providers/proxy: set outpost session cookie to httponly and secure wh…

[BeryJu]

…en possible

Details

security improvement, possible issues when a provider has an external URL configured with HTTPS but is being accessed via HTTP, but that's not supported anyways

---

Checklist

• Local tests pass (ak test authentik/)
• The code has been formatted (make lint-fix)

If an API change has been made

• The API schema has been updated (make gen-build)

If changes to the frontend have been made

• The code has been formatted (make web)
• The translation files have been updated (make i18n-extract)

If applicable

• The documentation has been updated
• The documentation has been formatted (make website)

[netlify]

✅ Deploy Preview for authentik-storybook canceled.

Name	Link
🔨 Latest commit	6e5e7cf
🔍 Latest deploy log	https://app.netlify.com/sites/authentik-storybook/deploys/64cea52682d10d00080260de

[rissson]

Maybe set samesite as well?

[BeryJu]

Maybe set samesite as well?

I just talked about that on discord too, SameSite could on theory break some SSO stuff, which is why the main server also sets it to Lax (allthough I think those issues only occurred with SAML)

[codecov]

Codecov Report

Patch coverage has no change and project coverage change: -0.02% ⚠️

Comparison is base (50b2124) 92.48% compared to head (6e5e7cf) 92.45%.

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #6482      +/-   ##
==========================================
- Coverage   92.48%   92.45%   -0.02%     
==========================================
  Files         561      561              
  Lines       27080    27080              
==========================================
- Hits        25041    25035       -6     
- Misses       2039     2045       +6     

Flag	Coverage Δ
e2e	51.60% <ø> (-0.02%)	⬇️
integration	26.56% <ø> (ø)
unit	89.27% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

see 2 files with indirect coverage changes

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[github-actions]

authentik PR Installation instructions

Instructions for docker-compose

Add the following block to your .env file:

AUTHENTIK_IMAGE=ghcr.io/goauthentik/dev-server
AUTHENTIK_TAG=gh-providers-proxy-http-only-1691264971-6e5e7cf
AUTHENTIK_OUTPOSTS__CONTAINER_IMAGE_BASE=ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s

For arm64, use these values:

AUTHENTIK_IMAGE=ghcr.io/goauthentik/dev-server
AUTHENTIK_TAG=gh-providers-proxy-http-only-1691264971-6e5e7cf-arm64
AUTHENTIK_OUTPOSTS__CONTAINER_IMAGE_BASE=ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s

Afterwards, run the upgrade commands from the latest release notes.

Instructions for Kubernetes

Add the following block to your values.yml file:

authentik:
    outposts:
        container_image_base: ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s
image:
    repository: ghcr.io/goauthentik/dev-server
    tag: gh-providers-proxy-http-only-1691264971-6e5e7cf

For arm64, use these values:

authentik:
    outposts:
        container_image_base: ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s
image:
    repository: ghcr.io/goauthentik/dev-server
    tag: gh-providers-proxy-http-only-1691264971-6e5e7cf-arm64

Afterwards, run the upgrade commands from the latest release notes.