Disable S3 Pre-Signed URLs In Authentik: A Performance Boost

by Alex Johnson

Are you experiencing slow loading times in your Authentik instance when using S3 for media storage? Specifically, are you seeing delays when accessing the /applications endpoint? If so, you're not alone. Many users who leverage S3's capabilities with Authentik have encountered this issue, which often stems from the pre-signing of media URLs. This article delves into the problem, explores a potential solution, and provides a detailed guide on how to disable pre-signing icons with S3 in Authentik to significantly improve performance.

Understanding the Issue: Pre-signed URLs and Performance Bottlenecks

When Authentik is configured to use S3 as its media backend, it typically generates pre-signed URLs for accessing media files, including icons. Pre-signed URLs offer a secure way to grant temporary access to objects stored in S3 without making them publicly accessible. However, this process of generating pre-signed URLs can introduce latency, especially when dealing with a large number of requests, such as when loading the /applications endpoint. Each icon request requires Authentik to generate a unique pre-signed URL, which involves cryptographic operations and communication with the S3 service. In scenarios where S3 performance is a bottleneck, or when you have already configured public access permissions on your S3 bucket, this pre-signing process becomes an unnecessary overhead. The delay caused by pre-signing can lead to a frustrating user experience, with load times stretching to 15-20 seconds or even longer.

This issue is particularly pronounced when using Ceph Rados Gateway for S3 storage, as performance limitations within the gateway can exacerbate the problem. However, the underlying principle applies to any S3 implementation: if you've already configured your S3 bucket to allow public access, the pre-signing mechanism becomes redundant and detrimental to performance. Therefore, understanding how to disable pre-signing icons is crucial for optimizing your Authentik instance.

The Solution: Disabling Pre-signing for Publicly Accessible Buckets

The most effective solution to this performance bottleneck is to disable pre-signing of media URLs in Authentik when your S3 bucket has public access permissions. By serving raw S3 URLs directly, you eliminate the overhead associated with generating pre-signed URLs, leading to a significant improvement in loading times. This approach is particularly beneficial when you've already configured your S3 bucket with permissions that allow unauthenticated access to objects, such as granting GetObject, ListBucket, and GetBucketLocation permissions to *. In this configuration, Authentik's pre-signing mechanism becomes superfluous, because the bucket policy already lets any unauthenticated client read the objects.
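Before serving raw URLs, it helps to see exactly what the bucket policy hands to anonymous callers. The following is an added example, not Authentik's or the author's code: it audits a bucket policy document for actions granted to everyone, comparing a policy with the three permissions named above against a narrower one. The bucket name, the icons/ prefix and both policies are constructed placeholders.

```python
import json

# Constructed sample policies; bucket name and "icons/" prefix are placeholders.
# BROAD mirrors the three permissions named above, NARROW grants object reads only.
BROAD = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": "*",
    "Action": ["s3:GetObject", "s3:ListBucket", "s3:GetBucketLocation"],
    "Resource": ["arn:aws:s3:::example-media", "arn:aws:s3:::example-media/*"]}]})
NARROW = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": "*"},
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::example-media/icons/*"}]})


def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _is_anonymous(principal):
    """True for "*" and {"AWS": "*"}, which both match unauthenticated callers."""
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return principal == "*"


def public_grants(policy_json):
    """Map each action allowed to anonymous callers to the resources it covers."""
    grants = {}
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _is_anonymous(stmt.get("Principal")):
            continue
        for action in _as_list(stmt.get("Action", [])):
            # Action names are case-insensitive, so keys are lowercased.
            grants.setdefault(action.lower(), set()).update(
                _as_list(stmt.get("Resource", [])))
    return grants


def beyond_object_read(policy_json):
    """Anonymous actions other than s3:GetObject (wildcards such as s3:* included)."""
    return sorted(a for a in public_grants(policy_json) if a != "s3:getobject")


def whole_bucket_read(policy_json):
    """True if anonymous s3:GetObject covers every key rather than one prefix."""
    resources = public_grants(policy_json).get("s3:getobject", set())
    return any(r.split(":::", 1)[-1].split("/", 1)[-1] == "*" for r in resources)
```

For the broad policy, beyond_object_read reports the listing and location actions, which let any caller enumerate every key in the bucket rather than only fetch objects whose URL they already know.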

Disabling pre-signing allows Authentik to directly construct URLs pointing to the media files in your S3 bucket, bypassing the need for cryptographic operations and communication with the S3 service for each request. This streamlined process translates to faster response times, especially when loading pages that display numerous icons or media elements. For instance, the /applications endpoint, which often suffers from slow loading times due to icon pre-signing, will experience a noticeable performance boost. Users will observe quicker page loads and a more responsive user interface, enhancing their overall experience with Authentik.

Implementing the Solution: A Step-by-Step Guide

Unfortunately, Authentik may not have a built-in option within its administrative interface to directly disable pre-signing for S3 media URLs. However, there might be configuration settings or environment variables that can be adjusted to achieve the desired outcome. The specific steps may vary depending on the Authentik version and your deployment environment, but the general approach involves identifying the relevant configuration parameters and modifying them to bypass the pre-signing process.

  1. Identify Relevant Configuration Settings: Begin by examining Authentik's configuration files, environment variables, and database settings for any parameters related to S3 media storage and URL generation. Look for settings that control the use of pre-signed URLs or the generation of media URLs in general. Keywords to search for include "pre-sign," "S3 URL," "media URL," and similar terms. Refer to Authentik's official documentation and community forums for guidance on available configuration options.

  2. Explore Environment Variables: Authentik often uses environment variables to configure various aspects of its behavior. Check if there are any environment variables that control S3 pre-signing. For example, there might be a variable like AUTHENTIK_S3_PRESIGN_ENABLED that can be set to false to disable pre-signing. Consult Authentik's documentation or source code for a list of supported environment variables and their effects.

  3. Modify Configuration Files: If environment variables don't provide the necessary control, investigate Authentik's configuration files. These files typically contain settings that govern how Authentik interacts with external services, including S3. Look for sections related to media storage or S3 configuration and identify any parameters that influence URL generation. Modify these parameters to disable pre-signing, if possible.

  4. Database Configuration: In some cases, Authentik might store configuration settings in its database. If you're comfortable working with databases, you can try querying the database for relevant settings and modifying them directly. However, exercise caution when modifying database entries, as incorrect changes can lead to instability or data loss. Back up your database before making any changes.

  5. Code Modification (Advanced): As a last resort, if no other options are available, you might consider modifying Authentik's source code to disable pre-signing. This approach requires advanced programming skills and a deep understanding of Authentik's codebase. It's also important to note that code modifications can make it more difficult to upgrade Authentik in the future. If you choose this route, be sure to thoroughly test your changes and document them carefully.

Once you've identified and modified the appropriate configuration settings, restart Authentik to apply the changes. Monitor the /applications endpoint and other areas of your Authentik instance to verify that pre-signing is disabled and that performance has improved.
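One way to carry out the verification step above, as an added example that is not part of Authentik: it walks a JSON API response, collects every http(s) URL, and classifies each as pre-signed (SigV4 or the older SigV2 query form) or raw by its query parameters. The response shape, the "meta_icon" field name, the host and the signature value are constructed assumptions.

```python
import json
from urllib.parse import urlsplit, parse_qs

# Constructed sample: response shape and "meta_icon" field are assumptions;
# host, credential and signature values are placeholders.
SIGNED_URL = ("https://s3.example.internal/media/icons/a.png"
              "?X-Amz-Algorithm=AWS4-HMAC-SHA256"
              "&X-Amz-Credential=EXAMPLEKEY%2F20240101%2Fus-east-1%2Fs3%2Faws4_request"
              "&X-Amz-Date=20240101T000000Z&X-Amz-Expires=3600"
              "&X-Amz-SignedHeaders=host&X-Amz-Signature=" + "0" * 64)
SAMPLE_RESPONSE = json.dumps({"results": [
    {"name": "wiki", "meta_icon": SIGNED_URL},
    {"name": "mail", "meta_icon": "https://s3.example.internal/media/icons/b.png"},
    {"name": "chat", "meta_icon": ""},
]})


def classify(url):
    """Return 'presigned-v4', 'presigned-v2' or 'raw' from the query parameters."""
    params = {k.lower() for k in parse_qs(urlsplit(url).query, keep_blank_values=True)}
    if "x-amz-signature" in params:
        return "presigned-v4"
    if {"awsaccesskeyid", "signature", "expires"} <= params:
        return "presigned-v2"
    return "raw"


def lifetime_seconds(url):
    """Validity window of a SigV4 pre-signed URL, or None if the URL has none."""
    values = parse_qs(urlsplit(url).query).get("X-Amz-Expires")
    return int(values[0]) if values else None


def iter_urls(node):
    """Yield every http(s) string found anywhere in a decoded JSON structure."""
    if isinstance(node, dict):
        node = list(node.values())
    if isinstance(node, list):
        for item in node:
            yield from iter_urls(item)
    elif isinstance(node, str) and node.startswith(("http://", "https://")):
        yield node


def summarize(response_json):
    """Count URLs in the response by classification."""
    counts = {}
    for url in iter_urls(json.loads(response_json)):
        counts[classify(url)] = counts.get(classify(url), 0) + 1
    return counts
```

After the change takes effect, the summary for a real response should contain only raw entries; any remaining pre-signed entry means some code path still signs URLs.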

Alternatives Considered: Evaluating the file Backend

As an alternative to disabling pre-signing, you might consider switching to the file backend for media storage. The file backend stores media files directly on the Authentik server's file system, eliminating the need for S3 and pre-signed URLs altogether. This approach can be simpler to configure and may offer better performance in some scenarios, particularly if you have limited S3 performance or want to avoid the complexity of managing S3 buckets and permissions. However, the file backend also has its drawbacks. It can consume significant storage space on your Authentik server, and it may not be suitable for large-scale deployments or environments where media files need to be shared across multiple Authentik instances. Additionally, the file backend lacks the scalability and redundancy of S3, making it less resilient to failures.

Before switching to the file backend, carefully evaluate your requirements and weigh the pros and cons of each approach. Consider factors such as storage capacity, performance needs, scalability requirements, and disaster recovery considerations. In many cases, disabling pre-signing for publicly accessible S3 buckets offers the best balance of performance, scalability, and security.

Conclusion: Optimizing Authentik Performance with S3

Disabling pre-signing of media URLs in Authentik when using S3 with public access permissions can significantly improve performance, particularly for endpoints like /applications that display numerous icons or media elements. By serving raw S3 URLs directly, you eliminate the overhead associated with generating pre-signed URLs, leading to faster loading times and a more responsive user interface. While Authentik may not provide a direct option to disable pre-signing, you can often achieve this by modifying configuration settings, environment variables, or, as a last resort, the source code. Remember to thoroughly test any changes and consult Authentik's documentation and community forums for guidance.

By understanding the issue of pre-signed URLs and implementing the appropriate solution, you can optimize your Authentik instance for maximum performance and deliver a seamless user experience. For further information on S3 security best practices, consider visiting the Amazon S3 Documentation.