Using Kopia behind Authentik forward auth

Has anyone managed to set this up? It works fine over reverse proxy in traefik. But when adding a forward auth through Authentik, I cannot log in. Authentik is forwarding me to Kopia UI just fine, but Kopia appears to not accept my credentials.

Yes, this is my configuration

Kopia’s compose.yaml (excerpt):

...
networks:
  - public
labels:
  traefik.enable: true
  traefik.http.services.kopia-svc.loadbalancer.server.port: 51515
  traefik.http.routers.kopia.entrypoints: websecure
  traefik.http.routers.kopia.rule: Host(`kopia.example.com`)
  traefik.http.routers.kopia.middlewares: authentik@file

traefik’s traefik.yaml (excerpt):

...
entryPoints:
  web:
    address: :80
    # -- (Optional) Redirect all HTTP to HTTPS
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https
  websecure:
    address: :443
    http:
      tls:
        certResolver: production
        domains:
          - main: example.com
            sans:
              - '*.example.com'

certificatesResolvers:
  production:
    ...

...
providers:
  docker:
    exposedByDefault: false
    endpoint: unix:///var/run/docker.sock # or better use Docker Socket Proxy (https://github.com/Tecnativa/docker-socket-proxy)
    network: public
  file:
    directory: /etc/traefik/conf
    watch: true

traefik’s /etc/traefik/conf/headers.yaml:

http:
  middlewares:
    authentik:
      forwardAuth:
        address: http://<authentik-container-name>:9000/outpost.goauthentik.io/auth/traefik
        trustForwardHeader: true
        authResponseHeaders:
          - X-authentik-username
          - X-authentik-groups
          - X-authentik-email
          - X-authentik-name
          - X-authentik-uid
          - X-authentik-jwt
          - X-authentik-meta-jwks
          - X-authentik-meta-outpost
          - X-authentik-meta-provider
          - X-authentik-meta-app
          - X-authentik-meta-version
          - authorization

In authentik:

  • Add Kopia’s Web UI username and password as a User or Group attribute, e.g.
    kopia_user: AzureDiamond
    kopia_password: hunter2
    
  • Create a Proxy Provider
    • Select Forward auth (single application)
    • Open “Authentication settings”
      • Put kopia_user (not the actual user name) into the HTTP-Basic Username Key field
      • Put kopia_password (not the actual password) into the HTTP-Basic Password Key field
  • Create an Application and select the newly created provider
  • Add the application to the embedded Outpost

Important: You need to delete existing cookies for kopia.example.com, otherwise it may not work.

Also see:
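An added example, not part of the original answer and not code from Traefik, authentik or Kopia: a simplified Python model of the header flow configured above, showing that Kopia only receives HTTP-Basic credentials when `authorization` is listed in authResponseHeaders. The function names, the `jdoe` login and the uid value are constructed for illustration.

```python
import base64

# Constructed sample data; attribute names and values mirror the answer above.
USER_ATTRIBUTES = {"kopia_user": "AzureDiamond", "kopia_password": "hunter2"}
AUTH_RESPONSE_HEADERS = ["X-authentik-username", "X-authentik-uid", "authorization"]


def outpost_response_headers(attrs, user_key, password_key):
    """Model of the outpost reply: identity headers plus an HTTP-Basic
    Authorization header built from the attributes named by the two keys."""
    token = base64.b64encode(f"{attrs[user_key]}:{attrs[password_key]}".encode()).decode()
    return {
        "X-authentik-username": "jdoe",  # constructed authentik login name
        "X-authentik-uid": "constructed-uid",
        "Authorization": f"Basic {token}",
    }


def forwarded_headers(auth_response, allow_list):
    """Model of Traefik forwardAuth: copy only the headers listed in
    authResponseHeaders onto the request sent to the backend."""
    allowed = {name.lower() for name in allow_list}  # header names are case-insensitive
    return {k: v for k, v in auth_response.items() if k.lower() in allowed}


def basic_credentials(headers):
    """Return (user, password) from a Basic Authorization header, or None."""
    for name, value in headers.items():
        if name.lower() != "authorization":
            continue
        scheme, _, token = value.partition(" ")
        if scheme.lower() != "basic":
            return None
        try:
            user, sep, password = base64.b64decode(token, validate=True).decode().partition(":")
        except ValueError:  # covers malformed base64 and non-UTF-8 payloads
            return None
        return (user, password) if sep else None
    return None


if __name__ == "__main__":
    reply = outpost_response_headers(USER_ATTRIBUTES, "kopia_user", "kopia_password")
    for label, allow in (("with authorization", AUTH_RESPONSE_HEADERS),
                         ("without authorization", AUTH_RESPONSE_HEADERS[:-1])):
        creds = basic_credentials(forwarded_headers(reply, allow))
        print(label, "->", "Kopia receives user " + creds[0] if creds else "no Basic credentials reach Kopia")
```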