Feature Request: Add support for authentication by reverse proxy

[max-tet]

When self-hosting multiple applications, you really want to have a single point for user management and authentication. It is annoying to login to each and every app seperately.

A pretty simple way to centralize authentication is achieved by deploying apps behind a reverse proxy, and use proxy auth. The proxy handles authentication in some way and sets http headers containing the username that was successfully logged-in. The apps read the headers and associate incoming requests to that user.

The perfect proxy auth feature for me would work like this:

1. Start shiori with additional environment variables:

• containing the name of the initial admin user (e.g. admin=admin_user)
• enabling proxy auth (e.g. proxy_auth=true)
• setting the key of the http header that contains the username (e.g. auth_header=X-Authenticated-User)

2. Configure the reverse proxy to authenticate incoming requests in any way you like.
3. Let the reverse proxy set X-Authenticated-User to the authenticated username on every request.
4. Shiori treats the requests as if they belong to the appropriate user session.
5. Bonus: if shiori does not know the username, it creates a new user with that name.

Other SSO methods like OIDC still require the user to login with each app, even it no credentials are required. It is still an additional step that is unneeded and hurting the user experience.

Additional context:
I am using Shiori for this product. Since this is a single-user platform, users really should see no login screen at all, not even for SSO.

[axelsimon]

Any progress or even intention on this? 🙂
Running shiori behind a reverse proxy currently fails. In my case, Caddy tries to follow a 301 redirect to /login?dst=%2F but ends up serving a blank page.