SSO

Single Sign-On (SSO) and authentication providers settings

Forward Auth Oauth2

Forward Auth

Configuration settings for the Forward Auth provider.

The Forward Auth provider makes a subrequest to an authorization server that supports Forward Auth, then either:

Allows the request to flow through to the backend when the authorization server responds with a 200-299 status code.
Responds with the response from the authorization server.

Example authorization servers that support this:

Address The full remote address or URL of the authorization servers forward auth endpoint. Example: https://auth.example.com/authz/forward-auth

Advanced Options

Response Headers Comma separated list of case-insensitive headers to copy from the authorization servers response to the request sent to the backend. If not set no headers are copied.
Example: Remote-User,Remote-Groups,Remote-Email,Remote-Name

Response Client Headers Comma separated list of case-insensitive headers to copy from the authorization servers response to the response sent to the client. If not set no headers are copied.
Example: Set-Cookie,WWW-Authenticate

Request Headers Comma separated list of case-insensitive headers to copy from the original request to the request made to the authorization server. If not set all headers are copied.
Recommendation: Generally it's recommended to leave this blank or use the below example for predictable results.
Example: Accept,X-Requested-With,Cookie,Authorization,Proxy-Authorization

Request Included Cookies Comma separated list of case-sensitive cookie names to copy from the original request to the request made to the authorization server. If not set all cookies are included. This allows omitting all cookies not required by the authorization server.
Example: authelia_session,another_session

Request Excluded Cookies Comma separated list of case-sensitive cookie names to exclude from the request made to the backend application. If not set no cookies are excluded. This allows omitting the cookie intended only for the authorization server.
Example: authelia_session,another_session

OAuth 2.0

Configuration settings for OAuth 2.0 authentication provider.

Client ID Public identifier of the OAuth2 application

Client Secret Secret key of the OAuth2 application

OIDC well-known URL URL to the OIDC discovery document (usually ending with /.well-known/openid-configuration). Used to automatically fetch provider settings.

Authorization URL URL used to authenticate against the OAuth2 provider. Will redirect the user to the OAuth2 provider login view. Optional if Well-Known url is configured.

Token URL URL used by Zoraxy to exchange a valid OAuth2 authentication code for an access token. Optional if Well-Known url is configured.

User Info URL URL used by the OAuth2 provider to validate generated token. Optional if Well-Known url is configured.

Scopes Scopes required by the OAuth2 provider to retrieve information about the authenticated user. Refer to your OAuth2 provider documentation for more information about this. Optional if Well-Known url is configured.

Zoraxy SSO

Configuration settings for Zoraxy SSO provider.

Currently not implemented.