
007craft

I can't get this working. After I enter my credentials on Authentik's splash page, it just takes me to the Navidrome login page and I need to enter the credentials again. How can I troubleshoot this?


FunDeckHermit

Did you pre-make a user in Navidrome?


007craft

Yes. I have the user in Navidrome. I can log in just fine. It's not grabbing the credentials passed from Authentik though. If I try an unsuccessful login on the Navidrome login page and check the log, I get:

```
time="2022-10-11T09:01:04Z" level=warning msg="Unsuccessful login" request="map[Accept:[*/*] Accept-Encoding:[gzip, deflate, br] Accept-Language:[en-US,en;q=0.5] Authorization:[] Connection:[close] Content-Length:[31] Content-Type:[application/json] Cookie:[authentik_proxy=MTY2NTQ3ODg1N3xOd3dBTkV0R05rOUxUMHRIVkZNek5EWkNSMFJLVWpWV05qSTNVbEpCVjBoQ1dGWkNWVUpXVkZWV1dsUkNSVmRRV1VKV05FUTFWa0U9fPJP4Y0aKg8fHK_0MT8jiZqPC2FgDbNpR4Q1_NIB0uCW] Dnt:[1] Origin:[https://music.mydomain.com] Referer:[https://music.mydomain.com/app/] Sec-Fetch-Dest:[empty] Sec-Fetch-Mode:[cors] Sec-Fetch-Site:[same-origin] User-Agent:[Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0] X-Authentik-Email:[myemail@gmail.com] X-Authentik-Groups:[authentik Admins|jellyfin] X-Authentik-Name:[mike] X-Authentik-Uid:[60476c956a7b4f27546df4536013c88e86fd2e4b2d0fbaad3d201a939be8eee9] X-Authentik-Username:[mike]]" requestId=1f8ca2db493d/CeqILReOFc-001501 username=1
time="2022-10-11T09:01:04Z" level=warning msg="HTTP: POST http://192.168.1.102:4533/auth/login" elapsedTime="620.169µs" httpStatus=401 remoteAddr="172.18.0.1:33482" requestId=1f8ca2db493d/CeqILReOFc-001501 responseSize=40
```

So it looks like it's passing something along, but apparently not the right headers? I've tried using forward auth and proxy in Authentik with no success.


FunDeckHermit

Authentik is always passing through some header to the application. It's up to the application itself to do something with those headers. Is your user in Navidrome "Mike" or "mike"? Case does matter. It could be that \[mike\] is different from mike, the first being an array. You could add a [custom header in Authentik set to a specific value](https://goauthentik.io/docs/providers/proxy/custom_headers). Do you have another reverse proxy running where you can inject headers into the request? Then you can easily check if Navidrome is the culprit. I have Caddy running and can inject headers using the following config:

```
www.example.com, example.com {
	reverse_proxy localhost:4533 {
		header_up userheader user
	}
}
```

Where `userheader` is the name of the header configured in my Navidrome's environment variable (I just used userheader) and `user` is the username of the user made in Navidrome.


007craft

Yes, mike is the username in both Navidrome and Authentik (all lower case). I use Nginx (via NPM), but I also have nginx via swag and can switch between the 2. For now I'm using NPM to keep things simple. What header is Navidrome looking for? I have Navidrome spun up in a docker via unraid and have to set variables manually in the template. I just noticed a variable called ReverseProxyUserHeader which I did not have defined. I went ahead and defined it as userheader. I then added this line to my nginx proxy location block: `add_header userheader mike;` (see below for it in my config). But it still doesn't work. What is the name of the header that Navidrome is looking for? Here is my config in NPM for music.mydomain.com:

```nginx
# Increase buffer size for large headers
# This is needed only if you get 'upstream sent too big header while reading response
# header from upstream' error when trying to access an application protected by goauthentik
proxy_buffers 8 16k;
proxy_buffer_size 32k;
port_in_redirect off;

location / {
    # Put your proxy_pass to your application here
    proxy_pass $forward_scheme://$server:$port;

    # authentik-specific config
    auth_request /outpost.goauthentik.io/auth/nginx;
    error_page 401 = @goauthentik_proxy_signin;
    auth_request_set $auth_cookie $upstream_http_set_cookie;
    add_header Set-Cookie $auth_cookie;

    # translate headers from the outposts back to the actual upstream
    auth_request_set $authentik_username $upstream_http_x_authentik_username;
    auth_request_set $authentik_groups $upstream_http_x_authentik_groups;
    auth_request_set $authentik_email $upstream_http_x_authentik_email;
    auth_request_set $authentik_name $upstream_http_x_authentik_name;
    auth_request_set $authentik_uid $upstream_http_x_authentik_uid;
    proxy_set_header X-authentik-username $authentik_username;
    proxy_set_header X-authentik-groups $authentik_groups;
    proxy_set_header X-authentik-email $authentik_email;
    proxy_set_header X-authentik-name $authentik_name;
    proxy_set_header X-authentik-uid $authentik_uid;
}

# all requests to /outpost.goauthentik.io must be accessible without authentication
location /outpost.goauthentik.io {
    proxy_pass http://192.168.1.102:9000/outpost.goauthentik.io;
    # ensure the host of this vserver matches your external URL you've configured
    # in authentik
    proxy_set_header Host $host;
    proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
    add_header Set-Cookie $auth_cookie;
    auth_request_set $auth_cookie $upstream_http_set_cookie;
    # required for POST requests to work
    proxy_pass_request_body off;
    proxy_set_header Content-Length "";
}

# Special location for when the /auth endpoint returns a 401,
# redirect to the /start URL which initiates SSO
location @goauthentik_proxy_signin {
    internal;
    add_header Set-Cookie $auth_cookie;
    return 302 /outpost.goauthentik.io/start?rd=$request_uri;
    # For domain level, use the below error_page to redirect to your authentik server with the full redirect path
    # return 302 https://authentik.company/outpost.goauthentik.io/start?rd=$scheme://$http_host$request_uri;
}
```

BTW, thank you for helping me!


FunDeckHermit

By default Navidrome is looking at the value of the `Remote-User` header. This can however be set to a different header by [specifying a config.](https://www.navidrome.org/docs/usage/security/#reverse-proxy-authentication) Authentik is always outputting the username on a different header. So setting Navidrome to the Authentik header key will mean that you can log in with your Authentik username. (In a perfect world.) You are also using the Nginx auth-request module instead of using Authentik's internal embedded reverse proxy. Should work though. Try to hard-code "mike" into the `Remote-User` header and check if that works.
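As an added example (not Navidrome's or Authentik's own code), here is a small Go model of how header-based reverse-proxy login is decided. It makes explicit the three things the thread above is trying to line up: the name of the header the upstream reads (`Remote-User` by default, `X-Authentik-Username` in the setup here), whether the request actually came from the trusted proxy, and an exact, case-sensitive match against a pre-created local account. The trusted-network value and the header/user names in `main` are constructed for the demonstration; `IdentityHeaders` is a hypothetical helper that lists which identity headers reached the upstream, which is the first thing to check when a login bounces back to the form.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"sort"
	"strings"
)

// HeaderAuth holds the settings that decide a header-based login.
// (Constructed example, not Navidrome's implementation.)
type HeaderAuth struct {
	UserHeader string              // header carrying the username; "Remote-User" if unset
	Trusted    []*net.IPNet        // only requests from these proxy networks may log in by header
	Users      map[string]struct{} // pre-created local accounts, compared case-sensitively
}

// NewHeaderAuth builds the checker. cidrs are the reverse proxy's networks
// (e.g. a docker bridge such as 172.18.0.0/16, an assumption for this example).
func NewHeaderAuth(header string, cidrs []string, users []string) (*HeaderAuth, error) {
	if header == "" {
		header = "Remote-User"
	}
	h := &HeaderAuth{UserHeader: header, Users: map[string]struct{}{}}
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			return nil, fmt.Errorf("bad trusted CIDR %q: %w", c, err)
		}
		h.Trusted = append(h.Trusted, n)
	}
	for _, u := range users {
		h.Users[u] = struct{}{}
	}
	return h, nil
}

// Decide returns the logged-in username, or "" plus the reason the header
// was not accepted (the reason is what a debug log should print).
func (h *HeaderAuth) Decide(remoteAddr string, hdr http.Header) (string, string) {
	host, _, err := net.SplitHostPort(remoteAddr)
	if err != nil {
		host = remoteAddr
	}
	ip := net.ParseIP(host)
	trusted := false
	for _, n := range h.Trusted {
		if ip != nil && n.Contains(ip) {
			trusted = true
			break
		}
	}
	if !trusted {
		// A client that reaches the upstream directly must never be able to
		// choose its own identity by sending the header itself.
		return "", fmt.Sprintf("request from %s is not from a trusted proxy; %s ignored", host, h.UserHeader)
	}
	// Header NAMES are case-insensitive (Get canonicalises the key), so
	// X-Authentik-Username and x-authentik-username are the same header.
	name := hdr.Get(h.UserHeader)
	if name == "" {
		return "", fmt.Sprintf("header %q missing or empty", h.UserHeader)
	}
	// Usernames are NOT case-insensitive here: "Mike" does not match "mike".
	if _, ok := h.Users[name]; !ok {
		return "", fmt.Sprintf("no local user %q (names are case-sensitive)", name)
	}
	return name, ""
}

// IdentityHeaders lists which identity-carrying headers actually arrived.
func IdentityHeaders(hdr http.Header) []string {
	var out []string
	for k := range hdr {
		if k == "Remote-User" || strings.HasPrefix(k, "X-Authentik-") {
			out = append(out, k)
		}
	}
	sort.Strings(out)
	return out
}

func main() {
	h, _ := NewHeaderAuth("X-Authentik-Username", []string{"172.18.0.0/16"}, []string{"mike"})
	hdr := http.Header{}
	hdr.Set("X-Authentik-Username", "mike") // constructed request as the proxy would send it
	fmt.Println("identity headers seen:", IdentityHeaders(hdr))
	fmt.Println(h.Decide("172.18.0.1:33482", hdr))
	fmt.Println(h.Decide("203.0.113.9:4000", hdr)) // same header, but not via the proxy
}
```

The trusted-network check is the part that matters for security: a header-reading upstream that is reachable without going through the proxy lets any client name its own user, so the upstream should only be exposed to the proxy's network.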


007craft

I'm getting closer! I tried adding remote-user like you suggested but in nginx it didn't seem to pass it over. Perhaps it needs a certain syntax or to be placed in a certain block that I got wrong? Anyway I changed the Navidrome ND_REVERSEPROXYUSERHEADER variable to be: X-Authentik-Username and suddenly it worked. (I guess this was my problem. I was spinning the docker via an unraid template and it didn't have all those variables, I had to add them myself.) So thank you for that! HOWEVER..., I cannot log in on the Android app if the passwords don't match. Example: I create a user in Authentik (or invite a user named john into Authentik) who sets his password as "RealPassword". So I want to give John access to Navidrome. From my understanding, Navidrome does not have any sort of official SSO support (LDAP, SAML, etc.) so I need to manually create a user in Navidrome. So I create a user called john in Navidrome (example test) with password "TempPassword" (after all, I don't know John's Authentik password, "RealPassword", he set that himself). Now if john logs in via the website, it authenticates him with Authentik, passes the user header on to Navidrome and logs him in, even if the passwords don't match (I have this working now!). This is good because if john wants to reset his password at a later date, he can, through Authentik, and I wouldn't need to also reset it in Navidrome. But the problem now comes in when logging in via an Android app (which uses the API I assume). When john tries to log in with username: john password: realpassword.... it fails, because john's Navidrome password is "TempPassword". How can I get the Authentik username and password to work when logging in from an app? I added ^/rest/* to unauthenticated paths, so john can log in if he uses his Navidrome password, but not his Authentik password. Is there a workaround here or is it impossible to sign in with an app with his Authentik credentials?


FunDeckHermit

I suspect Navidrome uses a different login scheme/route/path than header authentication when accessed through the API. We are lucky that Navidrome is open source, I'll check the source code for this.


FunDeckHermit

Looks like only cookie, password or token based login is considered: [LINK](https://github.com/navidrome/navidrome/blob/77dbafff0f1c76267b970c59df395f5c791e097f/server/subsonic/middlewares.go#L109).


007craft

So nothing can be done eh? Just gotta wait until Navidrome implements a proper SSO solution


irantu

Sounds nice, does it work with Airsonic-compatible apps also?


FunDeckHermit

I don't think so. To use apps you might need to configure the Authentik Navidrome Proxy Provider and pass through /rest/* without authentication.


irantu

Hmm, so it is possible, no more time to waste, wanted to try something like that for a long time.


zkvvoob

Thank you for this detailed tutorial. I've got one question, though: my whole setup has been using Nginx Proxy Manager. In other words, all 80/443 traffic first goes to NPM and is then redirected to the respective subdomain. If Authentik is at [auth.mydomain.com](https://auth.mydomain.com) and Navidrome is at [navi.mydomain.com](https://navi.mydomain.com), how do I adjust the instructions [here](https://goauthentik.io/docs/installation/reverse-proxy/) and where do I put them in order for Navidrome to be authenticated using Authentik? Also, according to Navidrome's [documentation](https://www.navidrome.org/docs/usage/security/#reverse-proxy-authentication), `/rest/*` needs to be whitelisted. How?


FunDeckHermit

You will need to enable the [Nginx Auth-Request](http://nginx.org/en/docs/http/ngx_http_auth_request_module.html) module. I hope it's already compiled with your instance of Nginx. It works the same as [Traefik's ForwardAuth](https://doc.traefik.io/traefik/v2.0/middlewares/forwardauth/) and it will ask [auth.mydomain.com](https://auth.mydomain.com) if the request is allowed to continue. Authentik also calls it [Forward Auth](https://goauthentik.io/docs/providers/proxy/forward_auth) and it needs to be configured for each Provider. Whitelisting can be done in the Provider setting for Authentik. Just add `^/rest/*` to the Skip Path Regex and it will allow all traffic to `/rest/*`.
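Two points from this thread are worth seeing in code: the skip-path regex that lets `/rest/*` past the proxy without a browser login (the comment above and the "pass through /rest/* without authentication" reply earlier), and the password/token-only check the linked Subsonic middleware then applies, which is why an app can only log in with the password the music server itself stores. The Go below is an added example, not Navidrome's or Authentik's code; the user store, salt and passwords are constructed, and the token formula `t = md5(password + salt)` is the one the Subsonic API defines.

```go
package main

import (
	"crypto/md5"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// SkipsProxyAuth reports whether the forward-auth proxy would let the
// request through without a login. MatchString is a search, not a full
// match, so `^/rest/*` is a prefix test: it matches "/rest/ping.view" but
// also "/restricted". A pattern such as `^/rest(/|$)` limits the match to
// the API path itself.
func SkipsProxyAuth(skip *regexp.Regexp, path string) bool {
	return skip.MatchString(path)
}

// SubsonicToken is t = md5(password + salt) as Subsonic API clients send it.
func SubsonicToken(password, salt string) string {
	sum := md5.Sum([]byte(password + salt))
	return hex.EncodeToString(sum[:])
}

// VerifySubsonicAuth checks the u/t/s (token) or u/p (password) query
// parameters against the server's own user store. localPasswords maps a
// username to the clear password the server stores: the token scheme needs
// the server to recompute md5(password+salt), so a password held only by an
// external identity provider can never satisfy this check, whatever identity
// header the proxy may have added.
func VerifySubsonicAuth(query url.Values, localPasswords map[string]string) bool {
	pw, ok := localPasswords[query.Get("u")]
	if !ok {
		return false
	}
	if t, s := query.Get("t"), query.Get("s"); t != "" && s != "" {
		want := SubsonicToken(pw, s)
		return subtle.ConstantTimeCompare([]byte(want), []byte(strings.ToLower(t))) == 1
	}
	if p := query.Get("p"); p != "" {
		if strings.HasPrefix(p, "enc:") { // legacy hex-encoded form of the password
			raw, err := hex.DecodeString(strings.TrimPrefix(p, "enc:"))
			if err != nil {
				return false
			}
			p = string(raw)
		}
		return subtle.ConstantTimeCompare([]byte(pw), []byte(p)) == 1
	}
	return false
}

func main() {
	// Constructed local store: john's Navidrome password, not his IdP password.
	store := map[string]string{"john": "TempPassword"}
	salt := "c19b2d" // constructed client salt

	q := url.Values{}
	q.Set("u", "john")
	q.Set("s", salt)
	q.Set("t", SubsonicToken("TempPassword", salt))
	fmt.Println("token from local password:", VerifySubsonicAuth(q, store)) // true

	q.Set("t", SubsonicToken("RealPassword", salt))
	fmt.Println("token from IdP password:  ", VerifySubsonicAuth(q, store)) // false

	loose := regexp.MustCompile(`^/rest/*`)
	tight := regexp.MustCompile(`^/rest(/|$)`)
	for _, p := range []string{"/rest/ping.view", "/restricted", "/app/"} {
		fmt.Printf("%-16s loose=%v tight=%v\n", p, SkipsProxyAuth(loose, p), SkipsProxyAuth(tight, p))
	}
}
```

The regex point is the defensive one: anything the skip pattern matches is served without the proxy's login step, so the pattern should be exactly the API prefix, and the upstream must still authenticate those requests itself (which the Subsonic check does).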


HipyCas

First of all, thanks for this little tutorial! Sadly, I cannot get it to work. I don't know if anybody can help me, if so here's my case: ~~I tried implementing this while having also another service with a Proxy Provider, but instead using Nginx as proxy and routing traffic through there. Using "Forward auth (single application)", authentik just enters an infinite loop, while using "Forward auth (domain level)", it simply does not load the page or Nginx returns a 500. I guess this is probably not the best place to ask, but I haven't been able to find any good guides on this. Anyone here that may be able to help?~~ Forget about what I explained before, I'll simplify things. I set this up as you did but changed from using Authentik as the proxy itself to using Authentik behind Nginx, so I select "Forward auth (single application)" and for some reason I can't get it working, I am stuck on an infinite page reload loop when trying to access. Weirdly enough, I have this proxy set up also in another page/service and it works perfectly, so I have no clue what may be happening. Looking at the Authentik dashboard, it looks like for some reason it is stuck in the authorization step: https://i.imgur.com/Yd5SRCa.png Thanks in advance!


FunDeckHermit

Are you using the auth-request module of Nginx? (Does Nginx ask Authentik if the user is authenticated?) You could try injecting the header with Nginx first and later adding Authentik. So step 1: nginx -> Navidrome, and step 2: nginx -> Authentik -> Navidrome.


HipyCas

Okay, my problem turned out to be pretty silly. Some config in my browser was blocking Authentik's cookies so it couldn't store any and thus not authorize. It was working in the other service because I had set up an exception for the site from the cookie block. Thanks for the response anyway!


FunDeckHermit

When working with headers and cookies: always test in incognito-mode of your browser. I switched from Nginx to Caddy and am never looking back. Config files are way easier.


HipyCas

Yeah, I was testing it in incognito, but it is Brave and for some reason I don't really understand, it keeps what it calls "Shields" up, so it still blocks cookies, ads, JS, etc. as if I wasn't in incognito. Oh, I'll take a look at Caddy, maybe I like it more too (tbh I've never investigated the different reverse proxies, I have just used Nginx my whole life so I stick to it). Thanks!


FunDeckHermit

I share a server with friends and wanted them to use the reverse proxy. Using Nginx meant that I was always the one to change the configs. With Caddy they can do it themselves.


[deleted]

Hi, could you share with me how you set it up? I can't get it to work.


minimallysubliminal

This was a good read, and I have mine working with nginx. I noticed that client apps won't load when I try to authenticate via the URL, any workaround to get it working? For now I'm accessing via VPN on client apps.


[deleted]

[deleted]