Closed Jipok closed 3 months ago
This is what Jauth looks like in the browser:
https://github.com/astubenbord/paperless-mobile/assets/25588359/edddfb73-fb52-4a07-ae34-64f7a36f87b6
@astubenbord I have given you temporary access for testing to my paperless instance: https://p.ateam.undo.it You can log in using your SSH keys: https://github.com/astubenbord.keys
This likely relates to https://github.com/astubenbord/paperless-mobile/issues/405 where a browser would be used for login; however, in this case the cookie set by the auth proxy would need to be held onto.
I'll also close this in favor of #374. Should be the same topic, right? If not, feel free to reopen.
@astubenbord
It seems that what @TheRealGramdalf asks you to do there is much more difficult to implement and maintain than what I or @PrzemekSkw ask.
If I understand correctly, the paperless server will provide a web interface for logging in via OpenID. In this case, the webview approach can also help with this and you won't have to add and maintain additional functionality.
Description
There are various authorizing reverse proxies. For example: https://github.com/oauth2-proxy/oauth2-proxy https://github.com/Jipok/Jauth They take care of authentication, authorization, registration, etc. They are easy to support for the developer (server part) - all that is needed is to process the configured header (most often this is Remote-User or X-Forwarded-User) where the username is specified. They are also convenient for the user, since there is no need to remember/store extra login/password pairs, provide a single entry point for their own services and increase security. And paperless-ngx supports this: https://docs.paperless-ngx.com/configuration/#PAPERLESS_ENABLE_HTTP_REMOTE_USER
I ask to add support for this method to the application. I tried logging in through certificates and it’s even more inconvenient than login + password. And the method of transferring and storing the key raises doubts that it is more secure than a regular login + password.
To implement it, you need to show a web page (WebView) to the user when receiving 401 from the server, and after the server returns 200 (or another code, but not 401), then take all the session cookies and use them when interacting with the server.
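The header-based login described above is only safe when the backend accepts Remote-User or X-Forwarded-User from the auth proxy alone, so a client-supplied copy must be dropped. The following is an added example, not code from paperless-ngx, Jauth or oauth2-proxy, showing that check as WSGI middleware; the proxy addresses, `IdentityHeaderGuard`, `demo_app` and `call` are assumptions made for illustration.

```python
# Added example: honour identity headers only when the TCP peer is the auth proxy.
import ipaddress

# Assumption: the auth proxy reaches the backend from these addresses.
TRUSTED_PROXIES = [ipaddress.ip_network("127.0.0.1/32"),
                   ipaddress.ip_network("10.0.0.0/24")]
# WSGI spellings of the Remote-User and X-Forwarded-User request headers.
IDENTITY_KEYS = ("HTTP_REMOTE_USER", "HTTP_X_FORWARDED_USER")


def from_trusted_proxy(environ):
    """True when the connecting peer is one of the configured proxy addresses."""
    try:
        peer = ipaddress.ip_address(environ.get("REMOTE_ADDR", ""))
    except ValueError:
        return False
    return any(peer in net for net in TRUSTED_PROXIES)


class IdentityHeaderGuard:
    """Strip identity headers from any request that bypassed the proxy."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        if not from_trusted_proxy(environ):
            for key in IDENTITY_KEYS:
                environ.pop(key, None)
        return self.app(environ, start_response)


def demo_app(environ, start_response):
    """Hypothetical backend: 200 with the user name, 401 when none is set."""
    user = environ.get("HTTP_REMOTE_USER")
    status = "200 OK" if user else "401 Unauthorized"
    start_response(status, [("Content-Type", "text/plain")])
    return [(user or "login required").encode()]


def call(remote_addr, headers):
    """Run one constructed request through the guarded app."""
    environ = {"REMOTE_ADDR": remote_addr, **headers}
    seen = {}
    body = IdentityHeaderGuard(demo_app)(
        environ, lambda status, hdrs: seen.update(status=status))
    return seen["status"], b"".join(body).decode()
```

The 401 returned for a direct request is the same response that would make the app open the proxy's login page in the WebView flow requested above.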