booklore/docs/forward-auth-with-proxy.md
Louis-André Labadie 7d006355c7 Feat: ForwardAuth user creation follows OIDC library attribution preferences (#805)
* ForwardAuth user provisioning: Assign default permissions when available

* Add forward auth mention in README + details in a separate doc

Add Forward Auth docs

* Fix: PermissionDeleteBooks → PermissionDeleteBook

---------

Co-authored-by: Aditya Chandel <8075870+adityachandelgit@users.noreply.github.com>
2025-08-06 11:30:46 -06:00

Forward Auth with Reverse Proxy

BookLore supports Forward Auth, which lets a reverse proxy backed by your existing SSO provider tell BookLore which user is logged in.

⚠️ Security

Important: Enabling forward auth means BookLore will fully trust the headers sent by the reverse proxy. Never expose BookLore directly to the internet when using forward auth; always route traffic through your authenticated proxy. Otherwise, outsiders can attempt to impersonate any username they know about.

Configuration

Provide BookLore with the following environment variables:

# Allows Forward Auth
REMOTE_AUTH_ENABLED=true

# Enable automatic user creation (recommended)
REMOTE_AUTH_CREATE_NEW_USERS=true

# Header names (your proxy will specify what header names to use)
REMOTE_AUTH_HEADER_USER=Remote-User        # Username (required)
REMOTE_AUTH_HEADER_NAME=Remote-Name        # Display name
REMOTE_AUTH_HEADER_EMAIL=Remote-Email      # Email address
REMOTE_AUTH_HEADER_GROUPS=Remote-Groups    # Groups/roles

# Admin group name (optional)
REMOTE_AUTH_ADMIN_GROUP=admin              # Specify this if you want a group to automatically get admin rights

Docker Compose Example

services:
  booklore:
    image: ghcr.io/adityachandelgit/booklore-app:latest
    environment:
      # Forward Auth Configuration
      - REMOTE_AUTH_ENABLED=true
      - REMOTE_AUTH_CREATE_NEW_USERS=true
      - REMOTE_AUTH_HEADER_NAME=Remote-Name
      - REMOTE_AUTH_HEADER_USER=Remote-User
      - REMOTE_AUTH_HEADER_EMAIL=Remote-Email
      - REMOTE_AUTH_HEADER_GROUPS=Remote-Groups
      - REMOTE_AUTH_ADMIN_GROUP=admin
    # ... rest of configuration ...

Setting Up Default Permissions

  1. Access Admin Settings: Log in to BookLore as an admin user
  2. Navigate to Authentication Settings: Go to Settings → Authentication
  3. Configure OIDC Auto-Provision (even if not using OIDC):
    • Enable "Auto User Provisioning". You might need to enter a bogus URL to enable it temporarily.
    • Select the default permissions and libraries for new users.
  4. Save Settings

Example: Caddyfile for Authelia Forward Auth

books.example.com {
  forward_auth authelia:9091 {
    uri /api/authz/forward-auth
    copy_headers Remote-User Remote-Name Remote-Email Remote-Groups
  }

  reverse_proxy booklore:6060
}
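
The security note above requires that BookLore be reachable only through the authenticating proxy. The Compose layout below is an added example, not taken from the BookLore repository, showing the weak setting beside the corrected one. It reuses the service names and ports from the Caddyfile above; the `caddy:2` and `authelia/authelia` images and the mounted file paths are assumptions.

```yaml
# Added example (not from the BookLore project). Service names and ports
# match the Caddyfile above; proxy/SSO images and volume paths are assumed.
services:
  caddy:
    image: caddy:2
    ports:
      - "80:80"
      - "443:443"        # the proxy is the only service published to the host
    volumes:
      - ./Caddyfile:/etc/caddy/Caddyfile:ro

  authelia:
    image: authelia/authelia
    volumes:
      - ./authelia:/config
    # No "ports:" entry: caddy reaches it as authelia:9091 on the
    # Compose network.

  booklore:
    image: ghcr.io/adityachandelgit/booklore-app:latest
    environment:
      - REMOTE_AUTH_ENABLED=true
      - REMOTE_AUTH_CREATE_NEW_USERS=true
      - REMOTE_AUTH_HEADER_USER=Remote-User
      - REMOTE_AUTH_HEADER_NAME=Remote-Name
      - REMOTE_AUTH_HEADER_EMAIL=Remote-Email
      - REMOTE_AUTH_HEADER_GROUPS=Remote-Groups
      - REMOTE_AUTH_ADMIN_GROUP=admin
    # WEAK: publishing the application port makes BookLore reachable without
    # passing through the proxy, so the Remote-* headers it trusts would no
    # longer be guaranteed to come from the SSO provider.
    # ports:
    #   - "6060:6060"
    #
    # HARDENED: leave "ports:" out entirely. caddy still reaches
    # booklore:6060 over the Compose network, and nothing else can.
    # ... rest of configuration ...
```

After deployment, `docker compose ps` should show a host port mapping only for the `caddy` service.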