I’m building a multi-tenant SaaS offering on top of Kubernetes. My understanding is that Authelia runs at the ingress/proxy layer (nginx, traefik, etc.) before hitting the app service.

I like this idea since you technically would not have to build anything directly in each of the apps to handle authentication. However, because of the dynamic nature of this SaaS, I need to have a layer in there somewhere that can first query something (API, database, cache, etc.) that, based on data from the incoming request, would tell Authelia if auth is required or not.

Is this possible with Authelia? If so, any examples of how this might work?

  • probablyjustpaul@alien.topB
    1 year ago

    Authelia can operate at the proxy level as you said, but it can also work at the application level. Authelia implements the OpenID Connect standard, which is designed first as a way for applications to authenticate users using client-side redirects.

    My recommendation would be to build (or potentially find) a piece of middleware that performs your API/DB query and then redirects to Authelia based on the response. Depending on what proxy/LB you’re using, it might even support this natively.
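One way the middleware suggested in the reply above could look, as an added example that is not part of the thread and not Authelia's own code: a small forward-auth service that looks up the tenant first, then either lets the request through or hands the check to Authelia, failing closed when the lookup breaks. The `TENANTS` table, the in-cluster service URL, the `/api/authz/forward-auth` path (depends on your Authelia version and configuration) and the use of `X-Forwarded-Host` as set by the ingress proxy are assumptions.

```python
from http.server import BaseHTTPRequestHandler, HTTPServer
import urllib.request, urllib.error

# Assumed in-cluster Authelia forward-auth endpoint; adjust to your deployment.
AUTHELIA_AUTHZ = "http://authelia.auth.svc:9091/api/authz/forward-auth"
# Constructed sample data standing in for the API/DB/cache query.
TENANTS = {"acme.apps.example.com": True, "docs.apps.example.com": False}
FORWARDED = ("X-Forwarded-Method", "X-Forwarded-Proto", "X-Forwarded-Host",
             "X-Forwarded-URI", "X-Forwarded-For", "Cookie", "Authorization")

def decide(host, lookup=TENANTS.__getitem__):
    """Return 'allow' (no auth needed), 'delegate' (ask Authelia) or 'deny'."""
    host = (host or "").split(":")[0].strip().lower()
    if not host:
        return "deny"
    try:
        return "delegate" if lookup(host) else "allow"
    except Exception:
        return "delegate"  # fail closed: unknown tenant or lookup outage

class NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None  # relay Authelia's 302 to the proxy instead of following it

def ask_authelia(headers):
    """Replay the proxy's forwarded headers to Authelia; return (status, headers)."""
    fwd = {k: headers[k] for k in FORWARDED if headers.get(k)}
    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(urllib.request.Request(AUTHELIA_AUTHZ, headers=fwd), timeout=3) as r:
            return r.status, r.headers.items()
    except urllib.error.HTTPError as e:   # 302/401/403 answered by Authelia
        return e.code, e.headers.items()
    except OSError:
        return 403, []                    # Authelia unreachable: deny

class Handler(BaseHTTPRequestHandler):
    def do_GET(self):
        # X-Forwarded-Host must be set by the ingress proxy, never taken from the client.
        verdict = decide(self.headers.get("X-Forwarded-Host"))
        status, hdrs = {"allow": (200, []), "deny": (403, [])}.get(verdict) or ask_authelia(self.headers)
        self.send_response(status)
        for k, v in hdrs:  # pass back only the redirect, session and identity headers
            if k.lower() in ("location", "set-cookie") or k.lower().startswith("remote-"):
                self.send_header(k, v)
        self.end_headers()

if __name__ == "__main__":
    HTTPServer(("0.0.0.0", 8080), Handler).serve_forever()
```

The ingress would point its external-auth hook (for example nginx `auth_request` or Traefik ForwardAuth) at this service instead of directly at Authelia.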