SSO on domain level but applications per subdomain (forward-proxy)

[spali]

Hi
I got a domain level forward auth setup working with traefik and the embedded outpost.
And also had a example for single application working.

But I'm asking me if I missed something...
shouldn't it be at least technical possible to have a domain wide authentication (i.e. on auth.example.com) which authenticates the domain example.com (cookie for the domain and all subdomains), but allow to configure the access per application subdomain (myapp.example.com)?

Maybe this is already possible and I missed that or are there any limitations that prevents authentik from implement something like that or would this be possible with the authentik provided proxies?

As an explanation for my use-cases:
Have everything behind traefik.

• dumb application without any authentication at all or disabled authentication when not needed, for them I would love to just allow/disallow access per user in authentik.
• half dump application that have their own login, but can maybe be tricked by providing a token or basic auth header, that could be set in the proxy to "forward" (force login) the user to the application.
• applications that just want to do their auth by them self with at least the possibility to use authentik as provider. They are forced to login in the app itself (without authentik SSO).
• applications that are configurable to trust the proxy headers to do something with the authentication, they need just authentication and consume the provided user and groups.

Would love to have authentik as authentication for the whole domain including remember the user across applications and optionally generate auth headers for half dump applications.
But still the possibility to define the application access in authentik per user/group centrally.

[schnillerman]

This might help:

• Forward auth (domain level) throws error when cookie domain is subdomain #5364
• https://www.reddit.com/r/Authentik/comments/1460g3z/domain_level_forward_auth_problem/