ansilh / docker-st2-sso

This project forked from chris-crunchr/docker-st2-sso

Basic stackstorm setup in docker with support for SSO logins with headers instead of CGI params.

Shell 1.21% Python 24.57% HTML 28.95% Dockerfile 45.28%

Introduction

This repository contains a docker-based stackstorm setup that enables passing authorized usernames via HTTP headers instead of WSGI parameters.

Why?

Most Single Sign On frameworks I've seen use a header (e.g. X-Forwarded-User) to pass usernames to the backend, after the authentication and authorization procedures. The backend accepts this header and does what is needed to set up a session for this user.

The authentication backend from stackstorm does not accept these headers. When run in proxy mode, it assumes that the application framework will send the username as a WSGI parameter to the application.

In the docker setup, st2auth runs behind gunicorn. Gunicorn only accepts HTTP connections and does not support custom transformations from headers to parameters. So, to accept usernames through headers, some major modifications were needed.

How?

Basically, we replace gunicorn with uwsgi and use nginx's uwsgi support to transform the incoming header into a uwsgi parameter. Uwsgi is configured to run in master mode, with its vassals living under /etc/uwsgi/vassals.

We provide two vassals: st2auth and auth_proxy. The first vassal is the gunicorn-to-uwsgi replacement and listens on a unix socket. The second is needed to allow the internal tooling to log in. The internal stackstorm tools do not know how to cooperate with st2auth in proxy mode. For instance, st2 login <username> will always try to do a regular authentication request to localhost:9100. In proxy mode, however, st2auth will not accept these requests. To get around this issue, we created auth_proxy. This proxy accepts connections on localhost:9100, extracts the username, and forwards the request to the reverse proxy for dispatching.

The last problem we encountered was the default stackstorm web interface. This interface assumes that the user provides a username and password, unless a session cookie is set (or, more accurately, a session in the browser's local storage). To work around this, we've added a static auth.html page. Nginx serves this page instead of the default index page if no session cookie is found. The page loads the session details from the st2auth backend, prepares the local storage and cookies and, finally, reloads the page. Nginx then detects that a session is active via the auth cookie and loads the normal index page, continuing the usual stackstorm flow.
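The header-to-parameter mapping from the start of this section, modelled as WSGI middleware so it can be run. This is an added example, not code from this repository, which does the mapping in nginx and uwsgi. It assumes the WSGI parameter is REMOTE_USER and that the SSO proxy connects from 127.0.0.1; all function names are hypothetical.

```python
TRUSTED_PROXIES = {"127.0.0.1"}        # assumption: address of the SSO reverse proxy
SSO_HEADER = "HTTP_X_FORWARDED_USER"   # WSGI environ key for the X-Forwarded-User header


def proxy_mode_app(environ, start_response):
    """Stand-in for a backend in proxy mode: it only looks at REMOTE_USER."""
    user = environ.get("REMOTE_USER")
    if not user:
        start_response("401 Unauthorized", [("Content-Type", "text/plain")])
        return [b"no REMOTE_USER"]
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [("token for " + user).encode()]


def header_to_remote_user(app, trusted=TRUSTED_PROXIES):
    """Copy X-Forwarded-User into REMOTE_USER, but only for trusted peers."""
    def middleware(environ, start_response):
        environ = dict(environ)
        # REMOTE_USER may only come from the header set by the trusted proxy.
        environ.pop("REMOTE_USER", None)
        header = environ.pop(SSO_HEADER, "").strip()
        if environ.get("REMOTE_ADDR") in trusted and header:
            environ["REMOTE_USER"] = header
        return app(environ, start_response)
    return middleware


def call(app, **environ):
    """Invoke a WSGI app with a constructed environ; return (status, body)."""
    seen = {}

    def start_response(status, headers):
        seen["status"] = status

    body = b"".join(app(environ, start_response))
    return seen["status"], body.decode()


if __name__ == "__main__":
    wrapped = header_to_remote_user(proxy_mode_app)
    # Constructed requests, not captured traffic.
    # Without the mapping the backend never sees the header.
    print(call(proxy_mode_app, REMOTE_ADDR="127.0.0.1", HTTP_X_FORWARDED_USER="alice"))
    # With the mapping, a request from the trusted proxy is accepted.
    print(call(wrapped, REMOTE_ADDR="127.0.0.1", HTTP_X_FORWARDED_USER="alice"))
    # The same header from any other peer is discarded.
    print(call(wrapped, REMOTE_ADDR="203.0.113.7", HTTP_X_FORWARDED_USER="alice"))
```

The same trust rule applies to the real setup: the backend should be reachable only through the reverse proxy, and the proxy should overwrite any X-Forwarded-User value supplied by the client.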

Understanding the source

To form a better understanding of how this all works together I advise you to read the Dockerfile and the (last few blocks of) st2.conf nginx configuration. These files give a broad overview of how this solution works!

Contributors

chris-crunchr
