Grist + Authelia: Custom logout path

Ask for Help
#1

I was able to setup Grist using Authelia for logins. It works well but the issue I’m facing is with regards to logging out.

Clicking Sign Out goes to the https://grist.mydomain.tld/logout then eventually to https://grist.mydomain.tld/o/orgname/signed-out.

Is it possible to set a custom sign-out page, Maybe something similar to GRIST_FORWARD_AUTH_LOGOUT_PATH?

GRIST_PROXY_AUTH_LOGOUT_URL=https://auth.mydomain.tld/logout?rd=https://grist.mydomain.tld
1 Like
#2

Hey :grinning:,
How did you manage to setup Grist + Authelia ?
Did you follow a tutorial ?

Thanks

#3

There’s no single tutorial that I had followed. Just read several documentation.

Let me try and briefly describe my setup.
Apologies that I need to break some links. Can’t put more that 2 links because I’m “too new” here.

I have all the applications running as Docker containers. Apologies that I won’t cover the NPM and Authelia setup here. They’re websites have pretty good guides. NPM and Authelia are on one server and Grist on another but shouldn’t matter here.

  • Nginx Proxy Manager / nginxproxymanager(dot)com – as reverse proxy
  • Authelia / www.authelia(dot)com - for authentication
  • Grist of course

Grist Setup
I started with setting up Grist as another Docker container without the Authelia integration first, but making sure that I used the same email address as the account that I used for Authelia.
Setup a proxy host in NPM to point to the Grist server - example grist.mydomain.tld.
Test that the url works. Sign-out of Grist.

docker-compose.yml 
version: '3.3'
services:
  grist:
    ports:
      - '8484:8484'
    volumes:
      - ./persist:/persist
    image: gristlabs/grist
    container_name: grist
    restart: unless-stopped
    environment:
      - APP_DOC_URL=https://grist.mydomain.tld
      - APP_HOME_URL=https://grist.mydomain.tld
      - GRIST_SINGLE_ORG=orgname
      - GRIST_ORG_IN_PATH=true

Integrating Authelia on NPM

I followed the Authelia guide to set it up on nginx with a slight modifications.

So I created these 3 files as described on the guide. These are saved on the data folder mounted on the NPM container. So within the container, they can be found on /data/authelia/.

authelia.conf - with modifications 
set $upstream_authelia http://authelia:9091/api/verify;

# Virtual endpoint created by nginx to forward auth requests.

# MOD: next line is commented out for NPM purposes
# location /authelia {   
    internal;
    proxy_pass_request_body off;
    proxy_pass $upstream_authelia;
    proxy_set_header Content-Length "";

    # Timeout if the real server is dead
    proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;

    # [REQUIRED] Needed by Authelia to check authorizations of the resource.
    # Provide either X-Original-URL and X-Forwarded-Proto or
    # X-Forwarded-Proto, X-Forwarded-Host and X-Forwarded-Uri or both.
    # Those headers will be used by Authelia to deduce the target url of the user.
    # Basic Proxy Config
    client_body_buffer_size 128k;
    proxy_set_header Host $host;
    proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-Method $request_method;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-Host $http_host;
    proxy_set_header X-Forwarded-Uri $request_uri;
    proxy_set_header X-Forwarded-For $remote_addr;
    proxy_set_header X-Forwarded-Ssl on;
    proxy_redirect  http://  $scheme://;
    proxy_http_version 1.1;
    proxy_set_header Connection "";
    proxy_cache_bypass $cookie_session;
    proxy_no_cache $cookie_session;
    proxy_buffers 4 32k;

    # Advanced Proxy Config
    send_timeout 5m;
    proxy_read_timeout 240;
    proxy_send_timeout 240;
    proxy_connect_timeout 240;

# MOD: next line is commented out for NPM purposes
#}
auth.conf 
# Basic Authelia Config
# Send a subsequent request to Authelia to verify if the user is authenticated
# and has the right permissions to access the resource.
auth_request /authelia;
# Set the `target_url` variable based on the request. It will be used to build the portal
# URL with the correct redirection parameter.
auth_request_set $target_url $scheme://$http_host$request_uri;
# Set the X-Forwarded-User and X-Forwarded-Groups with the headers
# returned by Authelia for the backends which can consume them.
# This is not safe, as the backend must make sure that they come from the
# proxy. In the future, it's gonna be safe to just use OAuth.
auth_request_set $user $upstream_http_remote_user;
auth_request_set $groups $upstream_http_remote_groups;
auth_request_set $name $upstream_http_remote_name;
auth_request_set $email $upstream_http_remote_email;
proxy_set_header Remote-User $user;
proxy_set_header Remote-Groups $groups;
proxy_set_header Remote-Name $name;
proxy_set_header Remote-Email $email;
# If Authelia returns 401, then nginx redirects the user to the login portal.
# If it returns 200, then the request pass through to the backend.
# For other type of errors, nginx will handle them as usual.
error_page 401 =302 https://auth.mydomain.tld/?rd=$target_url;
proxy.conf 
client_body_buffer_size 128k;

