I’m building a multi tenant SaaS offering on top of Kubernetes. My understanding is that Authelia runs at the ingress/proxy layer (nginx, traefik, etc) before hitting the app service.
I like this idea since you technically would not have to build anything directly in each of the apps to handle authentication. However, because of the dynamic nature of this SaaS I need to have a layer in there somewhere that can first query something (API, database, cache,etc) that based on data from the incoming request would tell authelia if auth is required or not.
Is this possible with authelia? If so, any examples of how this might work?
Can you not just send the users request to two different URL, based on the decision if it needs auth or not? That would not be authelias task but your internal url routers. Authelia would handle the authentication on the path that requires auth and your proxy would directly serve the “open” content. The logic would have to take place in your app.
myapp.org/ checks what it’s going to be
myapp.org/secret/ serves content you need to be authenticated for
myapp.ort/open/ serves content that doesn’t need auth.
So the url can be anything and would not be known ahead of time if it is secure or not, because we allow the user to set a flag on that “resource” which is database driven. So, if someone goes to myapp.com/path1 right now, it may allow anonymous but 10 minutes later may require authentication. So we can’t hardcode paths in authelia ahead of time.
I’m thinking more about this, sounds like we need something in FRONT of authelia for this, right? So whatever that thing is, will forward to authelia or not.
I think that authelia is not really made for this scenario, so if you want to use authelia, I think you would have to loop back to before authelia and redirect to the different (auth / non-auth) urls.
I am pretty sure though you are not the first person to have this requirement so probably there is a better solution, but I would have no idea what to search for.
Generally speaking most proxies like haproxy or nginx are scriptable (HAproxy via Lua for example) so maybe that’s something you could let ok into. This article sounds s bit like your scenario:
https://www.egnyte.com/blog/post/dynamic-backends-in-haproxy-with-lua