This project is a script that, when run, patches the code of Foundry VTT so that it uses the headers provided by an authentication proxy to authenticate users. This completely replaces password-based authentication, so make sure that all users have the right headers set! Use this at your own risk.
Based on the headers provided by the authentication proxy (see configuration) the user's username & roles are determined, and then the authentication proceeds as follows:
- If the admin role is present the user is treated as an admin. They will be able to go to the setup, and they can log in as any player. The player matching their username is preselected (if present), but they are not automatically logged in as that player.
- If the player role is present the user is treated as a player. The player matching their username (if present) will be selected and automatically logged in. If no such player exists they will be unable to log in.
- If neither role is present the user will be presented with the login screen, but they will not be able to log in since password-based authentication is disabled.
Logging in with admin access & joining the game:
admin-join.mp4
Logging in with admin access & going to the setup:
admin-setup.mp4
Logging in with player access & automatically joining the game:
player-join.mp4
Logging in with player access without a matching player in the game:
player-missing.mp4
This is intended to be used via the `CONTAINER_PATCHES` or `CONTAINER_PATCH_URLS` environment variables of felddy's foundryvtt-docker image, but it can probably also be used outside of that with a bit of extra work.
You must already have an authentication proxy set up that provides headers containing the username & roles to the application (see the configuration section). This is not included in the example.
Example setup:
```yaml
---
services:
  foundry:
    image: felddy/foundryvtt:13
    hostname: my_foundry_host
    volumes:
      - type: bind
        source: <your_data_dir>
        target: /data
    environment:
      - FOUNDRY_PASSWORD=<your_password>
      - FOUNDRY_USERNAME=<your_username>
      - CONTAINER_PATCH_URLS=<get_url_from_releases>
    ports:
      - target: 30000
        published: 30000
        protocol: tcp
```

This script uses the following environment variables to determine what headers & roles to use. The default headers match those used by OAuth2 Proxy with the `--set-xauthrequest` option enabled.
| Name | Purpose | Default |
|---|---|---|
| `HEADER_USERNAME` | The header to look at for the username. Usernames are matched (ignoring case) with the names of the players in the game. | `x-auth-request-preferred-username` |
| `HEADER_ROLES` | The header to look at for the roles. | `x-auth-request-groups` |
| `HEADER_ROLES_SEPARATOR` | The symbol that is used to separate the roles in the header. | `,` |
| `ROLE_PLAYER` | The role that marks someone as a player. | `role:foundry-vtt:player` |
| `ROLE_ADMIN` | The role that marks someone as an admin. | `role:foundry-vtt:admin` |
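
The authentication decision from the list near the top, driven by the variables in the table above, as an added example (not the project's patch code). `resolveAccess` and its return shape are hypothetical; it assumes roles are compared exactly after trimming whitespace and that the admin role wins when both roles are present.

```javascript
// Added example: hypothetical helper, not the project's patch code.
// Defaults are the ones listed in the configuration table.
const DEFAULTS = {
  HEADER_USERNAME: "x-auth-request-preferred-username",
  HEADER_ROLES: "x-auth-request-groups",
  HEADER_ROLES_SEPARATOR: ",",
  ROLE_PLAYER: "role:foundry-vtt:player",
  ROLE_ADMIN: "role:foundry-vtt:admin",
};

// headers: lower-cased header map, as Node.js exposes it in req.headers.
// players: names of the players in the game.
// env: overrides for DEFAULTS (for example a copy of process.env).
function resolveAccess(headers, players, env = {}) {
  const cfg = { ...DEFAULTS };
  for (const key of Object.keys(DEFAULTS)) {
    if (env[key]) cfg[key] = env[key];
  }
  const header = (name) => {
    const value = headers[name.toLowerCase()];
    return typeof value === "string" ? value : "";
  };
  const username = header(cfg.HEADER_USERNAME).trim();
  // Assumption: whitespace around each role is ignored, empty entries dropped.
  const roles = header(cfg.HEADER_ROLES)
    .split(cfg.HEADER_ROLES_SEPARATOR)
    .map((role) => role.trim())
    .filter(Boolean);
  // Usernames are matched against player names ignoring case.
  const wanted = username.toLowerCase();
  const player = wanted
    ? players.find((name) => name.toLowerCase() === wanted) ?? null
    : null;

  if (roles.includes(cfg.ROLE_ADMIN)) {
    // Admin: setup allowed, any player selectable, the match is only preselected.
    return { access: "admin", setup: true, player, autoLogin: false };
  }
  if (roles.includes(cfg.ROLE_PLAYER)) {
    // Player: logged in automatically as the matching player, otherwise no login.
    return { access: "player", setup: false, player, autoLogin: player !== null };
  }
  // Neither role: the login screen is shown, but no login is possible.
  return { access: "none", setup: false, player: null, autoLogin: false };
}
```

The result is only as trustworthy as the headers it reads: the sketch assumes the proxy is the only route to the application and that it overwrites any client-supplied copies of these headers.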
Check the wiki for more detailed (community-contributed) setup instructions.