SSO Support?

Question

SSO Support?

alyx opened this issue 3 years ago · comments

Somewhat related to #2, maybe a different direction to think about.

Would it be worth integrating some form of SSO (e.g. OAuth2) in addition to/instead of direct registrations? Besides the obvious benefit of "allowing an easier way to integrate with an existing stack", could also solve the issue of limiting registration by just making who can register be a different platform's problem -- for generic SSO, would be reasonable enough to just assume anyone who's in the SSO system could access; for specific SSO options (e.g. GitHub), could have options for limiting to users who are members of certain orgs or whatnot.

Something like Passport.js could be used to accomplish most of this

Max Leiter · Answer 1 · Wed Mar 09 2022 12:03:34 GMT+0800 (China Standard Time)

Yeah, this is a great idea, just not something I intended to have finished in the near future. I haven't used passport but it seems fairly easy to figure out

Max Leiter · Answer 2 · Thu Mar 10 2022 07:07:16 GMT+0800 (China Standard Time)

@alyx in another project I contribute to we're moving forwards with implementing header auth, so SSO can be done at the reverse proxy level. Do you have any thoughts on this?

the PR is thelounge/thelounge#4447

alyx · Answer 3 · Thu Mar 10 2022 07:47:36 GMT+0800 (China Standard Time)

I think this seems like a pretty reasonable idea actually. Looks like it would save a lot of time on the developer-side of things since Drift wouldn't need to deal with the entire spectacle of integrating SSO and means admins could just play with their HTTPd configs to rig it how they'd like. I'd +1 this idea

Adyanth Hosavalike · Answer 4 · Tue Mar 29 2022 01:54:42 GMT+0800 (China Standard Time)

As long as the header is configurable, should be all good. A traefik+traefik-forward-auth can talk to any OIDC IdP and provide the username/mail in X-Forwarded-User

Max Leiter · Answer 5 · Tue Mar 29 2022 03:37:24 GMT+0800 (China Standard Time)

Are there any security considerations that need I need to make, or can I assume if a valid header is provided the user is authed/trusted?

Adyanth Hosavalike · Answer 6 · Tue Mar 29 2022 03:46:03 GMT+0800 (China Standard Time)

When implementing header only authorization, that burden lies on the reverse proxy. Application cannot distinguish it one way or another. You sure need to call that out as something to look out for in the docs.

Ex: Traefik copies the headers from the forwardAuth middleware overwriting anything that might have been present before.

Cloudflare guarantees that the Cf-Connecting-User is set for all requests proxied behind zero trust and to be non overridable.