aboutsummaryrefslogtreecommitdiff
path: root/docs/en/admins/09_AccessControl.md
diff options
context:
space:
mode:
Diffstat (limited to 'docs/en/admins/09_AccessControl.md')
-rw-r--r--docs/en/admins/09_AccessControl.md20
1 files changed, 20 insertions, 0 deletions
diff --git a/docs/en/admins/09_AccessControl.md b/docs/en/admins/09_AccessControl.md
index e158f2a4e..4f45554cb 100644
--- a/docs/en/admins/09_AccessControl.md
+++ b/docs/en/admins/09_AccessControl.md
@@ -34,6 +34,26 @@ You may alternatively pass a `TRUSTED_PROXY` environment variable in a format co
> ☠️ WARNING: FreshRSS will trust any IP configured in the `trusted_sources` option, if your proxy isn’t properly secured, an attacker could simply attach this header and get admin access.
+### Authentik Proxy Provider
+
+If you wish to use external authentication with [Authentik](https://goauthentik.io/),
+you will need to configure a [Proxy Provider](https://goauthentik.io/docs/providers/proxy/) with a *Property Mapping* that tells Authentik to inject the `X-WebAuth-User` HTTP header.
+You can do so with the following expression:
+
+```python
+return {
+ "ak_proxy": {
+ "user_attributes": {
+ "additionalHeaders": {
+ "X-WebAuth-User": request.user.username,
+ }
+ }
+ }
+}
+```
+
+See also another option for Authentik, [using the OAuth2 Provider with OpenID](16_OpenID-Connect-Authentik.md).
+
## No Authentication
Not using authentication on your server is dangerous, as anyone with access to your server would be able to make changes as an admin.
generated by cgit v1.2.3 (git 2.39.1) at 2026-02-10 11:08:41 +0000