From bec2add16b1a6c6241d5ecce44afdf635d994d64 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sebastian=20Kr=C3=BCger?= <valknar@pivoine.art>
Date: Sat, 15 Nov 2025 20:29:46 +0100
Subject: [PATCH] fix: configure CookieSession strategy for forward-auth
 endpoint
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Added server.endpoints.authz.forward-auth configuration to explicitly
use CookieSession authentication strategy. This ensures browsers
receive HTTP 302 redirects instead of HTTP 401 responses when
accessing protected services while unauthenticated.

Without this configuration, the forward-auth endpoint was returning
401 with Location headers, which browsers don't automatically follow.
With CookieSession strategy, GET requests from browsers will now
receive 302 redirects that automatically redirect to the Authelia
login page.

Authentication strategy order:
1. CookieSession - for browser users (returns 302 redirects)
2. HeaderAuthorization - for API clients (returns 401 with headers)

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
---
 net/authelia/configuration.yml | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/net/authelia/configuration.yml b/net/authelia/configuration.yml
index 621617c..352f40f 100644
--- a/net/authelia/configuration.yml
+++ b/net/authelia/configuration.yml
@@ -9,6 +9,13 @@ server:
   address: "tcp://:9091"
   headers:
     csp_template: ""
+  endpoints:
+    authz:
+      forward-auth:
+        implementation: 'ForwardAuth'
+        authn_strategies:
+          - name: 'CookieSession'
+          - name: 'HeaderAuthorization'
 
 log:
   level: info