From 641b89197243c67f90e8853ad2187c831050fbe7 Mon Sep 17 00:00:00 2001 From: Joe Stump Date: Fri, 10 Nov 2023 23:40:51 -0800 Subject: Fix trusted cidrs check (#5853) * Fix ignored TRUSTED_PROXY issue * Add a sub-section to the docs no property mappings for Authentik * Typo * Fix typing * A few changes to the doc --------- Co-authored-by: Alexandre Alapetite --- docs/en/admins/09_AccessControl.md | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) (limited to 'docs/en/admins/09_AccessControl.md') diff --git a/docs/en/admins/09_AccessControl.md b/docs/en/admins/09_AccessControl.md index e158f2a4e..4f45554cb 100644 --- a/docs/en/admins/09_AccessControl.md +++ b/docs/en/admins/09_AccessControl.md @@ -34,6 +34,26 @@ You may alternatively pass a `TRUSTED_PROXY` environment variable in a format co > ☠️ WARNING: FreshRSS will trust any IP configured in the `trusted_sources` option, if your proxy isn’t properly secured, an attacker could simply attach this header and get admin access. +### Authentik Proxy Provider + +If you wish to use external authentication with [Authentik](https://goauthentik.io/), +you will need to configure a [Proxy Provider](https://goauthentik.io/docs/providers/proxy/) with a *Property Mapping* that tells Authentik to inject the `X-WebAuth-User` HTTP header. +You can do so with the following expression: + +```python +return { + "ak_proxy": { + "user_attributes": { + "additionalHeaders": { + "X-WebAuth-User": request.user.username, + } + } + } +} +``` + +See also another option for Authentik, [using the OAuth2 Provider with OpenID](16_OpenID-Connect-Authentik.md). + ## No Authentication Not using authentication on your server is dangerous, as anyone with access to your server would be able to make changes as an admin. -- cgit v1.2.3
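Review bot: The new "Authentik Proxy Provider" section does not tie the header injection back to the warning immediately above it, which says FreshRSS trusts `X-WebAuth-User` from any IP listed in `trusted_sources`. A reader who follows only this sub-section gets the mapping expression but no reminder that the Authentik proxy's address must be the one listed in `trusted_sources` (or passed via `TRUSTED_PROXY`), and that FreshRSS must not be reachable by a path that bypasses that proxy. I suggest adding one sentence to that effect before "You can do so with the following expression:". Since the mapping sets the header to `request.user.username`, the section should also say that this value is the identity FreshRSS will act on, so the Authentik username has to correspond to the intended FreshRSS user. Separately, the subject line and first bullet describe a fix to the trusted CIDR / `TRUSTED_PROXY` check, but this view is limited to the docs file and shows only the 20 added documentation lines, so the code change itself cannot be reviewed from here.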