permacomputing

Source repository for the main permacomputing wiki site
git clone http://git.permacomputing.net/repos/permacomputing.git # read-only access

commit 01e1957372242880bac589d329dfc45e3a6c5159
parent e16cf40dfbaf4cb1100f8e9e1b15da709393c277
Author: decentral1se <decentral1se@web>
Date:   Sat,  4 Apr 2026 12:21:58 +0200

feat: rauthy arbitrary sso

Diffstat:
M eik.mdwn | 49 +++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 49 insertions(+), 0 deletions(-)

diff --git a/eik.mdwn b/eik.mdwn 
@@ -232,3 +232,52 @@ Rauthy runs under the `rauthy` user, please prefix your commands with `sudo -su ### Admin See the config.toml for the fallback admin email. Ask in Toolshed for the password. You can also create an account and be upgraded to administrator by applying the "rauthy_admin" role on user creation. + +### Arbitrary single sign-on + +It is possible to configure `nginx` to use the [`forward auth`](https://sebadob.github.io/rauthy/work/forward_auth.html#advanced-forward-auth) feature of `rauthy`. This means, you can put anything you serve on `nginx` behind a single sign-on. + +This avoids us having to hand out a HTTP basic auth username/password on top of the username/password that people configured for the specific application themselves. If this doesn't make any sense already then you know we had to change it. We have had several reports that this is super confusing and just stopping people logging in to our digital tools. + +The configuration is fairly hairy but once you get it, you get it. And yes, if `rauthy` is down, there is no access. It's as solid as HTTP basic auth. The `rauthy` [docs](https://sebadob.github.io/rauthy/work/forward_auth.html#advanced-forward-auth) cover it but the TLDR; if you're moving fast: + +* Create a non-confidential client on Rauthy with the correct allowed origin (the URL you want to protect) and redirect URI (the URL you want to protect + /callback) +* Disable PKCE in the Rauthy web client UI +* Configure your Nginx configuration roughly like below. Refer to [the rauthy docs](https://sebadob.github.io/rauthy/work/forward_auth.html#advanced-forward-auth) for full context and tips. Please note, `<YOUR-CLIENT-ID>` must be replaced in the minimal configuration example below. + +Here's an example `nginx` configuration. 
+ + upstream rauthy { + server 127.0.0.1:8080 fail_timeout=5; + } + + location /auth { + internal; + + proxy_set_header X-Original-URI $request_uri; + proxy_set_header X-Forwarded-Method $request_method; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Forwarded-Host $http_host; + proxy_set_header X-Forwarded-URI $request_uri; + + proxy_set_header Content-Length ""; + proxy_set_header Connection ""; + proxy_pass_request_body off; + + proxy_pass http://rauthy/auth/v1/clients/<YOUR-CLIENT-ID>/forward_auth?danger_cookie_insecure=true; + } + + location = /callback { + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Forwarded-Host $http_host; + proxy_pass http://rauthy/auth/v1/clients/<YOUR-CLIENT-ID>/forward_auth/callback?$args; + } + + location / { + auth_request /auth; + auth_request_set $redirection_url $upstream_http_location; + error_page 401 =302 $redirection_url; + + # NOTE(d1): finally, serve your webshit + try_files $uri $uri/ =404; + }
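Review bot: the `proxy_pass` in `location /auth` appends `?danger_cookie_insecure=true` to the `forward_auth` URL and nothing in the surrounding text explains why. The parameter name itself says it relaxes cookie protection, which is a poor default for a snippet readers will copy verbatim; the config already forwards `X-Forwarded-Proto $scheme`, so a site served over HTTPS should not need it. Either drop it from the example or add a sentence next to "Please note, `<YOUR-CLIENT-ID>` must be replaced" saying when it is required and that it must be removed for a production deployment. While there: `<YOUR-CLIENT-ID>` occurs in both the `/auth` and `/callback` `proxy_pass` lines, so say that both occurrences need replacing; and `location /auth` is a prefix match marked `internal;`, so any application path under `/auth` served from `location /` would answer 404 through this config, which a less generic name for the subrequest location (or `location = /auth`) avoids.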