[Feature] Support for Forwarded Headers (Authentication)

[shanelord01]

I have searched the existing feature requests, both open and closed, to make sure this is not a duplicate request.

• Yes

The feature

I am using Pangolin to front end my immich instance, and have Google Auth setup on Pangolin. At the moment I need to login via Pangolin using Google, then login to immich using Google.

As of 1.10.0 Pangolin have added Forwarded Headers

"Pangolin can forward user identity information to your backend applications through custom HTTP headers. This allows your applications to receive user details directly from the request headers, enabling integration with Pangolin’s authentication system."

Can this be added to immich so OAuth is handled via Pangolin (or other front end proxy that supports Forwarded Headers) and then the authenticated user details are passed to immich allowing seamless SSO?

It would require disabling OAuth in immich and mapping the incoming user authenticated user to an existing account, or fail connection if no account match (admin of immich should be able to pre-load authorised email addresses that match the OAuth provider used by Pangolin).

Platform

• Server
• Web
• Mobile

[bo0tzz]

We already support oauth which allows integration with basically everything, we have no plans to also implement other methods.

[aidanholm]

I ended up implementing a minimal OAuth provider for this, also sitting behind my reverse proxy. This provider doesn't redirect to a login page; it just authenticates the user directly based on the auth header.

[olistrik]

@aidanholm is that public? I have a lot of services behind a reverse proxy that support oauth but not header based authentication.

[bo0tzz]

https://oauth2-proxy.github.io/

[olistrik]

@bo0tzz oauth2-proxy still requires an upstream oauth2 provider though right? It seems it's intended for authenticating users against downstream services which don't support oauth2 natively. In my case, all my users are authenticated using tailscale-forward-auth, so the downstream requests already have x-tailscale-id etc attached. I would like to authenticate the user based on that, but I have yet to find an app that supports it. oauth2 though... many apps support that. So if I can turn x-tailscale-id's into oauth tokens internally that would be great.

[bo0tzz]

Yeah I got it the wrong way around, my bad.

For tailscale, check out https://github.com/tailscale/tsidp.