Add option/environment var to disable auth

[spectrapulse]

Some of us run reverse proxies with middleware that take care of authentication.
It would be nice if we could disable authentication or have a way to bypass the login.
I think LDAP would be kind of overkill for my setup to provide a somewhat unified login experience so it would be nice if I could disable the login functionality.

(maybe an option to disable the expiration of the session cookie so I can just pass it along as a request header to the host?)

[cuigh]

You can create an administrator account first, and then create a token for this user to use Swirl with token authentication. See: Deploy service with Swirl

[prologic]

To be honest I'd also like to see something like this. In an ideal world auth is configurable between:

• LDAP
• • User/Password
• • Trusted Headers / Proxy Auth

The later is what I want, as I can easily put Authelia in front of this 👌

What would it take to support this? 🤔

[cuigh]

How about using the token authentication mentioned above?

[prologic]

How about using the token authentication mentioned above?

I don't see how that would work with Authelia in front reverse proxying to Swirl? It would need to pass Remote-User, for eexample:

Remote-Email: [email protected]
Remote-Groups: selfhosted,mills
Remote-Name: James Mills
Remote-User: prologic

[prologic]

Or rather, sorry to be precise, Swirl would take Remote-User and use this to populate its internal session and trust the proxy.

[cuigh]

Sorry, I'm not very familiar with Authelia. For Swirl, it needs to obtain the user identity from the Authorization header. How can Swirl map Remote-User to its internal users if it is only the user's ID in Authelia?

[prologic]

Because the authentication has already happened at the proxy. Applications like Swirl would trust the proxy's headers. This is the simplest form of SSO and it works really well. I have many applications behind (that support header based auth) behind Authelia. See Trusted Header SSO

[spectrapulse]

Wouldn't only apply to Authelia. But every reverse proxy setup which forwards authentication or uses SSO. May it use barebones NGINX or a solution like Traefik using a middleware. I've tried simply passing an Auth header to Swirl using a Traefik middleware but had very mixed results as even when the header is sent with either the response or request header it still tends to redirect to the login or incorrectly display information on pages or other UI issues Client Side. It would be great if Auth could fully be disabled or if another way of bypassing auth would be provided.

[prologic]

@cuigh Any further thoughts on supporting SSO for Swirl? Trusted Headers is the simplest way to support this, I'm sure with your experience of the codebase you'd get this done pretty easily. OAuth / OpenID Connect (OIDC) is also an option too (bit more work on both sides)

[Yaytay]

We have swirl behind an AWS LB that authenticates the user but doesn't give us any option for setting headers (beyond the standard X-Forwarded).
I'd like swirl to either support OAuth or to have auth disabled.
I don't want my users making any changes via swirl, so it would make me happy if the auth-less version was strictly read-only.