Comments (8)
What is your current OAuth or SSO solution in your company? Is it possible that you implement your own login page with any ID providers you have, and just store the final access token as a subdomain.your_company.com cookie?
At the beginning I was thinking of implementing a full-fledged OAuth2 flow, for example, leveraging https://github.com/markbates/goth and we can cover some major social login cases. I'm not 100% sure, but it needs flagr to be exposed publicly so that the external ID providers can send a POST callback. I didn't prioritize this approach because I want flagr to be 100% private within our cluster.
And moreover, it turns out that people usually have their own login flow, and we can just piggyback on it and just validate the access token.
That said, if any of you want to bring in OAuth, I'd be happy to help and review the PRs.
The steps I can think of as of now:
- Set `Config.JWTAuthNoTokenRedirectURL=/auth` to be a local relative path (`GET /auth`) instead of redirecting to another website or page.
- Set `Config.JWTAuthPrefixWhitelistPaths` to include `/auth` so that we don't validate the access token for `/auth`-related paths.
- Serve `GET /auth` with a static HTML page with login buttons (e.g. Google, GitHub, etc.). Buttons point to `GET /auth/{provider}`.
- Serve `GET /auth/{provider}/`, `POST /auth/{provider}/callback`, and `GET /auth/logout/{provider}` with goth. For example, https://github.com/markbates/goth/blob/master/examples/main.go#L188-L218
- Set corresponding env variables for client_key and client_secret.
- Expose flagr to the public so that Google or GitHub can send the callback to it.
Definitely open to it. We have HS256 and RS256 now, and it should be straightforward to add more JWT validations.
https://github.com/checkr/flagr/blob/master/pkg/config/middleware.go#L122-L132
I'd be interested in helping work on this. I have a situation where I'd like to be able to auth against a Google login. Do we have any sense as to what would be necessary to make this happen?
I added the OAuth by putting flagr behind a reverse proxy and using vouch for authentication.
This is not an out-of-the-box solution, but it works really well.
Interesting!
@zhouzhuojie thanks for the details.
I agree about keeping the application private within the cluster, that is how we have things set up right now as well. I was talking to some folks about how we want to handle auth and it sounds like we are moving towards using Google's Cloud Identity-Aware Proxy. I don't know a whole lot about it at this point, but I see that it can provide JWT tokens via signed headers with the ES256 algorithm. At this point the question from me would be are you open to a PR at some point that could expand the JWT handling in Flagr?
Hey all! I'm trying to set up flagr behind an OAuth2Proxy to be authenticated with Google. Latest versions allow proxy-passing the `Authorization` header using the `id_token` that Google provides; it's a JWT token with the ES256 algorithm, as @crberube said.
But from here I'm not sure how to proceed with flagr, as it's not properly authorizing requests with those authorization headers.
We want to set this up for the audit_logs so we properly audit each interaction within flagr.
Thanks in advance.
You can also enable the basic auth.
For the GUI, you will be prompted to enter your user name and password.
For the API, you will need to pass the header
`Authentication: Basic base64decode(username:password)`