Header-based authentication (e.g. REMOTE_USER) #3243
Comments
I've not actually heard of this authentication previously. Is there any documentation or examples?
@jcmcken I'd quite like to see this in Cachet as it would solve other issues. I'm still unsure how to implement this and how to test it, having not used this before.
I'm not super familiar with PHP tooling, but I've done this extensively for Python web apps. In Python, there's typically an auth middleware somewhere in the stack that looks at a particular environment variable and trusts its value as the logged-in user. In pseudocode:
Implementation-wise, there would be a frontend web server that
I've used Apache and haproxy to do this in the past (there are several modules that perform 1 and 2 for you, then you just need to set some reverse proxy configs for your virtual host), but I believe other web servers have this capability too. As far as unit tests go, if your web framework allows you to mock out the request environment, that's one way to test. For smoke-testing a live instance, you can use Apache and probably set the environment statically (e.g. set
@jcmcken oh! That sounds much easier than I thought it would be. So basically, if
@jbrooksuk Yep, that's all it is. You trust whatever the auth proxy gives you for a username. If no username is passed, the auth proxy failed to auth and you can deny login.
Hi @jbrooksuk, is this available in 2.4? Can I enable remote user authentication with a configuration option/env variable?
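An added example of the middleware described in the comments above, written in Python (where the commenter says the pattern is common) rather than PHP; it is not code from this thread or from Cachet. The trusted proxy address, the `X-Remote-User` fallback header and the username character rule are assumptions. It shows the check a defender wants alongside "trust the proxy's value": the value is only trusted when the request actually arrived via the authenticating proxy, so a client that sets the header itself gets no login.

```python
import ipaddress
import re

# Constructed for this example: the address(es) of the authenticating reverse proxy.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.5/32")]
# Assumed username rule: short, printable, no path or whitespace characters.
USERNAME_RE = re.compile(r"[A-Za-z0-9._@-]{1,64}")


def remote_user_from_environ(environ, trusted=TRUSTED_PROXIES):
    """Return the proxy-asserted username, or None when login must be denied.

    REMOTE_USER (set by the proxy's auth module) or the assumed X-Remote-User
    header is trusted only if the TCP peer is one of the trusted proxies.
    """
    try:
        peer = ipaddress.ip_address(environ.get("REMOTE_ADDR", ""))
    except ValueError:
        return None
    if not any(peer in net for net in trusted):
        # Request did not pass through the auth proxy: any REMOTE_USER or
        # X-Remote-User value here is client-controlled, so it is ignored.
        return None
    user = (environ.get("REMOTE_USER") or environ.get("HTTP_X_REMOTE_USER") or "").strip()
    if not USERNAME_RE.fullmatch(user):
        # Empty means the proxy did not authenticate anyone; deny the login.
        return None
    return user


def wsgi_app(environ, start_response):
    """Minimal WSGI app: 200 with the trusted username, otherwise 401."""
    user = remote_user_from_environ(environ)
    if user is None:
        start_response("401 Unauthorized", [("Content-Type", "text/plain")])
        return [b"login denied\n"]
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [f"logged in as {user}\n".encode()]
```

For a smoke test against a live proxy, the same function can be fed the real WSGI `environ`; the only knobs are the trusted proxy list and the username rule.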
Are there plans to support fronting Cachet with an authenticating web proxy? For example, a frontend web proxy authenticates the user, and passes the authenticated user name to Cachet via an HTTP header or environment variable, which Cachet can then trust implicitly.
This type of configuration allows users to use arbitrary authentication methods (including LDAP, CAS, SAML, OAuth, OIDC, etc.) without needing to add this functionality directly into Cachet's code base.
This possibility was mentioned in a few other issues that I saw, but it didn't look like it was addressed. Our team uses this pattern with a lot of applications that don't natively support things like OAuth and SAML authentication.