Backwards compatibility and additional cookie handling tweaks

root/defaults/nginx/authelia-location.conf.sample

@@ -3,9 +3,9 @@
 # Rename /config/nginx/proxy-confs/authelia.subdomain.conf.sample to /config/nginx/proxy-confs/authelia.subdomain.conf
 # Make sure that the authelia configuration.yml has 'path: "authelia"' defined
 
-## Send a subrequest to Authelia to verify if the user is authenticated and has permission to access the resource.
+## Send a subrequest to Authelia to verify if the user is authenticated and has permission to access the resource
 auth_request /authelia/api/verify;
-## If the subreqest returns 200 pass to the backend, if the subrequest returns 401 redirect to the portal.
+## If the subreqest returns 200 pass to the backend, if the subrequest returns 401 redirect to the portal
 error_page 401 = @authelia_proxy_signin;
 
 ## Translate the user information response headers from the auth subrequest into variables
@@ -20,8 +20,8 @@ proxy_set_header Remote-Groups $groups;
 proxy_set_header Remote-Name $name;
 proxy_set_header Remote-User $user;
 
-## Translate the Set-Cookie response header from auth subrequest into a variable
+## Translate the Set-Cookie response header from the auth subrequest into a variable
 auth_request_set $set_cookie $upstream_http_set_cookie;
 
-## Translate the Location response header from auth subrequest into a variable
-auth_request_set $redirection_url $upstream_http_location;
+## Translate the Location response header from the auth subrequest into a variable
+auth_request_set $signin_url $upstream_http_location;

root/defaults/nginx/authelia-server.conf.sample

@@ -12,6 +12,7 @@ location ^~ /authelia {
     proxy_pass http://$upstream_authelia:9091;
 
     ## Include the Set-Cookie header if present
+    auth_request_set $set_cookie $upstream_http_set_cookie;
     add_header Set-Cookie $set_cookie;
 
     proxy_pass_request_body off;
@@ -23,16 +24,20 @@ location @authelia_proxy_signin {
     internal;
 
     ## Include the Set-Cookie header if present
+    auth_request_set $set_cookie $upstream_http_set_cookie;
     add_header Set-Cookie $set_cookie;
 
-    ## Set the $target_url variable based on the original request.
+    ## Set the $target_url variable based on the original request
     set_escape_uri $target_url $scheme://$http_host$request_uri;
 
-    ## Set $redirection_url if it is empty
-    if ($redirection_url = false) {
-        set $redirection_url https://$http_host/authelia/?rd=$target_url;
+    ## Translate the Location response header from the auth subrequest into a variable
+    auth_request_set $signin_url $upstream_http_location;
+
+    if ($signin_url = '') {
+        ## Set the $signin_url variable
+        set $signin_url https://$http_host/authelia/?rd=$target_url;
     }
 
     ## Redirect to login
-    return 302 $redirection_url;
+    return 302 $signin_url;
 }

root/defaults/nginx/authentik-location.conf.sample

@@ -2,9 +2,9 @@
 # Make sure that your authentik container is in the same user defined bridge network and is named authentik-server
 # Rename /config/nginx/proxy-confs/authentik.subdomain.conf.sample to /config/nginx/proxy-confs/authentik.subdomain.conf
 
-## Send a subrequest to Authentik to verify if the user is authenticated and has permission to access the resource.
+## Send a subrequest to Authentik to verify if the user is authenticated and has permission to access the resource
 auth_request /outpost.goauthentik.io/auth/nginx;
-## If the subreqest returns 200 pass to the backend, if the subrequest returns 401 redirect to the portal.
+## If the subreqest returns 200 pass to the backend, if the subrequest returns 401 redirect to the portal
 error_page 401 = @goauthentik_proxy_signin;
 
 ## Translate the user information response headers from the auth subrequest into variables
@@ -21,5 +21,5 @@ proxy_set_header X-authentik-name $authentik_name;
 proxy_set_header X-authentik-uid $authentik_uid;
 proxy_set_header X-authentik-username $authentik_username;
 
-## Translate the Set-Cookie response header from auth subrequest into a variable
+## Translate the Set-Cookie response header from the auth subrequest into a variable
 auth_request_set $set_cookie $upstream_http_set_cookie;

root/defaults/nginx/authentik-server.conf.sample

@@ -11,6 +11,7 @@ location ^~ /outpost.goauthentik.io {
     proxy_pass http://$upstream_authentik:9000;
 
     ## Include the Set-Cookie header if present
+    auth_request_set $set_cookie $upstream_http_set_cookie;
     add_header Set-Cookie $set_cookie;
 
     proxy_pass_request_body off;
@@ -22,16 +23,15 @@ location @goauthentik_proxy_signin {
     internal;
 
     ## Include the Set-Cookie header if present
+    auth_request_set $set_cookie $upstream_http_set_cookie;
     add_header Set-Cookie $set_cookie;
 
-    ## Set the $target_url variable based on the original request.
+    ## Set the $target_url variable based on the original request
     set_escape_uri $target_url $scheme://$http_host$request_uri;
 
-    ## Set $redirection_url if it is empty
-    if ($redirection_url = false) {
-        set $redirection_url https://$http_host/outpost.goauthentik.io/start?rd=$target_url;
-    }
+    ## Set the $signin_url variable
+    set $signin_url https://$http_host/outpost.goauthentik.io/start?rd=$target_url;
 
     ## Redirect to login
-    return 302 $redirection_url;
+    return 302 $signin_url;
 }