grocy / grocy-docker

ERP beyond your fridge - now containerized - this is the docker repo of https://github.com/grocy/grocy
MIT License

Feature request: Proxy authentication by http header value #229

Closed max-tet closed 12 months ago

max-tet commented 12 months ago

When self-hosting multiple applications, you really want to have a single point for user management and authentication. It is annoying to login to each and every app separately.

A pretty simple way to centralize authentication is achieved by deploying apps behind a reverse proxy, and use proxy auth. The proxy handles authentication in some way and sets http headers containing the username that was successfully logged-in. The apps read the headers and associate incoming requests to that user.

The perfect proxy auth feature for me would work like this:

  1. Start the app with additional environment variables:
  2. Configure the reverse proxy to authenticate incoming requests in any way you like.
  3. Let the reverse proxy set X-Authenticated-User to the authenticated username on every request.
  4. The app treats the requests as if they belong to the appropriate user session.
  5. Bonus: if the app does not know the username, it creates a new user with that name.

Other SSO methods like OIDC still require the user to login with each app, even if no credentials are required. It is still an additional step that is unneeded and hurting the user experience.

Here are some examples of apps that feature proxy authentication: FreshRSS, LinkDing, Navidrome.

Additional context: I am using the app for this product. Since this is a single-user platform, users really should see no login screen at all, not even for SSO.

berrnd commented 12 months ago

Grocy can already do this (personally can't help with anything Docker) - references:

https://github.com/grocy/grocy/blob/c9bc10820dddc6534d7a8d29c4f90a2eaef95f2b/config-dist.php#L83-L89

Since v3.0.0:

New feature: External authentication support

  • New config.php setting AUTH_CLASS to change the used authentication provider
  • Via LDAP
    • New config.php settings LDAP_DOMAIN, LDAP_ADDRESS and LDAP_BASE_DN
    • If you set AUTH_CLASS to Grocy\Middleware\LdapAuthMiddleware, users will be authenticated against your directory (and will also be created (in Grocy), if not already present)
  • Via a reverse proxy
    • New config.php setting REVERSE_PROXY_AUTH_HEADER
    • If you set AUTH_CLASS to Grocy\Middleware\ReverseProxyAuthMiddleware and your reverse proxy sends a username in the HTTP header REMOTE_USER (header name can be changed by the setting REVERSE_PROXY_AUTH_HEADER), the user is automatically authenticated (and will also be created (in Grocy), if not already present)

Since v3.2.0:

  • When using reverse proxy authentication (ReverseProxyAuthMiddleware), it's now also possible to pass the username in an environment variable instead of an HTTP header (new config.php option REVERSE_PROXY_AUTH_USE_ENV)
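The settings named above (AUTH_CLASS set to Grocy\Middleware\ReverseProxyAuthMiddleware, REVERSE_PROXY_AUTH_HEADER defaulting to REMOTE_USER) only make grocy trust whatever username arrives in that header, so the deployment has to guarantee that only the reverse proxy can write it. The following nginx server block is an added example, not configuration from the grocy or grocy-docker projects; the hostname, certificate and htpasswd paths, the upstream address, and the alternative header name X-Authenticated-User are assumptions:

```nginx
# Added example (not from grocy or grocy-docker): nginx authenticates the user itself
# and forwards the verified username to grocy in REMOTE_USER, grocy's default
# REVERSE_PROXY_AUTH_HEADER when AUTH_CLASS is Grocy\Middleware\ReverseProxyAuthMiddleware.
# Hostnames, ports and file paths below are assumptions.

server {
    listen 443 ssl;
    server_name grocy.example.internal;             # assumed hostname

    ssl_certificate     /etc/nginx/tls/grocy.crt;   # assumed paths
    ssl_certificate_key /etc/nginx/tls/grocy.key;

    location / {
        # Any authentication method works here; HTTP basic auth is used for brevity.
        auth_basic           "grocy";
        auth_basic_user_file /etc/nginx/htpasswd;   # assumed path

        # Set the header unconditionally: a client-supplied REMOTE_USER is replaced
        # by the username nginx just verified, never passed through.
        proxy_set_header REMOTE_USER $remote_user;

        # If REVERSE_PROXY_AUTH_HEADER is changed to the name proposed in the issue,
        # clear it here as well (an empty value drops the header from the request).
        proxy_set_header X-Authenticated-User "";

        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;

        # grocy is reachable only on the internal container network (assumed address).
        proxy_pass http://grocy:80;
    }
}
```

The deployment-side check that matters is that the grocy container publishes no host port of its own and is attached only to a network the proxy shares; if grocy can be reached directly, any client can send the configured header and be logged in as that user. Restricting REVERSE_PROXY_AUTH_USE_ENV (v3.2.0) to a variable set by the proxy process rather than an HTTP header is the same trust boundary expressed differently, and needs the same isolation.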

max-tet commented 12 months ago

Thanks for the hint, I did not find that in the docs. I see that you can even disable authentication altogether, which works even better for me!