I’m building a multi tenant SaaS offering on top of Kubernetes. My understanding is that Authelia runs at the ingress/proxy layer (nginx, traefik, etc) before hitting the app service.
I like this idea since you technically would not have to build anything directly in each of the apps to handle authentication. However, because of the dynamic nature of this SaaS I need to have a layer in there somewhere that can first query something (API, database, cache,etc) that based on data from the incoming request would tell authelia if auth is required or not.
Is this possible with authelia? If so, any examples of how this might work?
So the url can be anything and would not be known ahead of time if it is secure or not, because we allow the user to set a flag on that “resource” which is database driven. So, if someone goes to myapp.com/path1 right now, it may allow anonymous but 10 minutes later may require authentication. So we can’t hardcode paths in authelia ahead of time.
I’m thinking more about this, sounds like we need something in FRONT of authelia for this, right? So whatever that thing is, will forward to authelia or not.
I think that authelia is not really made for this scenario, so if you want to use authelia, I think you would have to loop back to before authelia and redirect to the different (auth / non-auth) urls.
I am pretty sure though you are not the first person to have this requirement so probably there is a better solution, but I would have no idea what to search for.
Generally speaking most proxies like haproxy or nginx are scriptable (HAproxy via Lua for example) so maybe that’s something you could let ok into. This article sounds s bit like your scenario:
https://www.egnyte.com/blog/post/dynamic-backends-in-haproxy-with-lua