[GH-ISSUE #453] Feature Request: Add support for authentication by reverse proxy #278

Closed
opened 2026-02-25 23:33:51 +03:00 by kerem · 0 comments
Owner

Originally created by @max-tet on GitHub (Jul 26, 2022).
Original GitHub issue: https://github.com/go-shiori/shiori/issues/453

When self-hosting multiple applications, you really want to have a single point for user management and authentication. It is annoying to log in to each and every app separately.

A pretty simple way to centralize authentication is to deploy apps behind a reverse proxy and use proxy auth. The proxy handles authentication in some way and sets HTTP headers containing the username that was successfully logged in. The apps read the headers and associate incoming requests with that user.

The perfect proxy auth feature for me would work like this:

  1. Start shiori with additional environment variables:
     • containing the name of the initial admin user (e.g. admin=admin_user)
     • enabling proxy auth (e.g. proxy_auth=true)
     • setting the key of the HTTP header that contains the username (e.g. auth_header=X-Authenticated-User)
  2. Configure the reverse proxy to authenticate incoming requests in any way you like.
  3. Let the reverse proxy set X-Authenticated-User to the authenticated username on every request.
  4. Shiori treats the requests as if they belong to the appropriate user session.
  5. Bonus: if shiori does not know the username, it creates a new user with that name.

Other SSO methods like OIDC still require the user to log in with each app, even if no credentials are required. It is still an additional step that is unneeded and hurts the user experience.

Additional context:
I am using Shiori for this product (https://getportal.org/). Since this is a single-user platform, users really should see no login screen at all, not even for SSO.

kerem closed this issue 2026-02-25 23:33:51 +03:00
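
The header check that steps 3 and 4 of the request depend on, as an added Go example (not code from Shiori or from the issue author). The `ProxyAuth` type, its `Trusted` network list and the function names are hypothetical; the example assumes the application can see the proxy's address as the TCP peer, and it accepts the username header only from that peer, because the header is an identity assertion that is only meaningful when the proxy set it.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"strings"
)

// ProxyAuth: Header is the issue's auth_header value; Trusted (the networks the
// reverse proxy connects from) is an assumption added for this example.
type ProxyAuth struct {
	Header  string
	Trusted []*net.IPNet
}

func NewProxyAuth(header string, cidrs ...string) (*ProxyAuth, error) {
	p := &ProxyAuth{Header: header}
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			return nil, err
		}
		p.Trusted = append(p.Trusted, n)
	}
	return p, nil
}

// User returns the username asserted by the proxy. It refuses the header when
// the TCP peer is not a trusted proxy, or when the header is absent, empty or repeated.
func (p *ProxyAuth) User(remoteAddr string, h http.Header) (string, bool) {
	host, _, err := net.SplitHostPort(remoteAddr)
	if err != nil {
		return "", false
	}
	ip, fromProxy := net.ParseIP(host), false
	for _, n := range p.Trusted {
		fromProxy = fromProxy || (ip != nil && n.Contains(ip))
	}
	vals := h.Values(p.Header)
	if !fromProxy || len(vals) != 1 {
		return "", false
	}
	name := strings.TrimSpace(vals[0])
	return name, name != ""
}

func main() {
	p, _ := NewProxyAuth("X-Authenticated-User", "127.0.0.1/32")
	viaProxy := http.Header{"X-Authenticated-User": {"admin_user"}} // constructed sample
	fmt.Println(p.User("127.0.0.1:40000", viaProxy))   // peer is the proxy
	fmt.Println(p.User("203.0.113.9:40000", viaProxy)) // direct client: refused
}
```

In a handler, `remoteAddr` would be `r.RemoteAddr` and `h` would be `r.Header`; a request for which `User` returns false falls back to the normal login flow.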