Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support auth via reverse-proxy headers #90

Closed
weaversam8 opened this issue Feb 21, 2024 · 2 comments
Closed

Support auth via reverse-proxy headers #90

weaversam8 opened this issue Feb 21, 2024 · 2 comments
Labels
enhancement New feature or request

Comments

@weaversam8
Copy link
Contributor

OtterWiki currently authenticates users based on the sqlite database it maintains. If hosted in a corporate environment, it may be beneficial to install a reverse-proxy that handles authentication (with SSO, etc...) and then grants the user access to the wiki.

This is technically possible today, but you lost the semantics of tracking which user is editing the wiki. I'd like to propose a configuration option that would allow OtterWiki to use values provided by trusted HTTP headers instead. Maybe something like:

  • X-OtterWiki-Email - The email address of the user
  • X-OtterWiki-Username - The "name" of the user attached to the commit
  • X-OtterWiki-Role - The role of the user, to control access.
@redimp
Copy link
Owner

redimp commented Feb 21, 2024

Great idea. Adding an auth method that relies on HTTP Headers should be straight forward. To make this even more flexible the headers should be completly configurable.

Which Idenity Providers do support this nowadays? I know authentik does.

@redimp redimp changed the title Support for a reverse-proxy Support auth via reverse-proxy headers Feb 21, 2024
@redimp redimp added the enhancement New feature or request label Feb 21, 2024
weaversam8 added a commit to Phonebooth/otterwiki that referenced this issue Mar 6, 2024
@weaversam8
Closes redimp#90. Proof of concept for reverse-proxy auth.
3ed05d5 
- This commit adds a new auth manager class for authorizing via proxy
  headers `ProxyHeaderAuth` which can be selected by setting the
  `AUTH_METHOD` env var to `PROXY_HEADER`

    - This auth manager looks for the following headers in order to
      create a "pseudo-user" on each request. No users are committed to
      the SQLite database when using this auth manager.

        - `X-OtterWiki-Name` - the name of the user to include on the
          Git commit when editing a page
        - `X-OtterWiki-Email` - the email of the user to include on the
          Git commit when editing a page
        - `X-OtterWiki-Permissions` - a comma separated list of
          permissions to grant to the user

    - The Docker `entrypoint.sh` script has been updated to pass the
      `AUTH_METHOD` config option thru if set in the environment.

- `has_permission(permission, user)` is now a method specific to each
  auth manager

- auth managers now implement a `supported_features()` method to detail
  which features they support (like whether an auth manager allows a
  user to change their name or password, or logout)

    - the features object this method returns is present in all Jinja
      templates as the variable `auth_supported_features`

    - the settings page was updated to prevent a user from editing their
      password and name if it is not supported by the current auth
      manager.

    - the dropdown menu present on all page was updated to hide the
      "logout" button if it is not supported by the current auth manager

- The `test_settings.py` test was updated to tolerate extra whitespace
@weaversam8
Copy link
Contributor Author

See #95 for a crack at solving this problem.

redimp pushed a commit that referenced this issue Mar 10, 2024
@weaversam8 @redimp
Closes #90. Proof of concept for reverse-proxy auth.
b3a9dc3 
- This commit adds a new auth manager class for authorizing via proxy
  headers `ProxyHeaderAuth` which can be selected by setting the
  `AUTH_METHOD` env var to `PROXY_HEADER`

    - This auth manager looks for the following headers in order to
      create a "pseudo-user" on each request. No users are committed to
      the SQLite database when using this auth manager.

        - `X-OtterWiki-Name` - the name of the user to include on the
          Git commit when editing a page
        - `X-OtterWiki-Email` - the email of the user to include on the
          Git commit when editing a page
        - `X-OtterWiki-Permissions` - a comma separated list of
          permissions to grant to the user

    - The Docker `entrypoint.sh` script has been updated to pass the
      `AUTH_METHOD` config option thru if set in the environment.

- `has_permission(permission, user)` is now a method specific to each
  auth manager

- auth managers now implement a `supported_features()` method to detail
  which features they support (like whether an auth manager allows a
  user to change their name or password, or logout)

    - the features object this method returns is present in all Jinja
      templates as the variable `auth_supported_features`

    - the settings page was updated to prevent a user from editing their
      password and name if it is not supported by the current auth
      manager.

    - the dropdown menu present on all page was updated to hide the
      "logout" button if it is not supported by the current auth manager

- The `test_settings.py` test was updated to tolerate extra whitespace
@redimp redimp closed this as completed in 6c9ec31 Mar 22, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement New feature or request
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@redimp @weaversam8