
Authentication using http header #4026

Open
1 task done
dorianim opened this issue Mar 28, 2022 · 31 comments · May be fixed by #5271
Labels
feature request A request for a new feature.

Comments

@dorianim

dorianim commented Mar 28, 2022

Is there an existing feature request for this?

  • I have searched the existing issues before opening this feature request.

Describe the feature you would like to see.

It would be nice to allow authentication via an HTTP-header containing the username. This would allow using proxy authentication via sso providers like Authelia or Authentik and by this, it would also be possible to authenticate using ldap or oidc.

Describe the solution you'd like.

  • New environment variables for:
    • Whether the header authentication should be enabled
    • The header containing the username of the user
    • The header containing the email of the user
  • Automatic account creation for new users; in my opinion this can happen transparently

Additional context to this request.

Http header authentication basically works like this:

  • You put a proxy in front of your application
  • This proxy does not let anything through to the application until the user authenticates with the proxy
  • As soon as the user is authenticated, the proxy passes the traffic to the application including a header containing their username, email and whatever else you configure

I am aware that other requests for ldap (#594), saml (#2635) and oidc (#3990) have been dismissed for being too time-consuming to implement.
Using an HTTP-header, however, would be much simpler to do.

Many other services do this as well, for example Paperless and Firefly III.

I think, this would be a good solution for all the users who wanted to have ldap, saml or oidc. And it should not be too complicated to implement 🙂 What do you think?

@dorianim dorianim added the feature request A request for a new feature. label Mar 28, 2022
@DaneEveritt
Member

Nice idea, seems like an easy middle ground between building out a very complex flow in the application and not having anything. Do you have any good examples I could look at in terms of setting up something very basic to test against if this was built out?

Like a specific service you like to use or some local setup that is sufficient for testing without too much additional overhead?

@dorianim
Author

I simply used a browser plugin which allows changing the header values for testing (e.g. this one). Should be pretty straightforward :)

@DaneEveritt
Member

Gotcha, I'll look into a few of them and make sure there is a decently common approach to them. I bet there are some packages that exist already to handle this I could use.

@dorianim
Author

Just for reference: oauth2-proxy is a tool which "translates" proxy authentication into oauth2 and could be used in conjunction with this feature.

@haylinmoore

> Gotcha, I'll look into a few of them and make sure there is a decently common approach to them. I bet there are some packages that exist already to handle this I could use.

I personally really like the idea of using the Remote-User header for authentication, as it makes it much easier to integrate with pre-made, or home-brewed authentication schemes. It also in theory, shouldn't be a massive implementation task. This method is commonly called Forward Auth, where your reverse proxy uses another API to verify authentication, and then rewrites headers so the backend can know the user. Both Authelia (https://www.authelia.com/docs/home/architecture.html) and Authentik (https://goauthentik.io/docs/providers/proxy/forward_auth), top open-source SSO providers, implement Forward Auth support. Some large applications that support it which come to mind are Netbox and Home-Assistant.

@haylinmoore

haylinmoore commented Apr 12, 2022

If I implemented this would this fall under a reject due to the contributing policy? "Pterodactyl does not accept Pull Requests (PRs) for new functionality from users that are not currently part of the core project team." Don't want it to meet the same fate as OAuth


@DaneEveritt
Member

@hamptonmoore yes, most likely. I'm not prepared to think about this too much right now or look at a PR for it.

@SyFizz

SyFizz commented Jul 11, 2022

Hi!

Is there any progress on that?

@Aeris1One

I would personally second the idea of being able to use HTTP headers; it would be a perfect middle ground between LDAP, OAuth, SAML and so on. It would be easier for server hosts but also for some servers (rare ones) which have set up some SSO for their Git, forum, website and issue tracker. That's the case of the server I'm sysadmin-ing, and Pterodactyl is the only thing without a linked account :/

LDAP, SAML and OpenID are more difficult to set up than HTTP headers, both on the Pterodactyl code side and on the SSO side. I think it's the perfect way to allow some SSO features, which seem to have been highly requested for some time now.

@zach78954

> I would personally second the idea of being able to use HTTP headers; it would be a perfect middle ground between LDAP, OAuth, SAML and so on. It would be easier for server hosts but also for some servers (rare ones) which have set up some SSO for their Git, forum, website and issue tracker. That's the case of the server I'm sysadmin-ing, and Pterodactyl is the only thing without a linked account :/
>
> LDAP, SAML and OpenID are more difficult to set up than HTTP headers, both on the Pterodactyl code side and on the SSO side. I think it's the perfect way to allow some SSO features, which seem to have been highly requested for some time now.

I also concur, this is the only thing that is missing for me.

@luizsusin

> I would personally second the idea of being able to use HTTP headers; it would be a perfect middle ground between LDAP, OAuth, SAML and so on. It would be easier for server hosts but also for some servers (rare ones) which have set up some SSO for their Git, forum, website and issue tracker. That's the case of the server I'm sysadmin-ing, and Pterodactyl is the only thing without a linked account :/
>
> LDAP, SAML and OpenID are more difficult to set up than HTTP headers, both on the Pterodactyl code side and on the SSO side. I think it's the perfect way to allow some SSO features, which seem to have been highly requested for some time now.

Me too. This is actually something I miss a lot.


@Loapu

Loapu commented Feb 24, 2023

Is there any update on this? Maybe an ETA or some plans for the roadmap?

@FoksVHox
Contributor

> Is there any update on this? Maybe an ETA or some plans for the roadmap?

https://github.com/orgs/pterodactyl/projects/1

@Aterfax

Aterfax commented Feb 26, 2023

Just wanted to show interest in this also. This would slot in very nicely for those using Authentik.


@n1ght-hunter

n1ght-hunter commented Nov 2, 2023

+1
I personally think this is a must. I don't like exposing anything publicly that has not had an audit, which is simply not possible for a project like this. So it makes sense to have the option to leave auth to a third party that has a good update policy and is regularly audited by a third party, like Authentik etc.

@Cryotize

Personally, I'm self-hosting many public-facing services which my family or friends use. Pterodactyl is one of many, and an HTTP header auth implementation would help me unify all logins at a central location like Authentik. Sadly, I still can't see this on the roadmap. Can anybody give an update on this issue?

@Pomdre

Pomdre commented Nov 19, 2023

> Personally, I'm self-hosting many public-facing services which my family or friends use. Pterodactyl is one of many, and an HTTP header auth implementation would help me unify all logins at a central location like Authentik. Sadly, I still can't see this on the roadmap. Can anybody give an update on this issue?

This has been a proposal for 4 years now. I know an SSO login for Google and other SSOs has been worked on; I think that was published as an "addon" but is no longer maintained.
I can't imagine the main developers switching gears and working on this now. Maybe if someone gets together and donates money to the project, that will increase the motivation for the developers to get this in place? 🤷


@Avsynthe

> Personally, I'm self-hosting many public-facing services which my family or friends use. Pterodactyl is one of many, and an HTTP header auth implementation would help me unify all logins at a central location like Authentik. Sadly, I still can't see this on the roadmap. Can anybody give an update on this issue?

This is me. I provide loads of services to friends and family using Authentik as the auth and ID server. Basically anything that doesn't support some form of SSO I've delayed providing because it's just a headache. I feel like these last 12 months most services have really pushed to get some form of SSO implemented, seems like the big thing now haha.

This would be amazing to see and would complete and round out what is an awesome service. It's features like this that skyrocket app adoption.

@zach78954

zach78954 commented Dec 20, 2023 via email

@xitation

xitation commented Feb 9, 2024

Also keen to throw my support behind this feature.

Happy to help test it as it's developed if required.

Use case is I run Kanidm and Cloudflare Tunnel, user experience isn't great when you OAuth to Cloudflare then have to auth separately to the panel.

@KevinCCucumber

So what's the latest update on this? I would love to have this integration, but I don't have any experience with PHP to implement this myself.

@virtualWinter

Hello. Any updates on this feature request?

@bountyhub-bot

🚀 Bounty Alert!

💰 A bounty of $50.00 has been created by Trevor159 on BountyHub for this issue.

🔗 Claim this bounty by submitting a pull request that solves this issue!

You can also increase the amount of the bounty if you think the issue is worth more.

Good luck, and happy coding! 💻

@banddude

banddude commented Jan 6, 2025

I've submitted a pull request (#5271) that implements header-based authentication. The implementation includes:

  • Support for authentication via HTTP headers (X-Auth-Username and X-Auth-Email by default)
  • Optional automatic user creation
  • Configurable header names
  • Comprehensive test suite
  • SQLite and MySQL compatibility

This should provide a simple way to integrate with SSO providers like Authelia or Authentik without requiring complex LDAP, SAML, or OIDC implementations.
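The forward-auth flow sketched in the original request (proxy authenticates, then forwards the username and email in headers) and the configurable, auto-creating header login described for the PR above share one security-critical check: the application must only honour those headers when the request actually came from the proxy, otherwise any client could set `X-Auth-Username` itself. The following is an added illustration in Python, not code from PR #5271 or from the panel (which is PHP); the trusted-proxy list, the in-memory user store and the username format rule are assumptions of the example.

```python
import ipaddress
import re
from dataclasses import dataclass

@dataclass
class HeaderAuthConfig:
    enabled: bool = False
    username_header: str = "X-Auth-Username"   # default header names named in the PR description
    email_header: str = "X-Auth-Email"
    auto_create: bool = False
    # Assumption: only these source networks are allowed to assert an identity.
    trusted_proxies: tuple = ("127.0.0.1/32", "::1/128")

# Constructed stand-in for the panel's users table: username -> attributes.
USERS = {"alice": {"email": "alice@example.test"}}

# Assumption: usernames the panel would accept; rejects empty, oversized or odd values.
USERNAME_RE = re.compile(r"[A-Za-z0-9._-]{1,64}")

def resolve_user(headers, remote_addr, cfg, users=USERS):
    """Return the username this request may act as, or None to fall back to the normal login."""
    if not cfg.enabled:
        return None
    # Trust boundary: the header only means something when the immediate peer is the proxy.
    peer = ipaddress.ip_address(remote_addr)
    if not any(peer in ipaddress.ip_network(net) for net in cfg.trusted_proxies):
        return None
    # HTTP header names are case-insensitive; normalise before lookup.
    lowered = {name.lower(): value for name, value in headers.items()}
    username = lowered.get(cfg.username_header.lower(), "").strip()
    email = lowered.get(cfg.email_header.lower(), "").strip()
    if not USERNAME_RE.fullmatch(username):
        return None
    if username in users:
        return username
    # Optional transparent account creation, but only with enough data to build the account.
    if cfg.auto_create and email:
        users[username] = {"email": email}
        return username
    return None

if __name__ == "__main__":
    cfg = HeaderAuthConfig(enabled=True, auto_create=True)
    print(resolve_user({"X-Auth-Username": "alice"}, "127.0.0.1", cfg))     # alice
    print(resolve_user({"X-Auth-Username": "alice"}, "203.0.113.5", cfg))   # None: not from the proxy
```

In a real deployment the proxy must additionally drop any client-supplied copy of these headers before adding its own, so the application-side check is the second line of defence rather than the only one.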

@dougmaitelli

> I've submitted a pull request (#5271) that implements header-based authentication. The implementation includes:
>
>   • Support for authentication via HTTP headers (X-Auth-Username and X-Auth-Email by default)
>   • Optional automatic user creation
>   • Configurable header names
>   • Comprehensive test suite
>   • SQLite and MySQL compatibility
>
> This should provide a simple way to integrate with SSO providers like Authelia or Authentik without requiring complex LDAP, SAML, or OIDC implementations.

Thanks for this great contribution!
I have been considering migrating from Pterodactyl to Pelican for a while now just because of this feature.

@zhiyan114

> I've submitted a pull request (#5271) that implements header-based authentication. The implementation includes:
>
>   • Support for authentication via HTTP headers (X-Auth-Username and X-Auth-Email by default)
>   • Optional automatic user creation
>   • Configurable header names
>   • Comprehensive test suite
>   • SQLite and MySQL compatibility
>
> This should provide a simple way to integrate with SSO providers like Authelia or Authentik without requiring complex LDAP, SAML, or OIDC implementations.

Awesome PR! With some small, annoying changes, I was able to use some of your code to implement mTLS-based authentication to the web panel.
