Comments (7)
Hi @Arno500, thank you for your suggestion! I didn't implement something like this, because there is no standard SSO way. In my experience there are often small special cases. I'm not sure if I understand your use case. Is there still a username/password pair provided by the user? If so, one could use the external auth mechanism and write a shell script that does the authentication. There has been an example somewhere where it was used to authenticate against an LDAP directory. Would that maybe work for you?
Otherwise, if I knew better what is needed, I'm happy to implement it.
from sharry.
I've not been very precise, sorry ;)
I need OpenID Connect, or SAML 2.0 if you prefer (but it seems harder to implement)... Otherwise, we use an Active Directory service (LDAP-compatible), but this web app may not be hosted on the same machine for security reasons, and we would need to develop a small, accessible web app to do the auth, thus reducing security. We can use the script solution, but it's not really clean, and the LDAP server is not on the same server (both are isolated for maximum security, as Sharry concerns clients and collaborators, and AD concerns exclusively collaborators)... Also, an SSO service (Trustelem) supporting these two standards is currently being deployed in the company.
If there is a webapp to be developed, it could also just do the auth given the username/password pair. This is already supported via external.http auth. But I guess this also wouldn't work for you...
I'm interested in adding support for OpenID Connect, but I'm not familiar with it :/. I quickly had a look at the OpenID Connect Spec and it is quite big :) (at least compared to the old openid spec, which was really small and simple) I probably need to delegate this to some library I have to find. Or do you think there is a ~80% case I could start with that is simple to implement (you mentioned some token exchange that didn't sound so hard at first sight)?
Yes, the webapp is a simple solution, but not the best that could be implemented from a security, ease-of-use and user-friendliness standpoint...
OpenID is the new de facto standard for auth, and SAML2 is getting old, so OID should be the most compatible (Facebook, Google, GitHub, etc. are all supporting it)...
For OpenID, it looks quite complicated, but you need only one face of it: the "Authorization code" flow. This is what I told you earlier, with the token exchange.
I found one library for it: https://github.com/chaabaj/openid-scala, the only problem being that providers are hardcoded inside the library, for user convenience. The best would be to just set the auth mode to OpenID in Sharry's config, and include the endpoint URL (the URL containing information about how to redirect the user), the client ID (the login of the app against the service) and the client secret (the app's password).
Then, the app needs to be compatible with HTTPS for the backend check after the user has authenticated. Finally, Sharry can get some information about the user (I think it only needs its name).
Thank you very much for your fast and useful help!
You're welcome! But right now you are rather helping me :-) Thank you for your explanation and I like the fact that only the "authorization code" flow is needed.
I think the problem is that sharry is not really prepared for redirects in its auth subsystem. I have to add an endpoint that handles the redirect request from the authentication provider (as far as I understand?). Then I'm thinking about whether the login page makes any sense if it is configured for openid. So it is more work than I hoped... I really like to add this, but unfortunately I'm quite low on spare time right now. I plan to add a new chunk of work after summer. I'm sorry if that is too late or anything...
OpenID can't log in from provided info like username and password in the URL. You need to authenticate on THE service containing or connecting user databases. Therefore, a login page before OpenID doesn't make sense and would not work.
In algorithm form, it's a bit like:
IF OpenID is set as auth provider, THEN bypass the login page and redirect to the auth provider.
After the user connects, it gets redirected to a URL endpoint you provided.
Only now, check the token given in the URL (based on your already existing web auth) against the server. Finally, if it corresponds, the server should send you the requested data (here only the user name is needed, maybe using the email address if it doesn't exist).
Here it is!
You can work on it whenever you have time (and want to take it)!
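The authorization code flow sketched in the two comments above (config = provider endpoint, client ID, client secret; then redirect, callback with a code, back-channel exchange, and a check of the returned identity) as an added, self-contained example. This is not Sharry's code and not the openid-scala library; both the relying party and the provider are in-process stand-ins so it runs offline. The issuer URL, client credentials, redirect URI and user are made up. The stand-in provider signs the ID token with HS256 using the client secret; real providers such as Keycloak or Azure AD usually use RS256 with keys published at the jwks_uri of the discovery document, so the signature check would use those keys instead. The relying-party side shows the checks a real implementation must not skip: the state parameter against the session (login CSRF), pinning the algorithm, and verifying issuer, audience, nonce and expiry before trusting the name or email claim. The code is also single-use at the provider, as the spec requires.

```python
import base64, hashlib, hmac, json, secrets, time
from urllib.parse import parse_qs, urlencode, urlparse

# Hypothetical values for the three config items named in the thread.
ISSUER = "https://sso.example.test"                    # provider "endpoint URL"
CLIENT_ID = "sharry"                                   # the app's login at the provider
CLIENT_SECRET = "s3cr3t-client-secret"                 # the app's password
REDIRECT_URI = "https://sharry.example.test/app/oidc/callback"  # must be HTTPS

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_hs256(claims: dict, key: str) -> str:
    """Build a JWT signed with HMAC-SHA256 (stand-in for the provider's RS256)."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(key.encode(), f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"

class MockProvider:
    """Stand-in identity provider: authorize endpoint + token endpoint."""
    def __init__(self):
        self.codes = {}   # code -> (client_id, redirect_uri, nonce, subject, email)

    def authorize(self, auth_url: str, subject: str, email: str) -> str:
        """The user logs in here; provider redirects back with code and state."""
        q = {k: v[0] for k, v in parse_qs(urlparse(auth_url).query).items()}
        if q["response_type"] != "code" or q["client_id"] != CLIENT_ID:
            raise PermissionError("unauthorized_client")
        code = secrets.token_urlsafe(24)
        self.codes[code] = (q["client_id"], q["redirect_uri"], q["nonce"], subject, email)
        return q["redirect_uri"] + "?" + urlencode({"code": code, "state": q["state"]})

    def token(self, code, client_id, client_secret, redirect_uri) -> dict:
        """Back-channel exchange: code is single-use, client must authenticate."""
        entry = self.codes.pop(code, None)          # pop: a replayed code fails
        if entry is None or entry[0] != client_id or entry[1] != redirect_uri:
            raise PermissionError("invalid_grant")
        if not hmac.compare_digest(client_secret, CLIENT_SECRET):
            raise PermissionError("invalid_client")
        now = int(time.time())
        claims = {"iss": ISSUER, "sub": entry[3], "aud": client_id, "nonce": entry[2],
                  "iat": now, "exp": now + 300, "email": entry[4], "name": "Alice"}
        return {"id_token": sign_hs256(claims, CLIENT_SECRET), "token_type": "Bearer"}

def start_login() -> tuple:
    """Relying party step 1: build the redirect; keep state and nonce in the session."""
    session = {"state": secrets.token_urlsafe(16), "nonce": secrets.token_urlsafe(16)}
    url = f"{ISSUER}/authorize?" + urlencode({
        "response_type": "code", "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
        "scope": "openid email profile", "state": session["state"], "nonce": session["nonce"]})
    return url, session

def verify_id_token(token: str, key: str, nonce: str) -> dict:
    """Check signature, alg, iss, aud, nonce and exp before trusting any claim."""
    h64, p64, s64 = token.split(".")
    if json.loads(b64url_decode(h64)).get("alg") != "HS256":   # pin alg; never accept "none"
        raise ValueError("unexpected alg")
    expected = hmac.new(key.encode(), f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p64))
    if claims["iss"] != ISSUER or claims["aud"] != CLIENT_ID:
        raise ValueError("wrong issuer or audience")
    if claims["nonce"] != nonce or claims["exp"] < int(time.time()):
        raise ValueError("nonce mismatch or token expired")
    return claims

def handle_callback(provider: MockProvider, callback_url: str, session: dict) -> dict:
    """Relying party step 2: state check, code exchange, ID token verification."""
    q = {k: v[0] for k, v in parse_qs(urlparse(callback_url).query).items()}
    if not hmac.compare_digest(q.get("state", ""), session["state"]):
        raise PermissionError("state mismatch (login CSRF)")
    tokens = provider.token(q["code"], CLIENT_ID, CLIENT_SECRET, REDIRECT_URI)
    claims = verify_id_token(tokens["id_token"], CLIENT_SECRET, session["nonce"])
    # Account name: email if present, otherwise the stable subject identifier.
    return {"sub": claims["sub"], "login": claims.get("email", claims["sub"])}

def run_flow() -> dict:
    """Full happy path with a constructed user 'user-42'."""
    provider = MockProvider()
    auth_url, session = start_login()
    callback = provider.authorize(auth_url, "user-42", "alice@example.test")
    return handle_callback(provider, callback, session)

def replay_is_rejected() -> bool:
    """Redeeming the same code twice must fail at the token endpoint."""
    provider = MockProvider()
    auth_url, session = start_login()
    callback = provider.authorize(auth_url, "user-42", "alice@example.test")
    handle_callback(provider, callback, session)
    try:
        handle_callback(provider, callback, session)
    except PermissionError:
        return True
    return False

if __name__ == "__main__":
    print(run_flow(), replay_is_rejected())
```

The state and nonce are generated per login attempt and stored server-side; the callback handler never accepts a code for a state it did not issue, which is what keeps an attacker from logging a victim into the attacker's account. Against a real provider, `MockProvider.token` becomes an HTTPS POST to the token endpoint from the discovery document, and `verify_id_token` validates RS256 against the provider's JWKS.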
I know, it's been a while :-); I think this is now realized in current release.