From 85b7b101a6a7d3dc209a4ab77b1cb4c3d31e5ff7 Mon Sep 17 00:00:00 2001
From: Josh Hawkins <32435876+hawkeye217@users.noreply.github.com>
Date: Mon, 5 May 2025 19:18:32 -0500
Subject: [PATCH] update reference config and auth docs

---
 docs/docs/configuration/authentication.md | 8 ++++++++
 docs/docs/configuration/reference.md | 5 ++++-
 2 files changed, 12 insertions(+), 1 deletion(-)

diff --git a/docs/docs/configuration/authentication.md b/docs/docs/configuration/authentication.md
index 129547d1b..6ddd062fd 100644
--- a/docs/docs/configuration/authentication.md
+++ b/docs/docs/configuration/authentication.md
@@ -109,6 +109,14 @@ proxy:
 
 Frigate supports both `admin` and `viewer` roles (see below). When using port `8971`, Frigate validates these headers and subsequent requests use the headers `remote-user` and `remote-role` for authorization.
 
+A default role can be provided. Any value in the mapped `role` header will override the default.
+
+```yaml
+proxy:
+ ...
+ default_role: viewer
+```
+
 #### Port Considerations
 
 **Authenticated Port (8971)**
diff --git a/docs/docs/configuration/reference.md b/docs/docs/configuration/reference.md
index f03c668cd..dbea03678 100644
--- a/docs/docs/configuration/reference.md
+++ b/docs/docs/configuration/reference.md
@@ -78,16 +78,19 @@ proxy:
 # Optional: Mapping for headers from upstream proxies. Only used if Frigate's auth
 # is disabled.
 # NOTE: Many authentication proxies pass a header downstream with the authenticated
- # user name. Not all values are supported. It must be a whitelisted header.
+ # user name and role. Not all values are supported. It must be a whitelisted header.
 # See the docs for more info.
 header_map:
 user: x-forwarded-user
+ role: x-forwarded-role
 # Optional: Url for logging out a user. This sets the location of the logout url in
 # the UI.
 logout_url: /api/logout
 # Optional: Auth secret that is checked against the X-Proxy-Secret header sent from
 # the proxy. If not set, all requests are trusted regardless of origin.
 auth_secret: None
+ # Optional: The default role to use for proxy auth. Must be "admin" or "viewer"
+ default_role: viewer
 
 # Optional: Authentication configuration
 auth: