31 lines
801 B
Markdown
31 lines
801 B
Markdown
# Authentication Flow
|
|
|
|
Forward auth path for an internal service that doesn't speak OIDC natively. OIDC-native services skip the Caddy auth hop and go to Authentik directly.
|
|
|
|
```mermaid
|
|
sequenceDiagram
|
|
participant U as User
|
|
participant C as Caddy<br/>(reverse proxy)
|
|
participant A as Authentik<br/>(IdP)
|
|
participant S as Internal service
|
|
|
|
U->>C: HTTPS request
|
|
C->>A: Forward auth check
|
|
A-->>C: 401 (no session)
|
|
C-->>U: 302 → auth.lerkolabs.com
|
|
|
|
U->>A: Login (OIDC or password)
|
|
A-->>U: Set session cookie
|
|
|
|
U->>C: HTTPS request + cookie
|
|
C->>A: Forward auth check
|
|
A-->>C: 200 OK + identity headers
|
|
C->>S: Proxy request<br/>(plain HTTP, internal hop)
|
|
S-->>U: Response
|
|
```
|
|
|
|
|
|
## Notes
|
|
|
|
- If Authentik is down, internal services are unreachable. This is an accepted tradeoff.
|