Configuring Authentik Forward Authentication on a Per-Application Basis... possible?

[ZLoth]

Greetings. About a month ago, I migrated from Nginx Proxy Manager to Zoraxy on my TrueNAS, and have been liking the improvements, especially the better reporting and the county-based allow lists. However, one of the challenges I've been facing is the forward authentication using Authentik. I've consulted the following, and am confused.

• [WIP] Add Authentik forward auth support #568
• Error 400 on Forward Auth (domain level) via Outpost goauthentik/authentik#10848
• https://github.com/tobychui/zoraxy/wiki/Move-to-Zoraxy-from-Nginx-Proxy-Manager

What I'm trying to do - I have the following applications set up on my server:

• ChangeDetection.io (Admin only)
• ConvertX
• DrawIO (Admin only)
• IT Tools
• OpenSpeedTest
• StirlingPDF

These applications lack the OAuth2/OpenID Provider in the application itself, so I set up Per-Application authentication for these apps in order to control access for the very limited group of friends that I share the server. Under Nginx, I know that I had to pass some headers as a script which I copied from Authentik into Nginx to get Forward Authentication to work and setting up an Outpost and I can control access.

Under Zoraxy, I'm.... lost. I'm sure that once I get one working, the rest will quickly fall into place. One of my confusion points is at the SSO / Oauth2 page..... do I use Forward, or OAuth2, and do I have to plug in additional headers?

Does Zoraxy support per-application integration with Authentik at this time? If not, then how do I configure it via domain so that I can get four of the applications working?

[ZLoth]

I am attempting to configure my Reverse Proxy, Zoraxy, to use Forward Authentication, with Authentik as the authorizatin provider. I previously was using Nginx Proxy Manager, but switched over to Zoraxy for some additional functionality and reporting (I like being able to restrict access to my home server to just United States-based IP addresses). I have several web-apps that lack any sort of authentication or user management that I want to expose to the Internet so that I can access them remotely, so forward authentication is necessary. I was able to configure Zoraxy for OATH, but I really need to configure it for Forward Authentication on a Per-Application basis. When I tried this morning, I got a "Not Found" message.

Note that I'm substituting mydomain.tld instead of my actual domain.

From Zoraxy v.3.2.9:

• Address: http://auth.mydomain.tld/outpost.goauthentik.io/auth/traefik
• Response Headers: I tried both blank and putting in X-authentik-username X-authentik-groups X-authentik-entitlements X-authentik-email X-authentik-name X-authentik-uid X-authentik-jwt X-authentik-meta-jwks X-authentik-meta-outpost X-authentik-meta-provider X-authentik-meta-app X-authentik-meta-version and X-authentik-username,X-authentik-groups,X-authentik-entitlements,X-authentik-email,X-authentik-name,X-authentik-uid,X-authentik-jwt,X-authentik-meta-jwks,X-authentik-meta-outpost,X-authentik-meta-provider,X-authentik-meta-app,X-authentik-meta-version
• Response Client Headers: blank
• Request Headers: blank
• Request Included Cookies: blank
• Request Excluded Cookies: blank
• Forward Auth Request Include Request Body: Not checked
• Use X-Original-* Headers: Not checked

Provider Settings (Associated with IT-Tools Application which I'm testing with):

Name: Provider for IT Tools
Authorization Flow: default-provider-authorization-implicit-consent (Authorize Application)

When I use Forward Auth (single application), I set the following:

• External Host: https://it-tools.mydomain.tld

When I tried Forward Auth (domain level), I set the following:

• Authentication URL: https://it-tools.mydomain.tld
• Cookie Domain: it-tools.mydomain.tld

Token Validity: hours=24

Advanced Protocol Settings:

• Certificate: Blank
• Additional Scopes: I am using the authentik default OAUTH Mappings for Application Entitlements, OpenID email, OpenID openid, OpenID profile, and Proxy Outpost
• Unauthenticated URLs: Blank

Authentication Settings:

• Intercept header authentication: Not set
• Send HTTP-Basic Authentication: Not set
• Federated OIDC Sources: Blank
• Federated OIDC Providers: Blank

Advanced flow settings:

• Authentication flow: Blank
• Invalidation flow: default-provider-invalidation-flow (Logged out of application)

Outpost:

• Name: authentik Embedded Outpost
• Type: Proxy
• Integration: Blank
• Applications: IT Tools is selected

Advanced Settings → Configuration:

log_level: info
docker_labels: null
authentik_host: https://auth.mydomain.tld
docker_network: null
container_image: null
docker_map_ports: true
refresh_interval: minutes=5
kubernetes_replicas: 1
kubernetes_namespace: default
authentik_host_browser: ""
object_naming_template: ak-outpost-%(name)s
authentik_host_insecure: false
kubernetes_json_patches: null
kubernetes_service_type: ClusterIP
kubernetes_ingress_path_type: null
kubernetes_image_pull_secrets: []
kubernetes_ingress_class_name: null
kubernetes_disabled_components: []
kubernetes_ingress_annotations: {}
kubernetes_ingress_secret_name: authentik-outpost-tls
kubernetes_httproute_annotations: {}
kubernetes_httproute_parent_refs: []