I’m using TinyAuth for forwardauth, but the service I’m trying to use is consistently saying the headers are not set (and I can verify they’re not there).

Traefik: in static config

entryPoints:
  web:
    address: ':80'
    transport:
      respondingTimeouts:
        readTimeout: 600s
        idleTimeout: 600s
        writeTimeout: 600s
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https
  websecure:
    address: ':443'
    http:
      tls:
        certResolver: letsencrypt
        domains:
          - main: domain.tld
            sans:
              - '*.domain.tld'
    forwardedHeaders:
      trustedIPs:
        - [TinyAuth IP]

In dynamic config:

tinyauth-auth:
  forwardAuth:
    address: "http://[TinyAuth IP]:3000/api/auth/traefik"
    trustForwardHeader: true
    authResponseHeaders:
      - Remote-User
      - Remote-Groups
      - Remote-Name
      - Remote-Email

This is set as a middleware in the app I’m trying to use.

In TinyAuth:

TINYAUTH_APPURL=https://tinyapp.domain.tld/
TINYAUTH_AUTH_TRUSTEDPROXIES=[Traefik IP]
TINYAUTH_APPS_APP_CONFIG_DOMAIN='app.domain.tld'
TINYAUTH_APPS_APP_RESPONSE_HEADERS='Remote-User,Remote-Email,Remote-Group,Remote-Name,X-Remote-Name,X-Remote-User,X-Remote-Group,X-Remote-Email,Forwarded-Host,Forwarded-URI'

(I kept adding response headers hoping something would change)

PocketID is set as an OAuth provider and seems to be working fine, but I can provide further detail if needed.

Curiously, I tried changing the address in the traefik config to “https://tinyauth.domain.tld/” and the headers came through properly, but the redirect went to https://tinyauth.domain.tld/api/auth/traefik.

I think this is actually my issue but they never posted their solution.

  • kat@lemmy.blehiscool.com · 2 upvotes · 2 hours ago

    If you point Traefik’s forwardAuth at the internal service (e.g. http://<tinyauth-ip>:3000/api/auth/traefik), TinyAuth doesn’t see the correct X-Forwarded-* headers or original host, so it won’t return the auth headers properly.

    If you switch to using the public URL instead, the headers should start working — but only once using the full endpoint:

    https://tinyauth.domain.tld/api/auth/traefik

    Not just the root URL.

    That way:

    • the request goes through Traefik
    • forwarded headers are correct
    • TinyAuth trusts the proxy
    • and it returns the expected headers

    Also worth double-checking that your header names match exactly (e.g. Remote-Groups vs Remote-Group).

    So in short: don’t call TinyAuth directly by IP, go through the domain + correct path.
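    An added example modelling the exchange this reply describes, written here as an in-process simulation rather than Traefik’s or TinyAuth’s own code. The IP addresses, the cookie name `tinyauth-session`, the session store and the login redirect format are all constructed assumptions; the header names and the `authResponseHeaders` list come from the thread. It shows the two behaviours that matter: the auth endpoint only believes `X-Forwarded-*` metadata when the request arrives from a trusted proxy, and the proxy copies back only the response headers whose names match its `authResponseHeaders` list, so a server that emits `Remote-Group` never populates `Remote-Groups`.

```python
"""Model of the Traefik forwardAuth exchange (added example, not Traefik's or
TinyAuth's code). IPs, cookie name, session data and redirect format are
constructed; header names follow the thread's configuration."""
from urllib.parse import quote

TRUSTED_PROXIES = {"10.0.0.2"}           # role of TINYAUTH_AUTH_TRUSTEDPROXIES (constructed IP)
APP_URL = "https://tinyauth.domain.tld"  # role of TINYAUTH_APPURL
# Names the proxy is told to copy back: the middleware's authResponseHeaders list.
AUTH_RESPONSE_HEADERS = ["Remote-User", "Remote-Groups", "Remote-Name", "Remote-Email"]
# Constructed session store. The server emits "Remote-Group" (singular) on purpose,
# mirroring the Groups/Group mismatch spotted in the thread.
SESSIONS = {
    "sess-abc": {"Remote-User": "alice", "Remote-Group": "admins",
                 "Remote-Name": "Alice", "Remote-Email": "alice@domain.tld"},
}


def auth_endpoint(peer_ip: str, headers: dict) -> tuple:
    """Stand-in for GET /api/auth/traefik. Returns (status, response headers).
    Forwarded metadata is only believed when the TCP peer is a trusted proxy;
    otherwise a client could forge X-Forwarded-* itself."""
    if peer_ip not in TRUSTED_PROXIES:
        return 403, {}
    host = headers.get("X-Forwarded-Host")
    if not host:
        return 400, {}  # cannot tell which app this is for, nor where to send the user back
    proto = headers.get("X-Forwarded-Proto", "https")
    uri = headers.get("X-Forwarded-Uri", "/")
    cookies = dict(c.strip().split("=", 1)
                   for c in headers.get("Cookie", "").split(";") if "=" in c)
    identity = SESSIONS.get(cookies.get("tinyauth-session", ""))
    if identity is None:
        # Not logged in: redirect to the login page, carrying the original URL
        back = quote(f"{proto}://{host}{uri}", safe="")
        return 302, {"Location": f"{APP_URL}/login?redirect_uri={back}"}
    return 200, dict(identity)


def traefik_forward_auth(client_req: dict, proxy_ip: str = "10.0.0.2",
                         auth_response_headers=AUTH_RESPONSE_HEADERS) -> tuple:
    """Model of the middleware: build the auth request from the original
    request, call the auth endpoint, then either hand the auth response back
    to the client (non-2xx) or attach the whitelisted headers to the request
    that continues on to the app (2xx)."""
    auth_req = {
        "X-Forwarded-Proto": client_req["scheme"],
        "X-Forwarded-Host": client_req["host"],
        "X-Forwarded-Uri": client_req["path"],
        "X-Forwarded-Method": client_req.get("method", "GET"),
        "X-Forwarded-For": client_req["client_ip"],
        "Cookie": client_req.get("Cookie", ""),
    }
    status, resp_headers = auth_endpoint(proxy_ip, auth_req)
    if status // 100 != 2:
        return status, resp_headers  # e.g. the login redirect, or 403 for an untrusted peer
    wanted = {name.lower() for name in auth_response_headers}
    # Only the listed names reach the app; anything else the auth server sent is dropped.
    return 200, {k: v for k, v in resp_headers.items() if k.lower() in wanted}


if __name__ == "__main__":
    req = {"scheme": "https", "host": "app.domain.tld", "path": "/dashboard",
           "client_ip": "198.51.100.7", "Cookie": "tinyauth-session=sess-abc"}
    print(traefik_forward_auth(req))                            # 200, no Remote-Groups
    print(traefik_forward_auth({**req, "Cookie": ""}))           # 302 to the login page
    print(traefik_forward_auth(req, proxy_ip="203.0.113.9"))     # 403, untrusted peer
```

    Running it shows the logged-in request reaching the app with `Remote-User`, `Remote-Name` and `Remote-Email` but no group header at all, which is the quiet failure to check for when an app says the headers "are not set".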

    • meathappening@lemmy.ml (OP) · 1 upvote · edited · 2 hours ago

      So that’s what I did in that bottom section; I should have been more clear. I used the full path and not just https://tinyauth.domain.tld/. The redirect was broken.

      Additionally, when I was trying to figure this out, I came across this bug report, where the author specifically says not to do that.

      I assume this is easy but I have no experience with forwardauth. Thanks so much for your help.

      And good catch on that groups/group issue.