APIDemoOfficial SiteDiscord
Search…
Introduction
Want to help?
💾
Installation
Prerequisites
Installing Organizr
📌Getting started
First Time Setup
Tab Management
🤖
Features
Authentication Backend
Server Authentication
Nginx Server Authentication
Caddy Server Authentication
Traefik Server Authentication
SSO
Homepage
API Socks
Backup & Restore
Custom Error Pages
Fail2Ban Integration
🧪
Tweaks
Tweaks
Hide custom text from specific groups
Optimizing PHP-FPM
🆘
Help
Tutorials
FAQ
🌍 Development
Plugin Development
Powered By GitBook
Server Authentication
Proxy Authentication via Server Auth

Summary

Server Authentication will allow you to secure any/all location blocks at your web server/proxy level, only allowing authenticated Organizr users or administrators access.
Note that this method will only provide an Authorization layer but will not actually pass any Authentication information / credentials to the underlying back-end services, since this would require some cooperation from these services to understand it. So these services will still be accessed as a guest / unauthenticated user, but this is often good enough for many services.
Certain providers block wildcard cookies from being set which prevents this from working with subdomains. The most common of these is DuckDNS. For a full list see the bottom of this page.

Methodology

Using the Organizr authorization API

To utilize the block add auth_request /organizr-auth/$; See table below:
$
Organizr group_id
0
Admin
1
Co-Admin
2
Super User
3
Power User
4
User
5-997
Custom Groups
998
Any logged in user
999
Guest
For this to work, a URL rewrite directive needs to be added so that the static /organizr-auth/$ locations can be understood by Organizr's authentication API, i.e. use the /api/v2/auth/$1 format.

Using OAuth / JWT tokens

The first method has the drawback of making calls to Organizr's authorization API for each and every HTTP request made against your protected location blocks, therefore impacting performance.
This method allows you to securely trust the Organizr authentication simply based on the JWT token passed in your authenticated requests cookies. It does not require any extra roundtrip to the Organizr API, nor the rewrite directives.
The flow is as follows:
  1. 1.
    An unauthenticated user accesses Organizr UI and logs in, using any of the supported login methods.
  2. 2.
    After successful login, the browser will keep an authentication cookie generated by Organizr using the standard JSON Web Token (JWT) format. This signed token includes a number of claims (such as user id, group memberships etc) that the user has. For more info on this standard, visit https://jwt.io/
  3. 3.
    This cookie is then passed to any subsequent visit to your Organizr domain and subdomains.
  4. 4.
    Capable web servers can easily read the JWT token from this cookie and validate it to trust the user's identity and make an allow/deny decision based on the claims mentioned in the token.

Organizr JWT token structure

You can easily check the contents of Organizr-generated JWT tokens by inspecting your browser cookies and pasting the contents of the cookie named organizr_token_<uuid> to a JWT inspector such as https://jwt.io/
Once decoded, an Organizr token includes a JWT payload similar to this:
1
{
2
"iss": "Organizr",
3
"aud": "Organizr",
4
"jti": "4f1g23a12aa",
5
"iat": 1555553579,
6
"exp": 1556158379,
7
"username": "myusername",
8
"group": "Admin",
9
"groupID": 0,
10
"email": "[email protected]",
11
"image": "https://www.gravatar.com/avatar/901d703edb7a7f21a92ae87f29484d01?s=100&d=mm",
12
"userID": 1
13
}
Copied!
It includes various claims such as your user name, group name, user id, group id, which can all be used by your JWT-aware web server to make an authorization decision.

Validating the token

Of course, your web server should not blindly trust the content of the JWT token since it cold have been forged. In order to trust the token content, your web server will need to validate its signature. This requires the server to know a secret specific to your Organizr instance.
Since Organizr uses HS256 signature algorithm, which is a symmetric algorithm, the same secret is used to both by Organizr to sign the token, and by your web server to validate it. It is therefore important that you keep this secret safe, otherwise it may be used to forge tokens and authenticate to your server!
This requires the following 2 pieces of information:
  • The name of the cookie to use to extract the token from. This value is dynamic, of the form organizr_token_<uuid> where <uuid> is your Organizr instance's $this->config['uuid'] value.
  • The secret to use to validate the token signature, which is your Organizr instance's $this->config['organizrHash'] value.
Both these values can be taken from your Organizr server's www/Dashboard/api/config/config.php after initial setup.
On Linux, you may use the following commands to parse them:
1
cat /config/www/Dashboard/api/config/config.php | grep organizrHash | sed -r 's/.*=>[^[:alnum:]]*([[:alnum:]]*).*/\1/'
2
cat /config/www/Dashboard/api/config/config.php | grep uuid | sed -r 's/.*=>[^[:alnum:]]*([[:alnum:]-]*).*/\1/'
Copied!

Providers that block wildcard cookies

1
ddns.net
2
ddnsking.com
3
3utilities.com
4
bounceme.net
5
duckdns.org
6
freedynamicdns.net
7
freedynamicdns.org
8
gotdns.ch
9
hopto.org
10
myddns.me
11
myds.me
12
myftp.biz
13
myftp.org
14
myvnc.com
15
noip.com
16
onthewifi.com
17
redirectme.net
18
serveblog.net
19
servecounterstrike.com
20
serveftp.com
21
servegame.com
22
servehalflife.com
23
servehttp.com
24
serveirc.com
25
serveminecraft.net
26
servemp3.com
27
servepics.com
28
servequake.com
29
sytes.net
30
viewdns.net
31
webhop.me
32
zapto.org
Copied!
Previous
LDAP Backend
Next
Nginx Server Authentication
Last modified 8mo ago
Export as PDF
Copy link
Contents
Summary
Methodology
Using the Organizr authorization API
Using OAuth / JWT tokens
Providers that block wildcard cookies