how do I use the built in reverse proxy provider and make an application open to the public?

[amlucent]

Attempting to migrate from Authelia + NPM to Authentik built in reverse proxy to reduce complexity... I think I can do this via the Authorization Policy Bindings but I cant seem to figure out how? Currently no policy or user/group is required but you must still put in a userid/pass into authentik.

Authorization
Application access can be configured using (Policy) Bindings. Click on an application in the applications list, and select the Policy / Group / User Bindings tab. There you can bind users/groups/policies to grant them access. When nothing is bound, everyone has access. You can use this to grant access to one or multiple users/groups, or dynamically give access using policies.

By default, all users can access applications when no policies are bound.

When multiple policies/groups/users are attached, you can configure the Policy engine mode to either

Require users to pass all bindings/be member of all groups (ALL), or
Require users to pass either binding/be member of either group (ANY)

Related question, I use Vaultwarden with its own internal list of users and auth. I want to allow any traffic to that application https://vaultwarden.example/#/ but I would like to restrict the administration portal https://vaultwarden.example/admin/ via a policy binding.

[amlucent]

The best way I have found to do this is to edit the provider and make a blanket regex in the "unauthenticated paths" section for all paths like "^/.*"

If anyone has a better or more elegant way to recommend I would appreciate it.

[sevmonster]

What you want is possible but not optimal as authentik really is best utilized behind a reverse proxy of some sort. But you are on the right track with regex, you could use negative lookahead ^/(?!admin/).* to not match the /admin/ route as you mentioned.

[amlucent]

added ^/(?!admin/).* instead of "/.* to the vaultwarden provider as you suggested. No joy, this seems to make authentik prompt unauthenticated users for login for both /admin and /. confirmed the same behavior on 2023.5.3

[lazy-media]

Try this.

TO BE CLEAR: I am using Vaultwarden in a docker container using the vaultwarden/server image. I am also using Authentik to handle all traffic with no middle man like NPM or Traefik. These results may vary depending on your setup but this is what I have found to work for me. This enabled the whole user interface for me but blocked the admin section by Authentik.

^/$
^/#/.*
^/#/login
^/#/2fa
^/api/.*
^/images/.*
^/identity/.*
^/app/.*
^/*.js
^/locales/.*

[sevmonster]

added ^/(?!admin/).* instead of "/.* to the vaultwarden provider as you suggested. No joy, this seems to make authentik prompt unauthenticated users for login for both /admin and /.

Are you sure you are visiting /admin? Because the regex is for /admin/. If that's the case remove the last slash and try again. Or try ^/(?!admin(?:/|$)).*.

I am using Nginx and don't have a setup that would work with Authentik reverse proxying (I really don't see the justification to use it at all when dedicated reverse proxies are a much better idea, c.f. this instance) so I can't test anything.

Try this.

^/#/.*
^/#/login
^/#/2fa

These probably will not do anything because URI fragments are not sent to the server.

^/*.js

You probably want ^/.*\.js here.