The proxy outpost sets the following user-specific headers:
The username of the currently logged in user
The groups the user is member of, separated by a pipe
The email address of the currently logged in user
authentik Default Admin
Full name of the current user
The hashed identifier of the currently logged in user.
Additionally, you can set
additionalHeaders on groups or users to set additional headers.
If you enable Set HTTP-Basic Authentication option, the HTTP Authorization header is being set.
Besides these user-specific headers, some application specific headers are also set:
authentik Embedded Outpost
The authentik outpost's name.
The authentik provider's name.
The authentik application's slug.
The authentik outpost's version.
Only in proxy mode
The original Host header sent by the client. This is set as the
Hostheader is set to the host of the configured backend.
The outpost listens on both 9000 for HTTP and 9443 for HTTPS.
If your upstream host is HTTPS, and you're not using forward auth, you need to access the outpost over HTTPS too.
Login is done automatically when you visit the domain without a valid cookie.
When using single-application mode, navigate to
When using domain-level mode, navigate to
auth.domain.tld/outpost.goauthentik.io/sign_out, where auth.domain.tld is the external host configured for the provider.
To log out, navigate to
Allowing unauthenticated requests
To allow un-authenticated requests to certain paths/URLs, you can use the Unauthenticated URLs / Unauthenticated Paths field.
Each new line is interpreted as a regular expression, and is compiled and checked using the standard Golang regex parser.
The behaviour of this field changes depending on which mode you're in.
Proxy and Forward auth (single application)
In this mode, the regular expressions are matched against the Request's Path.
Forward auth (domain level)
In this mode, the regular expressions are matched against the Request's full URL.
Dynamic backend selection
You can configure the backend the proxy should access dynamically via Scope mappings. To do so, create a new Scope mapping, with a name and scope of your choice. As expression, use this:
Afterwards, edit the Proxy provider and add this new mapping. The expression is only evaluated when the user logs into the application.