#Timeout if the real server is dead
proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;

# Advanced Proxy Config
send_timeout 5m;
proxy_read_timeout 360;
proxy_send_timeout 360;
proxy_connect_timeout 360;

# Basic Proxy Config
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $http_host;
proxy_set_header X-Forwarded-Uri $request_uri;
proxy_set_header X-Forwarded-Ssl on;
proxy_redirect  http://  $scheme://;
proxy_http_version 1.1;
proxy_set_header Connection "";
proxy_cache_bypass $cookie_session;
proxy_no_cache $cookie_session;
proxy_buffers 64 256k;

# If behind reverse proxy, forwards the correct IP
set_real_ip_from 10.0.0.0/8;
set_real_ip_from 172.16.0.0/12;
set_real_ip_from 192.168.0.0/16;
set_real_ip_from fc00::/7;
real_ip_header X-Forwarded-For;
real_ip_recursive on;

Now, within NPM, modify the proxy host that you initially setup for Grist and add this on the Advanced tab.

edit: fixed for the logout issue

Advanced tab 
# this line solved the logout issue!
rewrite ^/signed-out$ https://auth.mydomain.tld/logout?rd=https://grist.mydomain.tld redirect;

location /authelia {
  include /data/authelia/authelia.conf;
}
location / {

   # pass
  set $upstream_grist http://ip.address.of.grist:8484;
  proxy_pass $upstream_grist;

  # websockets support
  proxy_set_header Upgrade $http_upgrade;
  proxy_set_header Connection "upgrade";

  # authelia
  include /data/authelia/auth.conf; 
  include /data/authelia/proxy.conf;
}

Now, browse to your Grist url - grist.mydomain.tld and it should redirect to Authelia. Grist will still prompt you to sign-in with your Grist account.

Integrate Authelia users Grist users
According to the Grist Readme, there is this option.

GRIST_PROXY_AUTH_HEADER
header which will be set by a (reverse) proxy webserver with an authorized users’ email. This can be used as an alternative to a SAML service.

Authelia uses Remote-Email as the header for the email (see auth.conf file).

So I added the variable to my docker-compose.yml file and re-created the container.

    environment:
      - GRIST_PROXY_AUTH_HEADER=Remote-Email
      - APP_DOC_URL=https://grist.mydomain.tld
      ...

Once it started up, it recognized the Authelia user and logged in immediately.

There you go. It’s far from a brief description but I hope it helps.

#4

Thanks for the details on your setup @Ray, very helpful! The GRIST_PROXY_AUTH_HEADER setting was contributed in Reverse proxy auth support by MHOOO · Pull Request #165 · gristlabs/grist-core · GitHub by Thomas Karolski and doesn’t cover signout (discussion here). I think support could be added by changing this function in MinimalLogin.ts:

to be more like the corresponding function in ForwardAuthLogin.ts:

I’d have expected that a ForwardAuthLogin setup like described in A template for self-hosting Grist with traefik and docker compose could have worked for you - but I see a note in its implementation that Redirection logic currently assumes a single-site installation and you have an o/orgname in your signed-out url that looks like you have a multi-site installation (GRIST_SINGLE_ORG not set). If that is the case, and you were willing to set GRIST_SINGLE_ORG, then you could perhaps use GRIST_FORWARD_AUTH_HEADER and GRIST_FORWARD_AUTH_LOGOUT_PATH to get this working without code changes.

1 Like
#5

Thanks for the tip @paul-grist . I actually only have a single site. No use-case for multi-site install at the moment. And so I have now set GRIST_ORG_IN_PATH=false and tried setting GRIST_FORWARD_AUTH_HEADER and GRIST_FORWARD_AUTH_LOGOUT_PATH.

While it did recognize the logout path, it’s not the way that I would’ve wanted. The whole logout URL - https://auth.mydomain.tld?rd=https://grist.mydomain.tld got appended to the Grist domain.

… described in A template for self-hosting Grist with traefik and docker compose could have worked for you

I saw this earlier but I figured it doesn’t seem to apply to my case. But looking into it again, it did gave me an idea to simply add a rewrite rule on the /signed-out path.

rewrite ^/signed-out$ https://auth.mydomain.tld/logout?rd=https://grist.mydomain.tld redirect;

And it worked! Quite happy how it turned out now.

1 Like