Using Obligator to protect apps

Open MitPitt opened this issue 2 years ago • 7 comments

Currently I am using Authentik to protect my apps. It is too slow and I would like to use Obligator instead. As I understand it, forward auth is the needed feature for this kind of stuff. But I can't wrap my head around what settings I need to specify in my reverse proxy.

I'm using Authentik with Caddy and this setup: https://docs.goauthentik.io/docs/providers/proxy/server_caddy

This way, when someone tries to access an app, he is first redirected to an outpost, where he must log in.

Please let me know if this is possible to do with Obligator.

MitPitt avatar Mar 31 '24 16:03 MitPitt

Hey @MitPitt, forward auth should be what you want. This functionality is currently broken in obligator (it's not used by LastLogin), but it should be pretty easy for me to fix. The settings should be almost the same as Authentik. Do you know what Authentik headers you're currently making use of?

anderspitman avatar Apr 01 '24 23:04 anderspitman

I'm protecting a dashboard and some other static pages, which do not require authorization. Hence I am not making use of any headers. Just protecting the dashboard with an authentication layer.

In the Caddy config I linked above, the uri /outpost.goauthentik.io/auth/caddy looks like a feature of Authentik which seems to autofill the auth request. Obligator should have something similar.

MitPitt avatar Apr 01 '24 23:04 MitPitt

Ah ok you should be good to go then. Just use the /validate endpoint on the obligator server. Note that vouch might be a more battle-tested alternative that will work for you.

anderspitman avatar Apr 02 '24 18:04 anderspitman

@MitPitt I just did a new beta release so you don't have to build manually if you wanted to try this.

anderspitman avatar Apr 02 '24 18:04 anderspitman

Would you also mind building a Docker image, please? I noticed that the latest image on Docker Hub is 6 months old now.

MitPitt avatar Apr 02 '24 20:04 MitPitt

I tried running the binary now with ./obligator-linux-x64-0.2.0 -storage-dir ./data -root-uri https://obligator.mywebsite.com -port 1616 -api-socket-dir ./api

Now it shows 404 page not found when I visit obligator.mywebsite.com. This doesn't happen when I run the binary of the previous version (Beta 0.1.0) in the same way.

I also tried the following Caddyfile:

obligator.mysebsite.com {
    reverse_proxy localhost:1616
}

mysebsite.com {
    reverse_proxy /auth* http://obligator.mysebsite.com:1616

    forward_auth http://obligator.mysebsite.com:1616 {
        uri /validate
    }

    # the app i'm protecting
    reverse_proxy localhost:1234 
}

Shows client_id missing at https://obligator.mysebsite.com/auth?client_id=&redirect_uri=&response_type=code&state=&scope=

MitPitt avatar Apr 08 '24 13:04 MitPitt

Hey @MitPitt, sorry I'm traveling at the moment, but I'll take a look at this when I get back.

anderspitman avatar Apr 10 '24 13:04 anderspitman
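
The forward-auth contract discussed in this thread, as an added example that is not part of the original issue and is not obligator's or Caddy's code: the proxy asks a /validate endpoint before every request, serves the app only on a 2xx answer, and otherwise relays the auth service's response (here a redirect to a login page). The cookie name and value, the /login path and its return parameter are assumptions made for the demonstration; X-Forwarded-Uri is the header Caddy's forward_auth sends to the auth upstream.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
)

// validate is a stand-in auth endpoint (hypothetical): implicit 200 for a known session.
func validate(w http.ResponseWriter, r *http.Request) {
	if c, err := r.Cookie("session"); err != nil || c.Value != "constructed-valid" {
		http.Redirect(w, r, "/login?return="+url.QueryEscape(r.Header.Get("X-Forwarded-Uri")), http.StatusFound)
	}
}

// gate does per request what a forward-auth proxy does: ask first, serve only on 2xx.
func gate(authURL string, app http.Handler) http.Handler {
	client := &http.Client{CheckRedirect: func(*http.Request, []*http.Request) error { return http.ErrUseLastResponse }}
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		sub, _ := http.NewRequest(http.MethodGet, authURL+"/validate", nil)
		sub.Header = http.Header{"Cookie": r.Header["Cookie"], "X-Forwarded-Uri": {r.URL.RequestURI()}}
		resp, err := client.Do(sub) // redirects are relayed to the browser, not followed
		if err != nil {             // fail closed when the auth service is unreachable
			http.Error(w, "auth unavailable", http.StatusBadGateway)
			return
		}
		defer resp.Body.Close()
		if resp.StatusCode/100 != 2 { // deny: hand the auth service's answer to the client
			w.Header().Set("Location", resp.Header.Get("Location"))
			w.WriteHeader(resp.StatusCode)
			return
		}
		app.ServeHTTP(w, r)
	})
}

// check sends one constructed request for /dashboard through the gate.
func check(cookie string) (int, string) {
	auth := httptest.NewServer(http.HandlerFunc(validate))
	defer auth.Close()
	app := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { fmt.Fprint(w, "dashboard") })
	req := httptest.NewRequest(http.MethodGet, "/dashboard", nil)
	req.AddCookie(&http.Cookie{Name: "session", Value: cookie})
	rec := httptest.NewRecorder()
	gate(auth.URL, app).ServeHTTP(rec, req)
	return rec.Code, rec.Header().Get("Location")
}

func main() { fmt.Println(check("")) }
```

The protected app never sees a request unless the auth service answered 2xx, and an unreachable auth service yields 502 rather than an open door.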