Question about traefik-oidc-auth + pocket-id + basic auth

[ovizii]

I am busy migrating from authentik to pocket-id. With authentik, I could pass basic auth through forward-auth to an application expecting basic auth. I am specifically looking to make backrest work - a workaround would be to completely disable auth in backrest and rely on traefik-oidc-auth + pocket-id in front of it.

I might be better off asking this question in the pocket-id space but since I know the author here is also knowledgeable about pocket-id, I'm trying my luck here first.

Here is the description on how it works with authentik: garethgeorge/backrest#129 (comment)

Not sure if this can be made to work with traefik-oidc-auth + pocket-id - I don't know enough about hte subject.

[sevensolutions]

Hi @ovizii,
so if i understand that correctly, you want to secure an application called "backrest" with this plugin to provide OIDC authentication and then forward the authentication to the app itself to skip it's own authentication, right?

What you can do is use the headers-configuration to pass some custom headers to the upstream service.
You can pass down the access token or any other claim value (like an email address) from the token.

If you want to use basic auth you can theoretically do that by just setting the Authorization-header to Basic but the the big question is where you get the password from?

Unfortunately i don't have much experience with PocketID and i think PocketID doesn't even store a single password. I think it's using Passkeys exclusively.

[ovizii]

Thanks for taking the time to reply. I am quite unfamiliar with the topic if authentication so I might mix some terms up very badly :-/

so if i understand that correctly, you want to secure an application called "backrest" with this plugin to provide OIDC authentication and then forward the authentication to the app itself to skip it's own authentication, right?

That is correct. Unfortunately I didn't find docs on how backrest does this, so I do not know what headers it expects.
The link above where it is explained for authentik, is slightly different as the method is to instruct authentik to send HTTP-Basic Authentication which traefik then passes through. (You also need to specify the user/pass combo in authentik for it to be passed through. I looked at pocket-id and it seems you can specify custom claims per user but I think this is getting too complicated.

I tried passing the authorization headers through, just to see what happens.

            - Name: "Authorization"
              Value: "{{`Bearer {{ .accessToken }}`}}"

And the result was backrest telling me:

WARN auth middleware blocked bad JWT: parse token: token signature is invalid: key is of invalid type: RSA verify expects *rsa.PublicKey

The result is, that I disabled authentication within backrest completely as it is a single-user app and its port is not exposed s othe onyl way to access it is via traefik and pocket-id with traefik-oidc-auth protect me here so it is not important to pass on the user to backrest.