feat(forward-auth): add Ignored Paths #1210
Conversation
…th prefixes) Implements the reviewed direction for the Authentik single-application redirect loop (tobychui#895): instead of an Authentik-specific preset, add a generic, comma-separated "Ignored Paths" list to the (global) Forward Auth settings. Any request whose path falls within one of these prefixes bypasses the forward auth check entirely. For Authentik per-app mode you set this to /outpost.goauthentik.io so the OAuth callback reaches the outpost instead of looping. Matching is hardened (decoded + path.Clean + boundary checked) against path traversal and prefix-boundary tricks; empty entries are skipped so a stray comma cannot disable auth site-wide.
- forward/const.go: ignoredPaths DB key
- forward/forward.go: IgnoredPaths option; load / GET / POST / DELETE / log
- forward/ignoredpaths.go: hardened matcher + IsIgnoredPath (+ unit tests)
- dynamicproxy/authProviders.go: handleForwardAuth skips auth for ignored paths
- web/sso.html: Ignored Paths field under Advanced Options, with a warning
Refs tobychui#895
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
The Ignored Paths help/warning was a Semantic UI .warning.message inside the form, which Semantic UI hides by default, so the field rendered with nothing below it. Use an always-visible <small> for the description + Authentik suggestion, plus a forced-visible (.visible) warning message for the no-auth security warning. Also add an Authentik single-application hint under the Address field pointing to Ignored Paths and the required virtual directory.
Refs tobychui#895
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
tobychui left a comment
LGTM, even path traversal attack is properly handled so I think this should be ready to merge. I will wait for @james-d-elliott final review before merging this.
@tobychui The CI is currently failing, but the reported test failures don't appear to be related to my changes. Is the CI expected to pass, or are these known/pre-existing issues? On a side note, what do you think about an option to directly enable the vdir for forward auth, as described here: #1210
@CrazyWolf13 Yes I don't have time to fix the CI recently, so ignore that for now. I am not sure about that since I am also new to forward auth, maybe James can provide some idea on this?
Thanks for the reviews, @tobychui and @james-d-elliott, appreciate it! An open question for a follow-up PR (or this one if desired): Now that Ignored Paths is approved: Authentik single-app users still have to add the What do you think about this @james-d-elliott?
Yeah I think this is a good idea. Would be advisable to carefully check if a vdir exists first. This would be applicable to any forward auth. Maybe a button on this page to auto create them if not existing? Or a way to bulk create vdirs from another page? Forgive me I'm not super familiar with each area of zoraxy. I lean towards a page that handles the vdirs already, and giving a link to that from forward auth, if that makes sense. If you can create a reusable component that is always preferable to one that's super special. That all said maybe something along the lines of:
Thanks, sounds like a reasonable approach to me! What do you think of this @tobychui, e.g. where would you think is the best place this would fit?
Yeah a separate PR makes perfect sense. Will be merging this now.
What this does
Fixes the Authentik single-application forward-auth redirect loop (#895) by adding a generic Ignored Paths option to the (global) Forward Auth settings, a comma-separated list of request path prefixes that bypass the forward-auth check entirely.
Setup (Authentik single-application mode)
- Ignored Paths: /outpost.goauthentik.io
- Virtual directory /outpost.goauthentik.io -> <authentik-host>:9000/outpost.goauthentik.io (Require TLS off) on each protected host, routes the OAuth callback to the outpost.
Both the Address and Ignored Paths fields carry inline notes guiding this, so it should be self-explanatory and no wiki page should be needed.
Warning
Paths in Ignored Paths get no authentication whatsoever — any request whose path starts with one of those prefixes bypasses Forward Auth entirely. Only list auth-callback paths (e.g. /outpost.goauthentik.io) or paths you intentionally want public. (This warning is also shown in the UI next to the field.)
Implementation (AI-assisted)
- forward package: new IgnoredPaths option (load / GET / POST / DELETE / log) + IsIgnoredPath() with hardened, normalized matching (decoded + path.Clean + boundary check) so ../ and %2e%2e traversal and prefix-boundary tricks can't bypass auth on unintended paths. Empty entries are skipped so a stray comma can't disable auth site-wide.
- dynamicproxy/authProviders.go: handleForwardAuth returns early for ignored paths — modeled on the existing ZorxAuthExceptionRules pattern. ~6 lines, no Server.go/routing changes, so it stays clear of the dynamic-proxy work on v3.3.4.
- web/components/sso.html: Ignored Paths field under Advanced Options, with the inline warning + Authentik hint.
Testing
Tests seem to pass, builds fine and I tested this build successfully for multiple hours and will keep it live in my homelab, though I'd appreciate any testing!
Open question
Currently the /outpost.goauthentik.io vdir needs to be added manually per host. I'd happily add a tickbox or similar to automatically handle this, but I first wanted to hear your opinion on this and kept the PR to a basic level.
Note
I'm not a professional dev and this was written largely with AI assistance. I'd be very happy if you @james-d-elliott could take a look and give it a thorough review!
Should resolve #895
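The hardened matcher the Implementation section describes, written out as an added example in Go (my own illustration, not the PR's forward/ignoredpaths.go or any Zoraxy code): entries are cleaned and empty ones dropped, the request path is decoded once and run through path.Clean, and a prefix matches only at a segment boundary. It assumes the caller passes the still-encoded wire path (r.URL.EscapedPath()), fails closed on a malformed escape, and, going one step beyond the PR, also refuses an entry that cleans to "/".

```go
package main

import (
	"fmt"
	"net/url"
	"path"
	"strings"
)

// ParseIgnoredPaths splits the comma-separated setting into cleaned prefixes.
// Empty entries (a stray comma) clean to "/" and are dropped, so they can never
// match every request; "/public/" and "/public" both become "/public".
func ParseIgnoredPaths(setting string) []string {
	var prefixes []string
	for _, raw := range strings.Split(setting, ",") {
		cleaned := path.Clean("/" + strings.TrimSpace(raw))
		if cleaned == "/" { // also rejects an entry like "/.." (my own choice, not from the PR)
			continue
		}
		prefixes = append(prefixes, cleaned)
	}
	return prefixes
}

// IsIgnoredPath reports whether reqPath (the still-encoded wire path, e.g.
// r.URL.EscapedPath(); an assumption) falls within one of the prefixes. The path
// is decoded once (%2e%2e -> ..) and cleaned, and a prefix matches only at a segment
// boundary: "/outpost.goauthentik.io" covers "/outpost.goauthentik.io/callback"
// but not "/outpost.goauthentik.io-evil".
func IsIgnoredPath(reqPath string, prefixes []string) bool {
	decoded, err := url.PathUnescape(reqPath)
	if err != nil {
		return false // malformed escape: fail closed, forward auth still applies
	}
	p := path.Clean("/" + decoded)
	for _, prefix := range prefixes {
		if p == prefix || strings.HasPrefix(p, prefix+"/") {
			return true
		}
	}
	return false
}

func main() {
	prefixes := ParseIgnoredPaths("/outpost.goauthentik.io, ,/public/")
	for _, p := range []string{"/outpost.goauthentik.io/callback", "/outpost.goauthentik.io/%2e%2e/admin", "/outpost.goauthentik.io-evil"} {
		fmt.Printf("%-40s ignored=%v\n", p, IsIgnoredPath(p, prefixes))
	}
}
```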