Configure linkding to Log In With Cloudflare Access
I use linkding as my self-hosted bookmark manager. It’s easy to set up and maintain as a Docker image and can send any bookmark to archive.org, but it also provides a version with a Chromium browser running to create locally hosted archives of any bookmark. Too many sites nowadays change frequently and either delete content or change addresses without proper redirects in place, and search engines are becoming worse and worse over time. So I’m happy about that feature, especially since the data is also available locally. You can also use it as a read-it-later service and mark bookmarks as unread.
Cloudflare Access
Anyway, what I wanted to quickly note down is how to automatically log in to linkding with the credentials Cloudflare Access is using, if that’s set up in front of a linkding instance. I’m using Cloudflare Access with Okta and can leverage the headers Cloudflare sends to linkding to be logged in automatically.
linkding Configuration
The important bit is the environment variable LD_ENABLE_AUTH_PROXY (link to the docs)
I’m running linkding in Kubernetes, so here’s how it looks in my YAML file, but the environment variables and values are the things to copy into a Docker Compose file or any other installation method:
containers:
  - image: sissbruecker/linkding:latest-plus
    imagePullPolicy: ""
    name: linkding
    env:
      - name: LD_ENABLE_AUTH_PROXY
        value: "True"
      - name: LD_AUTH_PROXY_USERNAME_HEADER
        value: "HTTP_CF_ACCESS_AUTHENTICATED_USER_EMAIL"
      - name: LD_AUTH_PROXY_LOGOUT_URL
        value: "https://<your-team-name>.cloudflareaccess.com/cdn-cgi/access/logout"
I struggled a bit with the HTTP_CF_ACCESS_AUTHENTICATED_USER_EMAIL part, since I didn’t really read the docs carefully enough. That's also why I'm writing this down here, perhaps just for future me to find it again.
Cloudflare sends the header cf-access-authenticated-user-email with the username from the identity provider to the origin server, and linkding needs to have it configured in all uppercase, with dashes replaced by underscores, and prefixed with HTTP_.
That’s it! Now if you open up your linkding instance you’ll automatically be logged in as the user from your IdP.
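The header-name rule described above (uppercase, dashes to underscores, HTTP_ prefix) is the CGI/WSGI convention that Django exposes as request.META keys. The following is an added example, not code from this post or from linkding, that derives the setting value from the header Cloudflare sends and checks a candidate value for the usual mistakes. The function names meta_key and check_setting are hypothetical helpers made up for this example.

```python
import re

# CGI/WSGI convention (as in Django's request.META): these two get no HTTP_ prefix.
UNPREFIXED = {"CONTENT_TYPE", "CONTENT_LENGTH"}
# Letters, digits and dashes only. Underscores are rejected on purpose because
# "a_b" and "a-b" would map to the same key after conversion.
PLAIN_NAME = re.compile(r"^[A-Za-z0-9-]+$")

def meta_key(header_name):
    """Return the environ/META key for an HTTP header name."""
    if not PLAIN_NAME.match(header_name):
        raise ValueError(f"not a plain header name: {header_name!r}")
    key = header_name.upper().replace("-", "_")
    return key if key in UNPREFIXED else "HTTP_" + key

def check_setting(value, header_name):
    """List the problems with a candidate LD_AUTH_PROXY_USERNAME_HEADER value."""
    problems = []
    if value != value.upper():
        problems.append("must be all uppercase")
    if "-" in value:
        problems.append("dashes must be replaced by underscores")
    if not value.upper().startswith("HTTP_"):
        problems.append("missing HTTP_ prefix")
    expected = meta_key(header_name)
    if not problems and value != expected:
        problems.append(f"does not match {header_name}; expected {expected}")
    return problems

# Header named in the post, as Cloudflare Access sends it to the origin.
CF_HEADER = "cf-access-authenticated-user-email"

if __name__ == "__main__":
    print("value to configure:", meta_key(CF_HEADER))
    # Constructed candidates: the raw header, a missing prefix, the correct value.
    for candidate in (CF_HEADER,
                      "CF_ACCESS_AUTHENTICATED_USER_EMAIL",
                      "HTTP_CF_ACCESS_AUTHENTICATED_USER_EMAIL"):
        print(candidate, "->", check_setting(candidate, CF_HEADER) or "ok")
```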