* http://10.0.1.7:9080

                # forward authentication to outpost
                forward_auth http://10.0.1.7:9080 {
                        uri /outpost.goauthentik.io/auth/caddy

                        # capitalization of the headers is important, otherwise they will be empty
                        copy_headers X-Authentik-Username X-Authentik-Groups X-Authentik-Email X-Authentik-Name X-Authentik-Uid X-Authentik-Jwt X-Authentik-Me>

                        # optional, in this config trust all private ranges, should probably be set to the outposts IP
                        trusted_proxies private_ranges
                }

        }
}

EDIT : The IP address of Firefly is 10.0.1.8

When I try to go on my Firefly app, the Authentik redirection is made and it tries to connect to the Firefly webpage,but I either get unable to connect when I try the https, or Looks like there’s a problem with this site when I try to connect with http.

I see that the connection is refused in both case.

I made sure that my email on my account on firefly matches the email from the Authentik user.

I tried googling my problem to no avail and the Firefly documentation is pretty scarce.

Any help would be welcome.

  • just_another_person@lemmy.world
    link
    fedilink
    English
    arrow-up
    2
    ·
    edit-2
    3 days ago

    We need networking info to be able to tell what is happening here. If you didn’t change the “outpost_ip” placeholder, that’s your problem.

    Best to not use hostnames. Use the actual IP address.

    • Croquette@sh.itjust.worksOP
      link
      fedilink
      English
      arrow-up
      1
      ·
      3 days ago

      I edited the post. Since it’s all local it’s fine to show the IP. It’s just a reflex to hide my ips.

      I use IP directly as I don’t have a local domain configured properly.

      The outpost ip in my configuration file is the same provided in the outpost on Authentik.

      I am trying to get it to work still, but I am pretty sure that the issue is between Authentik and Firefly.

      I don’t see any of the headers (x-authentik-email more specifically) specified in the caddy file when Authentik is sending the request to Firefly. The only header I see is x-authentik-auth-callback.

      I am not sure how I can specify which headers are sent in Authentik.