Fix trusted cidrs check (#5853)

* Fix ignored TRUSTED_PROXY issue

* Add a sub-section to the docs no property mappings for Authentik

* Typo

* Fix typing

* A few changes to the doc

---------

Co-authored-by: Alexandre Alapetite <alexandre@alapetite.fr>

1 files changed, 20 insertions, 0 deletions

diff --git a/docs/en/admins/09_AccessControl.md b/docs/en/admins/09_AccessControl.md
index e158f2a4e..4f45554cb 100644
--- a/docs/en/admins/09_AccessControl.md
+++ b/docs/en/admins/09_AccessControl.md
@@ -34,6 +34,26 @@ You may alternatively pass a `TRUSTED_PROXY` environment variable in a format co
 
 > ☠️ WARNING: FreshRSS will trust any IP configured in the `trusted_sources` option, if your proxy isn’t properly secured, an attacker could simply attach this header and get admin access.
 
+### Authentik Proxy Provider
+
+If you wish to use external authentication with [Authentik](https://goauthentik.io/),
+you will need to configure a [Proxy Provider](https://goauthentik.io/docs/providers/proxy/) with a *Property Mapping* that tells Authentik to inject the `X-WebAuth-User` HTTP header.
+You can do so with the following expression:
+
+```python
+return {
+    "ak_proxy": {
+        "user_attributes": {
+            "additionalHeaders": {
+                "X-WebAuth-User": request.user.username,
+            }
+        }
+    }
+}
+```
+
+See also another option for Authentik, [using the OAuth2 Provider with OpenID](16_OpenID-Connect-Authentik.md).
+
 ## No Authentication
 
 Not using authentication on your server is dangerous, as anyone with access to your server would be able to make changes as an admin.