Remote-User header

[WilliamB78]

Hello !!

First of all, thanks for this project, and also well done !

I am currently testing it in place of oauth2-proxy in my homelab, and so far so good !

As the title mentions, I am wondering if you'd take a PR to add the Remote-User header, i simply added it and it works well for my configuration (Generic Oauth with Zitadel, Remote-User added to traefik authresponseheader), but i don't know how it works with github or google !

Check this out : WilliamB78@1aa9dda

And tell me what you think of this !

Thanks :)

[steveiliop56]

Hello, I would happily approve a pull request! This looks interesting as a lot of similar projects do the same so it would be a nice addition for tinyauth.

[WilliamB78]

Hey @steveiliop56 !

Thanks for accepting my PR !

I am a bit concerned about the name you chose for the header. The name X-Tinyauth-User is a custom one and do not respect the RFC 3875 as mentionned here : Firefly-III Docs. The same header (Remote-User) is also used in Django.

It can be changed with some trickery : you install the header transformer plugin for traefik, but it involves too much config for my taste (but it was what i did when i was using Oauth2-proxy).

What do you think about implementing a config in your project to customize the header name with an env var, check what i did in my fork : main...WilliamB78:tinyauth:main

Thanks again for the project and your time !

[steveiliop56]

Hello,

I was mostly inspired by x-authentik-user and it actually does follow rfc since the x means it is not a default but a custom app's header. If it's a pain to use I can change it back though.

[WilliamB78]

What do you think about my modification ?

The default value is x-tinyauth-user, but you can change this if you set the REMOTE_USER_HEADER_NAME to the value you need

[steveiliop56]

I am not really sure if I should add another environment variable. I will look into it though. I will probably change it back to Remote-User.

[steveiliop56]

Soo I decided to use remote-user 631059b to ensure compatibility. Hope that covers your use case.

[pretzelise]

This has been working wonderfully so far, thank you for implementing this 🙂

One thing I noticed is when using OAuth to sign in, the Remote-User header is set to the users email address. While this works beautifully in most cases, it's not very useful for services like Gogs where the Remote-User header is expected to be a username instead of an email address.

Since the Remote-User header seems to work fine with Gogs for non-OAuth users, I was wondering if it's possible to "link" a non-OAuth user to an OAuth email, such that the Remote-User header is set to the non-OAuth username when the OAuth method is used?

Basically:

1. user1 is a non-OAuth user and is linked to [email protected]
2. Person logs in using [email protected] via Google OAuth
3. Tinyauth logs the user in as user1 instead of the OAuth email

If this isn't an option in Tinyauth, could this be achievable externally through something like Caddy?

[steveiliop56]

Hello,

Instead of linking we could just strip out the domain, like if it's [email protected] I remove the Gmail and make it someone. What do you think?

[pretzelise]

Would this mean someone is shared between [email protected] and, for example, [email protected] ?

[steveiliop56]

Oh didn't thought of that. What about adding a dash? E.g. someone-gmail

[pretzelise]

It would be handy if there was a way to define what the username should be for a particular OAuth email separate from the email itself. Maybe an environment variable?

For example, my housemate has their address set up as [email protected] so their username by default would end up being mail-example. Could there be an environment variable like [email protected]:steven to define their username as steven?

I think the default behaviour when OAUTH_USERNAMES is unset should be to automatically create the name as you described above (or continue to use the email address as it is now), but it would be really handy to overrule it.

[need4swede]

Ya'll seem to understand this stuff better than I do!

I've configured tinyauth with Microsoft OAuth. I can login just fine - the integration works.
But I want to pass headers like user email, user name, etc. to my app, but I can't figure out how I can get this info from tinyauth.

I'm using caddy, and I've tried:

(tinyauth_forwarder) {
    forward_auth <ip>:<port> {
        uri /api/auth
        copy_headers Remote-Email Remote-Name Remote-User Remote-Groups
    }
}

I've also tried

X-Auth-Email
X-Auth-Name
X-Auth-Subject
X-Auth-User

And a number of other combinations, but nothing seems to work

{
    "all_headers": {
        "Accept": "*/*",
        "Accept-Encoding": "gzip, deflate, br, zstd",
        "Accept-Language": "en-US,en;q=0.5",
        "Cookie": "tinyauth=<redacted>",
        "Host": "app.domain.tld",
        "Priority": "u=4",
        "Sec-Fetch-Dest": "empty",
        "Sec-Fetch-Mode": "no-cors",
        "Sec-Fetch-Site": "same-origin",
        "Te": "trailers",
        "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:138.0) Gecko/20100101 Firefox/138.0",
        "X-Auth-Email": "",
        "X-Auth-Name": "",
        "X-Auth-Subject": "",
        "X-Forwarded-For": <redacted>,
        "X-Forwarded-Host": "app.domain.tld",
        "X-Forwarded-Proto": "https"
    },
    "current_user": null,
    "is_authenticated": false,
    "remote_headers": {
        "Remote-Email": null,
        "Remote-Name": null,
        "Remote-User": null
    },
    "session": {
        "_permanent": true
    },
    "x_auth_headers": {
        "X-Auth-Email": "",
        "X-Auth-Name": "",
        "X-Auth-Subject": ""
    }
}

Redacted and change some info for privacy reasons, but not sure how I can pass in this info.
Any help would be greatly appreciated!

docker-compose.yml

    environment:
      - SECRET=<redacted>
      - APP_URL=https://login.domain.tld
      - GENERIC_CLIENT_ID=<redacted>
      - GENERIC_CLIENT_SECRET=<redacted>
      - GENERIC_AUTH_URL=https://login.microsoftonline.com/<redacted>/oauth2/v2.0/authorize
      - GENERIC_TOKEN_URL=https://login.microsoftonline.com/<redacted>/oauth2/v2.0/token
      - GENERIC_USER_URL=https://graph.microsoft.com/v1.0/me 
      - GENERIC_SCOPES=openid,profile,email,User.Read

[steveiliop56]

Tinyauth adds the Remote-User,Remote-Email,Remote-Name and optionally Remote-Groups to the response, so this should work:

(tinyauth_forwarder) {
    forward_auth <ip>:<port> {
        uri /api/auth/caddy
        copy_headers Remote-Email Remote-Name Remote-User Remote-Groups
    }
}

I changed the API path to /api/auth/caddy since that's the required path for authentication. The reason you weren't getting anything in response was probably because tinyauth responded with a 500 error.