Authentik + Nginx + JetKVM: A guid to SSO (needs to be tested)

[moutasem1989]

JetKVM is a greate tool also for Home labers. In my Home Lab I have been using Authentik on most of my services and I always try to impliment it even when it is not exacly designed for it. In this thread I am hoping to find a way to make JetKVM work with Authentik + Nginx Proxy Manager.

For this method I will use JetKVM with a Password to make things more dificult for us and more realistic from a security stand.

Step 1: JetKVM Authentication Tokens:
According to documentation, the access token is stored as an HTTP-only cookie in the browser for 7 days. running CURL i was able to save the cookie data as a text file:

curl 'http://[JetKVM IP address]/auth/login-local' -H 'Content-Type: application/json; charset=UTF-8' --data-raw '{"password":"[JetKVM Password]"}' --compressed --cookie-jar ./cookie.txt

The file ./cookie.txt conains the access token just as described in documentations.

Inspecting the Login page, it seems that the Respons contains a header named set-cookie with the value auth=[JetKVM access token]; Path=/; Max-Age=604800; HttpOnly. This is used to save the access token as cookie.

The token can easily be obtined using Authentik Scope Mapping. As an example we will save JetKVM Password as a Group Attributes in Authentik so members of the group will have access to https://jetkvm.domain.tld.

In Authentik Admin Panel, go to Directory > Groups and edit the group you want to give access. Under Attributes add the following:
kvm_password: [JetKVM Password]

In Authentik Admin Panel, go to Customization > Property Mappings and create a new Scope Mapping as following:
Name: jetkvm-token
Scope Name: ak_proxy (This cannot be changed)
Expression:

import json
from urllib.parse import urlencode
from urllib.request import Request, urlopen

if request.user.username == "":
  return {"ak_proxy": {"user_attributes": {"additionalHeaders": {"X-Kvm-Token": "null"}}}}
else:
  kvmpass = request.user.group_attributes().get("kvm_password", "")

base_url = "http://[JetKVM IP]"
end_point = "/auth/login-local"
json_data = {'password': kvmpass}
postdata = json.dumps(json_data).encode()
headers = {"Content-Type": "application/json; charset=UTF-8"}
try:
  httprequest = Request(base_url + end_point, data=postdata, method="POST", headers=headers)
  with urlopen(httprequest) as response:
    authcookie = response.headers['set-cookie']
  return {"ak_proxy": {"user_attributes": {"additionalHeaders": {"X-Kvm-Token": authcookie}}}}
except: return {"ak_proxy": {"user_attributes": {"additionalHeaders": {"X-Kvm-Token": "null"}}}}

Test this Scope with some users. Users that belonge to the groupe with the Attribute we addedd should return the Access Token and others will return "Null".

Step 2: Outpost is accessble
To use proxy authentication, make sure Authentik Outpost is configured correctly and it is accessble. In my case I used the Authentik Embeded Outpost, and exposed the port 9443 of Authentik container. In the Outpost settings I made sure that Authentik Domain is added: authentik_host: https://authentik.domain.tld/. In step 3, I used https://[authentik machin IP address]:9443 because using https://auth.domain.tld always returned Error 500. Adding my home subnet to ENV. value AUTHENTIK_LISTEN__TRUSTED_PROXY_CIDRS helped. Check out Authentik Guid.

Step 3: Create Proxy Authentication Provider
Create a Proxy Provider in Authentik and the Application needed then add the provider to the embeded outpost. There are actually many documentation on doing that. I used this Guid or This.

Step 4: Fetching JetKVM Access Token
To get the Token we created in our Property Mappings, we change the NginX Proxy Manager Code:

proxy_buffers 8 16k;
proxy_buffer_size 32k;

# Make sure not to redirect traffic to a port 4443
port_in_redirect off;

location = /login {
  return 301 /;
}

location / {
    proxy_pass $forward_scheme://$server:$port;
    proxy_http_version 1.1;
    proxy_set_header X-Forwarded-Proto https;
    proxy_set_header X-Forwarded-Port 443;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header Host $host;
    #proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "Upgrade";

    auth_request     /outpost.goauthentik.io/auth/nginx;
    error_page       401 = @goauthentik_proxy_signin;

    #here we save the token we got as a cookie:
    auth_request_set $kvm_auth $upstream_http_x_kvm_token;
    add_header       Set-Cookie $kvm_auth;
}

# all requests to /outpost.goauthentik.io must be accessible without authentication
location /outpost.goauthentik.io {
    # When using the embedded outpost, use:
    proxy_pass              https://[Authentik machin IP]:9443/outpost.goauthentik.io;
    # For manual outpost deployments:
    # proxy_pass              http://outpost.company:9000;

    # Note: ensure the Host header matches your external authentik URL:
    proxy_set_header        Host $host;

    proxy_set_header        X-Original-URL $scheme://$http_host$request_uri;
    add_header              Set-Cookie $auth_cookie;
    auth_request_set        $auth_cookie $upstream_http_set_cookie;
    proxy_pass_request_body off;
    proxy_set_header        Content-Length "";
}

# Special location for when the /auth endpoint returns a 401,
# redirect to the /start URL which initiates SSO
location @goauthentik_proxy_signin {
    internal;
    add_header Set-Cookie $auth_cookie;
    return 302 /outpost.goauthentik.io/start?rd=$request_uri;
    # For domain level, use the below error_page to redirect to your authentik server with the full redirect path
    # return 302 https://authentik.company/outpost.goauthentik.io/start?rd=$scheme://$http_host$request_uri;
}

When testing make sure to clear all cookies or try it in incognito window.

[kashalls]

Realistically, the best way would to support OIDC is in the application itself. The problem is the chain. You can support OIDC on the device, by making some changes to the way the login process works.

Currently the device is hard locked to support Google to login into your device, and link it to the cloud. We have to do something to change that. Support OIDC on your device would probably be something along the lines of you setup a U&P on the device for the first time, and later can go in and setup your OIDC connection.

[moutasem1989]

thank you very much for your response. It always takes a while to implement OIDC. There are many self hosted services that still do not support it. I have been trying the method for some services including JetKVM and its been working as expected so far. I wanted to share in case someone finds it usefull.