PoC: Enable SSO by listening for http header: REMOTE_USER #632
base: master
This allows all middlewares to query the database, for alternative authorizations that need to create and read the database.
This code has been working fine for us; this should fix #631.
    log.Infof("User %s not in database, creating user", remoteUser)
    newUser := model.User{
        Username: remoteUser,
        Admin:    false,
It would be nice to add a flag where you can specify the admin username.
In an SSO context this would preferably be done on the IdP, provisioning entitlements so the app doesn't have to do it. That also works well when a user is no longer an admin.
The provided code is more a proof of concept that works in our setup, but I did have to do a bootstrap by starting the application, editing me to admin, and then switching on SSO.
For real use I think it would be better to listen to some value from the IdP than a set list of users that should be admins.
Unfortunately, there is no protocol for transferring rights or anything else. Even remote-user is not something official, but just one of two popular options. The second is X-Forwarded-User.
I have my own authorizing proxy and I have tried many services. Usually, you just specify the admin for applications. This is a common approach.
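The three points raised in this thread (create unknown users as non-admin, grant admin from a configured username, and accept either the Remote-User or X-Forwarded-User header) fit in one middleware. The block below is an added illustration written for this discussion, not code from the PR or the project: the `User`, `UserStore`, `SSOConfig` and `ServeOnce` names are assumptions, and the in-memory store stands in for the project's database. It adds the check a deployment of this pattern needs, which is that the identity header is honoured only when the TCP peer is one of the listed authenticating proxies; a request that reaches the app directly could otherwise set the header itself.

```go
package main

import (
	"context"
	"fmt"
	"log"
	"net"
	"net/http"
	"net/http/httptest"
	"strings"
	"sync"
)

// User mirrors the fields used in the PR's model.User (assumed shape, not the project's type).
type User struct {
	Username string
	Admin    bool
}

// UserStore is an in-memory stand-in for the project's database (constructed for this example).
type UserStore struct {
	mu    sync.Mutex
	users map[string]*User
}

func NewUserStore() *UserStore { return &UserStore{users: map[string]*User{}} }

// GetOrCreate returns the stored user, creating it on first sight.
// Admin is granted only when the name matches the configured admin user.
func (s *UserStore) GetOrCreate(username, adminUser string) *User {
	s.mu.Lock()
	defer s.mu.Unlock()
	if u, ok := s.users[username]; ok {
		return u
	}
	log.Printf("User %s not in database, creating user", username)
	u := &User{Username: username, Admin: username == adminUser}
	s.users[username] = u
	return u
}

// SSOConfig holds the deployment knobs (field names are assumptions, not the project's flags).
type SSOConfig struct {
	Header         string      // "Remote-User" or "X-Forwarded-User"
	TrustedProxies []net.IPNet // only peers in these ranges may assert an identity
	AdminUser      string      // username that receives Admin on creation
}

type ctxKey struct{}

// UserFromContext lets downstream handlers read the authenticated user.
func UserFromContext(ctx context.Context) (*User, bool) {
	u, ok := ctx.Value(ctxKey{}).(*User)
	return u, ok
}

func (c SSOConfig) fromTrustedProxy(remoteAddr string) bool {
	host, _, err := net.SplitHostPort(remoteAddr)
	if err != nil {
		host = remoteAddr
	}
	ip := net.ParseIP(host)
	if ip == nil {
		return false
	}
	for _, n := range c.TrustedProxies {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// RemoteUserMiddleware trusts the identity header only when the peer is a listed proxy.
func RemoteUserMiddleware(cfg SSOConfig, store *UserStore, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !cfg.fromTrustedProxy(r.RemoteAddr) {
			http.Error(w, "identity header not accepted from this peer", http.StatusForbidden)
			return
		}
		remoteUser := strings.TrimSpace(r.Header.Get(cfg.Header))
		if remoteUser == "" {
			http.Error(w, "no authenticated user", http.StatusUnauthorized)
			return
		}
		u := store.GetOrCreate(remoteUser, cfg.AdminUser)
		next.ServeHTTP(w, r.WithContext(context.WithValue(r.Context(), ctxKey{}, u)))
	})
}

// ServeOnce pushes one synthetic request through the middleware and reports the outcome.
func ServeOnce(cfg SSOConfig, store *UserStore, remoteAddr, headerValue string) (int, *User) {
	var seen *User
	h := RemoteUserMiddleware(cfg, store, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		seen, _ = UserFromContext(r.Context())
		fmt.Fprintf(w, "hello %s", seen.Username)
	}))
	req := httptest.NewRequest(http.MethodGet, "/", nil)
	req.RemoteAddr = remoteAddr // constructed peer address for the example
	if headerValue != "" {
		req.Header.Set(cfg.Header, headerValue)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code, seen
}

// ExampleConfig: a loopback proxy plus an internal range are trusted; "bjorn" is the admin (constructed values).
func ExampleConfig() SSOConfig {
	var nets []net.IPNet
	for _, s := range []string{"127.0.0.1/32", "10.0.0.0/8"} {
		_, n, err := net.ParseCIDR(s)
		if err != nil {
			panic(err)
		}
		nets = append(nets, *n)
	}
	return SSOConfig{Header: "Remote-User", TrustedProxies: nets, AdminUser: "bjorn"}
}

func main() {
	cfg, store := ExampleConfig(), NewUserStore()
	code, u := ServeOnce(cfg, store, "10.0.0.5:4321", "alice")
	fmt.Println(code, u.Username, u.Admin) // 200 alice false
	code, u = ServeOnce(cfg, store, "127.0.0.1:4321", "bjorn")
	fmt.Println(code, u.Username, u.Admin) // 200 bjorn true
	code, _ = ServeOnce(cfg, store, "203.0.113.9:5555", "bjorn")
	fmt.Println(code) // 403: the header is ignored when it does not come via a trusted proxy
}
```

Switching to the other convention the thread mentions is a matter of setting `Header` to `X-Forwarded-User`; the trusted-proxy list is what keeps either header from being client-controlled, and replacing `AdminUser` with a group or role value forwarded by the IdP would give the entitlement-driven admin handling the PR author prefers.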
This is a proof of concept that we currently are testing, but that I want to start a discussion about.
The code is not production ready, it is a starting point for a concrete discussion.
I have opened issue #631 with more information.
Regards
Björn