Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

SSO Support? #11

Open
alyx opened this issue Mar 9, 2022 · 6 comments · May be fixed by #78
Open

SSO Support? #11

alyx opened this issue Mar 9, 2022 · 6 comments · May be fixed by #78
Labels
help wanted Extra attention is needed

Comments

@alyx
Copy link

alyx commented Mar 9, 2022

Somewhat related to #2, maybe a different direction to think about.

Would it be worth integrating some form of SSO (e.g. OAuth2) in addition to/instead of direct registrations? Besides the obvious benefit of "allowing an easier way to integrate with an existing stack", could also solve the issue of limiting registration by just making who can register be a different platform's problem -- for generic SSO, would be reasonable enough to just assume anyone who's in the SSO system could access; for specific SSO options (e.g. GitHub), could have options for limiting to users who are members of certain orgs or whatnot.

Something like Passport.js could be used to accomplish most of this
@MaxLeiter
Copy link
Owner

Yeah, this is a great idea, just not something I intended to have finished in the near future. I haven't used passport but it seems fairly easy to figure out

@MaxLeiter MaxLeiter added the help wanted Extra attention is needed label Mar 9, 2022
@MaxLeiter
Copy link
Owner

@alyx in another project I contribute to we're moving forwards with implementing header auth, so SSO can be done at the reverse proxy level. Do you have any thoughts on this?

the PR is thelounge/thelounge#4447

@alyx
Copy link
Author

alyx commented Mar 9, 2022

I think this seems like a pretty reasonable idea actually. Looks like it would save a lot of time on the developer-side of things since Drift wouldn't need to deal with the entire spectacle of integrating SSO and means admins could just play with their HTTPd configs to rig it how they'd like. I'd +1 this idea

@adyanth
Copy link

adyanth commented Mar 28, 2022

As long as the header is configurable, should be all good. A traefik+traefik-forward-auth can talk to any OIDC IdP and provide the username/mail in X-Forwarded-User

@MaxLeiter
Copy link
Owner

Are there any security considerations that need I need to make, or can I assume if a valid header is provided the user is authed/trusted?

@adyanth
Copy link

adyanth commented Mar 28, 2022

When implementing header only authorization, that burden lies on the reverse proxy. Application cannot distinguish it one way or another. You sure need to call that out as something to look out for in the docs.

Ex: Traefik copies the headers from the forwardAuth middleware overwriting anything that might have been present before.

Cloudflare guarantees that the Cf-Connecting-User is set for all requests proxied behind zero trust and to be non overridable.

@MaxLeiter MaxLeiter linked a pull request Apr 9, 2022 that will close this issue
Open
@MaxLeiter MaxLeiter modified the milestone: 1.0 Nov 21, 2022
@MaxLeiter MaxLeiter moved this to In Progress in Drift - Road to 1.0 Nov 21, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
help wanted Extra attention is needed
Projects
Drift - Road to 1.0
Status: In Progress
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Add header authentication for SSO MaxLeiter/Drift
3 participants
@alyx @MaxLeiter @adyanth