Update: proxy authentication #1241
Conversation
I made a quick pass to enable proxy auth (aka external-auth or forward-auth). The way this works is, once enabled, it'll listen to the specific headers in the the request and will try to find a user based on that, or create one on the fly. I made this as a first pass to gather feedback. Any comments appreciated. Related: semaphoreui#735
log.Debug(username + " does not exist yet, creating it") | ||
externalAuthUser := db.UserWithPwd{ |
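Review bot: log.Debug(username + " does not exist yet, creating it") writes a header-supplied value into the log by plain concatenation, so a value containing line breaks can forge additional log lines; log the username as a structured field or strip control characters first. Since the next line creates the account on the fly from that same header, it is also worth making sure this path is only reachable for requests that actually passed through the trusted proxy.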
I should probably check if this is the "first" user and give them .Admin?
@@ -209,6 +218,20 @@ func validateConfig() { | |||
} | |||
} | |||
func validateExternalAuth() { |
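Review bot: validateExternalAuth() is wired into validateConfig(), but the hunk does not show it rejecting a configuration in which LDAP is enabled at the same time; header-based auth, LDAP and internal auth should be mutually exclusive, so have validation fail startup when more than one is turned on instead of layering proxy auth on top of the others.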
I just thought of it now, but I think it should be "external auth" or LDAP or internal. Not on top of it.
So, on that note, it should probably "error" when LDAP is enabled as well. Haven't found a simple way to determine "internal auth" yet.
var authCookieName = "semaphore" | ||
func determineAuthType(r *http.Request) authType { | ||
if len(r.Header.Get("authorization")) > 0 && strings.Contains(r.Header.Get("authorization"), "bearer") { |
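Review bot: strings.Contains(r.Header.Get("authorization"), "bearer") is case-sensitive, so the conventional "Bearer" spelling never matches, and Contains also accepts the substring anywhere in the value rather than as the scheme; compare the scheme with strings.HasPrefix(strings.ToLower(v), "bearer ") (or strings.EqualFold on the first token). The lowercase "authorization" key itself is fine, since Header.Get canonicalizes the name.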
Probably needs a strings.ToLower() as well.
Username: username, | ||
Created: time.Now(), | ||
Name: username, | ||
Email: username + "@example.org", // FIXME |
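Review bot: Email: username + "@example.org" stores a fabricated address on the newly created user record, which will look like a real address to anything that reads it later; read the address from a configurable header and leave the field empty when the proxy does not supply one, rather than shipping the FIXME.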
Not entirely sure how to deal with that yet. Maybe have to read how LDAP works. But I guess there's also generally more data available from an external directory.
Currently using Rundeck and would love to switch to Semaphore as a lightweight alternative. Rundeck allows defining "preauth" settings in the configuration or via environment variables (i.e. for Docker). These define how the headers get read for proxy auth. Example of settings (env vars in this case) for Rundeck behind Authelia authentication:
The proxy then sends the following headers to Rundeck, set by the forward auth:
RUNDECK_PREAUTH_USERSYNC_ENABLED defines if an existing user is updated in case the headers do not match the existing user. This is for changing any attribute including group/role. For Semaphore I suggest the following extension:

```json
{
...
"proxy_auth": {
"user_header": "Remote-User",
"name_header": "Remote-Name",
"mail_header": "Remote-Email",
"role_header": "Remote-Groups",
"role_header_sep": ",",
"role_header_admin_group": "admin", // semaphore should search in the delimited list of `role_header` for this group
"sync": true // defines if already existing users get updated
// should only support local and not ldap (so this `true` and ldap enabled should fail or silently not sync).
// But with "false" I see no reason to not use only the `Remote-User` as authenticated user and use ldap for reading the attributes.
"logout_url": "https://myauthserver/logout" // optional but nice feature
}
...
}
```
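As an added example (not code from this PR or from Semaphore), a Go sketch of how the proxy_auth keys proposed above could be applied to an incoming request: ProxyAuthConfig, ProxyIdentity and IdentityFromHeaders are hypothetical names, the request headers are constructed, and an identity is only produced when the user header is present so that the on-the-fly user creation never runs on an empty name.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// ProxyAuthConfig mirrors the proxy_auth keys proposed above (hypothetical type, not Semaphore's own).
type ProxyAuthConfig struct {
	UserHeader, NameHeader, MailHeader, RoleHeader, RoleHeaderSep, RoleHeaderAdminGroup string
}

// ProxyIdentity is what the forward-auth proxy asserts about the caller.
type ProxyIdentity struct {
	Username, Name, Email string
	Roles                 []string
	IsAdmin               bool
}

// IdentityFromHeaders maps request headers to an identity. ok is false when the user header
// is missing or blank, so the caller falls back to the normal login flow; admin is granted
// only on an exact match of one delimited role against role_header_admin_group.
func IdentityFromHeaders(cfg ProxyAuthConfig, h http.Header) (id ProxyIdentity, ok bool) {
	if id.Username = strings.TrimSpace(h.Get(cfg.UserHeader)); id.Username == "" {
		return ProxyIdentity{}, false
	}
	if id.Name = strings.TrimSpace(h.Get(cfg.NameHeader)); id.Name == "" {
		id.Name = id.Username // same fallback as the PR's UserWithPwd{Name: username}
	}
	id.Email = strings.TrimSpace(h.Get(cfg.MailHeader)) // left empty rather than fabricated
	sep := cfg.RoleHeaderSep
	if sep == "" {
		sep = ","
	}
	for _, r := range strings.Split(h.Get(cfg.RoleHeader), sep) {
		if r = strings.TrimSpace(r); r == "" {
			continue
		}
		id.Roles = append(id.Roles, r)
		id.IsAdmin = id.IsAdmin || (cfg.RoleHeaderAdminGroup != "" && r == cfg.RoleHeaderAdminGroup)
	}
	return id, true
}

func main() {
	cfg := ProxyAuthConfig{"Remote-User", "Remote-Name", "Remote-Email", "Remote-Groups", ",", "admin"}
	h := http.Header{"Remote-User": {"alice"}, "Remote-Groups": {"dev, admin"}} // constructed sample request
	id, ok := IdentityFromHeaders(cfg, h)
	fmt.Printf("ok=%v admin=%v roles=%v\n", ok, id.IsAdmin, id.Roles) // ok=true admin=true roles=[dev admin]
}
```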
Tried to play around a bit, but had the problem that the @till Did you observe the same? I think any form of "pre-authentication" would first need to let the client side always call the backend to check for authentication and route based on the result, not the pure existence of the cookie.