Setting Up Authentication
Last updated
Last updated
💬 We offer to set up, integrate, and maintain ArchiveBox with your org's auth & hosting. If you need support, advanced development to capture difficult sites, audit logging, and more, we can provide it! We use this revenue (from corporate clients who can afford to pay) to support open source development and keep ArchiveBox free.
ArchiveBox supports several types of authentication for users logging in via the Admin Web UI or REST API.
Use these three options to set up your desired permissions for non-admin guest users:
: Default allows non-logged-in users to see Snapshot list
: Default allows non-logged-in users to see Snapshot content
: Default doesn't allow non-logged-in users to submit new URLs
[!NOTE] Open source ArchiveBox does not support setting up non-admin users & groups with custom permissions. We do offer this feature, audit logging, and more to .
You need a user account to access the Admin UI, you can run the commands below to create/edit a user from the CLI:
Set these ArchiveBox configuration values based on your reverse proxy setup and needs:
https://github.com/ArchiveBox/ArchiveBox/wiki/Configuration#reverse_proxy_user_header
https://github.com/ArchiveBox/ArchiveBox/wiki/Configuration#reverse_proxy_whitelist
https://github.com/ArchiveBox/ArchiveBox/wiki/Configuration#logout_redirect_url
https://github.com/ArchiveBox/ArchiveBox/pull/866
First, pip-install the ldap add-on to use this feature (not needed for Docker Archivebox).
Then set these configuration values to finish configuring LDAP:
https://github.com/ArchiveBox/ArchiveBox/wiki/Configuration#ldap
https://github.com/ArchiveBox/ArchiveBox/pull/1214
https://github.com/django-auth-ldap/django-auth-ldap#example-configuration
https://jumpcloud.com/blog/what-is-ldap-authentication
We'd welcome PRs to add support for these using
django-allauth!
The IdP server can act as a middleman gateway to authenticate users using an external SAML/OAuth/OpenID/etc. provider (e.g. Google, Microsoft, Github, Facebook, etc.), and then pass on the authenticated user's session info to ArchiveBox using LDAP or reverse proxy headers (as described above).
https://www.cloudflare.com/learning/access-management/what-is-saml/
https://docs.goauthentik.io/docs/providers/saml/
https://docs.goauthentik.io/docs/providers/oauth2/
https://www.authelia.com/configuration/identity-providers/introduction/#openid-connect-10
https://github.com/oauth2-proxy/oauth2-proxy
https://oauth2-proxy.github.io/oauth2-proxy/configuration/overview
The REST API (available starting in v0.8.0) supports several methods of authentication for convenience.
or by calling the http://127.0.0.1:8000/api/v1/auth/get_api_token endpoint with a username & password:
[!TIP] Bearer Tokens are the recommended method for the best balance of security and convenience.
Pass Authorization=Bearer YOURAPITOKENHERE as a request header.
This method is provided in case you have a reverse proxy in front of ArchiveBox that consumes the bearer header.
Pass X-ArchiveBox-API-Key=YOURAPITOKENHERE as a request header.
Pass api_key=YOURAPITOKENHERE as a GET/POST query parameter.
[!CAUTION] We recommend sticking to header-based authentication and not using this method unless you deeply understand the CSRF/CORS security risks. This method is mostly useful when accessing the API from external apps where CSRF/CORS is not a concern (e.g.
curl, mobile apps, other servers, etc.).
Log in via the Admin Web UI: /admin/login/, you can then re-use your login session id (stored in the sessionid cookie) for REST API requests. By default, this only allows you to make requests from the same domain ArchiveBox is being served on (e.g. from browser devtools open on an ArchiveBox page or CLI tools).
Pass your ArchiveBox admin username & password via HTTP Basic Authentication.
[!TIP] If using Docker, you can set to auto-create an admin account on first run.
Existing users can be managed from the Admin UI here: , and you can change your password in the UI here: .
Can be used with a reverse proxy auth provider like , , , and others.
Can be used with an SSO provider like , , , , and others.
These methods are not natively supported by ArchiveBox at the moment. However it is still possible to use them with ArchiveBox by running your own server to act as a bridge (e.g. , , ).
To see API docs, try endpoints interactively, and see how auth works, visit this URL on your ArchiveBox server:
To get started using the REST API, you can generate an API key for your user in the Admin Web UI:
[!WARNING] This method is sometimes known as because anyone in possession of the URL can perform API actions. It comes with and is not recommended unless you fully understand the risks.
Browsers enforce that requests made to the ArchiveBox API from other origins will not include any session cookies by default. This is is a that protects you from API requests being initiated by JS on websites you don't control (aka CSRF/CORS attacks).
To allow incoming POST/PUT/DELETE requests from other domains that you trust, you must add them to in the archivebox/core/settings.py source code on your machine ( and explain your use-case for help).
[!CAUTION] This method is fairly uncommon and is only useful in a few niche situations where the other methods are not available. We will likely remove this method in a future ArchiveBox release if nobody uses it. If you rely on this method and want us to keep it, please and explain your use-case!
The ArchiveBox API auth implementation: +
The (which powers our API)
The for the interactive API Docs UI