It seems that it is no longer possible to deactivate the password on the GUI in the latest versions of Duplicati. This deactivation allowed me to configure a reverse proxy upstream of Duplicati, which took care of authentication by relying on my identity providers, and this allowed me to use my SSO (and therefore not have to enter a password :p). Are there any plans to re-implement this functionality? (I had to roll back to the previous version, so I’m still using version 2.0.8 for now.)
Hi @Jga, welcome to the forum.
No, there are no plans to disable the need for an API password for two reasons:
- It is a major “foot-gun” for default setups
- Supporting two different authentication modes makes it more likely there are mistakes
I think this is a valid use case where you control the flow and essentially provide the authentication mechanism.
Not sure how to best support it though, ideas are appreciated.
One way would be to add support for generating an “eternity token”. The reverse proxy can then inject the bearer token on all requests so they are always authenticated.
Would that work for your setup?
Hello,
Thank you for your feedback and your work on Duplicati.
Indeed, configuration problems can occur for users with little knowledge on the subject.
The default configuration could impose a password; the idea is rather to be able to disable it in the advanced settings.
The other solution I see is to implement OIDC management directly in the application. It’s clearly not the same job.
The solution of injecting an HTTP header containing a token that would act as a service account would also work for me.
Super, I have created an issue for supporting forever tokens.
Hello,
I see the release notes of v2.1.0.3_beta_2025-01-22 and the issue-forever-token has been released, thanks for that. I tried to deploy this release but I don’t see the option in the advanced options settings or the documentation. If you have the opportunity to provide me with information on how to set this up on the Duplicati side, I’d love to hear from you.
Hi @Jga, yes it is included, but it requires three steps to get working:
- Stop Duplicati and start the `duplicati-server` with `--webservice-enable-forever-token=true`
- Run `server-util issue-forever-token`
- Stop Duplicati and start without `--webservice-enable-forever-token`
The first step enables the option to generate one “forever token” per server start.
The second step connects to the server and issues the token.
The third step ensures that you do not leave the option open to generate more tokens in the future.
Once you obtain the token, you need to pass it to each request with the header:
Authorization: Bearer <token>
I have updated the documentation for ServerUtil to mention the forever tokens.
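The proxy side of the setup described above, as an added example that is not Duplicati’s code nor any poster’s: a minimal Python reverse proxy that forwards requests to Duplicati and injects the `Authorization: Bearer <token>` header on every request. It assumes the token has already been issued with the three-step procedure above. The upstream address, the SSO identity header name (`X-Authenticated-User`), the environment variable holding the token, and the listening port are all assumptions for illustration, not anything the thread or Duplicati defines.

```python
"""Tiny reverse proxy in front of Duplicati that injects the forever token.

Added example for this thread, not code from Duplicati or from any poster.
It assumes the token was already issued with the three-step procedure
(start with --webservice-enable-forever-token=true, run
`duplicati-server-util issue-forever-token`, restart without the flag) and
that an SSO layer in front of this proxy marks authenticated requests with
a header (X-Authenticated-User here; the header name is an assumption).
"""
import os
import sys
import urllib.error
import urllib.request
from http import HTTPStatus
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

UPSTREAM = "http://127.0.0.1:8200"      # assumed Duplicati server address
SSO_HEADER = "X-Authenticated-User"     # assumed header set by the SSO layer
TOKEN_ENV = "DUPLICATI_FOREVER_TOKEN"   # assumed env var holding the token

# Headers that must not be copied verbatim between client and upstream.
HOP_BY_HOP = {
    "connection", "keep-alive", "proxy-authenticate", "proxy-authorization",
    "te", "trailers", "transfer-encoding", "upgrade", "host", "content-length",
}


def build_upstream_headers(incoming, token, sso_header=SSO_HEADER):
    """Return the headers to send to Duplicati, or None if the request was
    not authenticated by the SSO layer.

    Two properties matter here:
    - the bearer token is injected only when the SSO header is present, so
      the proxy never hands out API access to an unauthenticated caller;
    - any client-supplied Authorization header is discarded before the
      token is set, so a caller cannot smuggle its own credential through.
    Header names are compared case-insensitively, as HTTP requires.
    """
    lowered = {name.lower(): value for name, value in incoming.items()}
    if not lowered.get(sso_header.lower()):
        return None
    forwarded = {}
    for name, value in incoming.items():
        lname = name.lower()
        if lname in HOP_BY_HOP or lname == "authorization":
            continue
        forwarded[name] = value
    forwarded["Authorization"] = f"Bearer {token}"
    return forwarded


class ForeverTokenProxy(BaseHTTPRequestHandler):
    token = None  # set from the environment before serving

    def _proxy(self):
        headers = build_upstream_headers(dict(self.headers.items()), self.token)
        if headers is None:
            self.send_error(HTTPStatus.UNAUTHORIZED, "not authenticated by SSO")
            return
        length = int(self.headers.get("Content-Length") or 0)
        body = self.rfile.read(length) if length else None
        req = urllib.request.Request(
            UPSTREAM + self.path, data=body, headers=headers, method=self.command)
        try:
            resp = urllib.request.urlopen(req)
        except urllib.error.HTTPError as err:
            resp = err  # an HTTPError carries the upstream status and body
        except urllib.error.URLError:
            self.send_error(HTTPStatus.BAD_GATEWAY, "Duplicati not reachable")
            return
        payload = resp.read()
        self.send_response(resp.code)
        for name, value in resp.headers.items():
            if name.lower() not in HOP_BY_HOP:
                self.send_header(name, value)
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)

    do_GET = do_POST = do_PUT = do_DELETE = do_PATCH = _proxy


if __name__ == "__main__":
    ForeverTokenProxy.token = os.environ.get(TOKEN_ENV)
    if not ForeverTokenProxy.token:
        sys.exit(f"set {TOKEN_ENV} to the token issued by duplicati-server-util")
    ThreadingHTTPServer(("127.0.0.1", 8080), ForeverTokenProxy).serve_forever()
```

Two things to check when deploying something like this: the proxy host becomes the trust boundary for the whole Duplicati API, so Duplicati should only be reachable through it, and the Authorization header is overwritten rather than merely added so a client cannot present its own bearer value. Client cookies are left in place on purpose, since the later replies in this thread note that the UI login flow does not yet recognise the forever token and still relies on its own session cookie.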
Thank you very much for all your work.
I use docker to instantiate this service and I confess I have never used server-util.
Going through the documentation in my case, I understand that I have to add the environment variable at container startup.
- DUPLICATI__WEBSERVICE_ENABLE_FOREVER_TOKEN=true
I don’t understand how I can access server-utils though. Browsing directly in the container tree with docker exec, the command is not present, and the environment variable - CLI_ARGS= does not seem to work either.
Could you also tell me how to display this token so that I can add it to my reverse proxy configuration?
Thank you for your help and sorry for asking such questions.
The binary is in /opt/duplicati/duplicati-server-util. You should be able to execute it with docker exec.
The `CLI_ARGS` is a linuxserver thing, and you can use it to set `--webservice-enable-forever-token=true`, but environment variables work as well.
If I understand the question, this will reveal itself once the `duplicati-server-util` has executed.
No problem, the forum is here to ask and answer questions.
Hello,
Thank you again for all your feedback and your kindness.
It works now. I had looked rather classically in /opt, but there was nothing; in fact the image I use is, as you guessed, the linuxserver image, and the server-util binary is located in /app.
Thanks to your indications I was able to move on.
Just to understand the instantiation of the functionality. After setting it up and checking that I was sending the right HTTP headers to Duplicati (via the mendhak/http-https-echo docker image), I have the impression that despite sending the perpetual token I still need to type the password once (but after typing it once I never need to type it again). Is this the case or is it a problem on my end? Once the token is perpetual, is it possible to disable the password completely?
It sounds like the forever-token is not working. The process you describe is the “regular” way, where it stores a cookie with a long-term token. When you access the page, this is activated and logs you in without a password (similar to how Google or Facebook works).
The forever-token does not yet work correctly with the UI. We are working on getting an updated login flow that can also detect pre-authenticated logins.