Replies: 1 comment
-
Couldn't tell you if it's the right way, but I handled a similar case by creating two sets of Application+Provider+Outpost in Authentik. I'm running everything on a Kubernetes cluster, but the idea should be transferable, I think.
The Providers each have a custom Authorization Flow with a policy binding like
I then set up two Middleware resources which, again, are almost identical. The only differences are the name and spec.forwardAuth.Address, which follows the pattern
Then each site's Ingress (provided by Traefik) references whichever Middleware is needed for the group by that Middleware's name.
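A sketch of the Traefik side of the setup described in the reply above, as an added example that is not the poster's own configuration: two Middleware resources that differ only in name and forward-auth address, and one Ingress that selects the group 1 Middleware. All names, namespaces, hosts and addresses are placeholders, and `traefik.io/v1alpha1` assumes a current Traefik CRD version.

```yaml
# Added example. Every name, namespace, host and URL is a placeholder.
# The group check itself lives in Authentik (the policy bound to each
# provider's authorization flow); Traefik only picks which outpost to ask.
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: authentik-group1
  namespace: auth
spec:
  forwardAuth:
    address: "<forward-auth URL of the group1 outpost>"   # placeholder
    trustForwardHeader: true
    authResponseHeaders:
      - X-authentik-username
      - X-authentik-groups
---
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: authentik-group2
  namespace: auth
spec:
  forwardAuth:
    address: "<forward-auth URL of the group2 outpost>"   # placeholder
    trustForwardHeader: true
    authResponseHeaders:
      - X-authentik-username
      - X-authentik-groups
---
# Site a is reserved for group 1, so its router uses the group1 Middleware.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: site-a
  namespace: auth
  annotations:
    # Format: <namespace>-<middleware name>@kubernetescrd
    traefik.ingress.kubernetes.io/router.middlewares: auth-authentik-group1@kubernetescrd
spec:
  rules:
    - host: site-a.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: site-a
                port:
                  number: 80
```

An Ingress that carries no Middleware annotation is served without any forward-auth check, so every restricted site needs one of the two references.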
-
I have been trying to wrap my brain around restricting certain domains to certain groups using the domain level forward auth.
Certain Docker apps I am using don't support OIDC, so for those I wanted to use a domain level forward auth.
For example:
Group 1 needs access to site a, site b,
but group 2 needs access to site c, site d.
Except group 2 should be restricted from accessing site a, site b.
I tried implementing a policy at the application level but that has not worked out for me.