Struggling with basic auth without using labels

[lnlyssg]

I've just started on a migration from Authentik to Pocket-ID and Tinyauth, although it's mostly going OK I'm struggling with a few areas as the docs are very heavily focused on labels everywhere which is not how I currently do things. Specifically when it comes to basic auth what exactly would I need to do in order get a user, password or the equivalent of tinyauth.basic.password.file into the system for an app like NZBGet?

[steveiliop56]

Hello,

In order to use basic auth the protected app has to support it. Looking at the docs of NZBGet, I couldn't find any references to basic auth.

[mswillia]

So overall, I think the question is: Does TinyAuth support configuration using anything other than labels. I think the answer to that is no, and there is no intent to change this from my understanding.

See https://tinyauth.app/docs/about#future-plans

I am not planning to add any fancy dashboards or configuration files since I do not want to change the project's base idea.

[steveiliop56]

As @mswillia said ACLs are only supported with labels. There was an attempt to add configuration through proxy headers but it turned out to be insecure and an overall bad idea.

[lnlyssg]

I feared as much :( Personally this is a huge shame as, except for this particular issue, I've been very happy with everything else that Tinyauth does and I've managed to configure it all to fit my existing Caddy set-up without needing to use labels at all. Some of my basic auth services are not actually running in containers so this is a deal-breaker for me so it looks like I'll have to use caddy-security instead which doesn't look anywhere near as simple as Tinyauth!

I'd like to suggest one small change to the docs and that would be to highlight the "mandatory" use of labels (and indeed Docker) for anything more than a basic set-up on the Get Started page.

[steveiliop56]

If you are running Tinyauth in docker then with v4 you will be able to place the labels in the Tinyauth container itself to do ACLs for non containerized apps. Would that be beneficial in your use case?

[lnlyssg]

I suspect not as I don't think there would then be a way of getting the label contents into my current Caddyfile (I'm not willing to switch my set-up to caddy-docker-proxy). I think that's the end of my Tinyauth adventure, it's a great project, just a shame it's not for me :)

[lnlyssg]

In case anyone comes across this via Google: since I posted this Tinyauth has moved on a lot and I've been able to successfully set up basic auth using environment variables in my Docker compose and passing the headers to the service(s) using the following Caddyfile snippet and example:

(tinyauth) {
	forward_auth xxx.xxx.x.xx:3003 {
		uri /api/auth/caddy
		copy_headers Authorization Remote-Email Remote-Name Remote-User Remote-Groups
	}

	reverse_proxy {args[0]}
}

sonarr.mydomain.com {
	import tinyauth http://xxx.xxx.x.xxx:8989
}