irods-contrib / metalnx-web

Metalnx Web Application
https://metalnx.github.io/
BSD 3-Clause "New" or "Revised" License

Request to add reverse proxy authentication #209

Open peterverraedt opened 3 years ago

peterverraedt commented 3 years ago

The goal of this feature request is to allow external forms of authentication on a layer before metalnx, e.g. single sign-on, to avoid the need of providing user passwords and to allow custom login methods, just like the irods interactive pam authentication initiative. The idea is that metalnx is put behind a reverse proxy that provides the username of the current user as an http header, which should then be used for an automatic login session.

We see two alternative methods, of which the second is preferred as it would allow iticket logins:

  1. The reverse proxy always provides a username as an http header, that is, a user session is always required before visiting metalnx. Metalnx should check this header and create a session with the given username automatically. The logout button should work by ending the metalnx session, and should afterwards send the user to a configurable URL. If this would speed things up, it is acceptable that metalnx also expects a password passed as a second http header that can be used to authenticate against irods.

  2. The reverse proxy, by default, does not provide a username, but metalnx allows configuring a login URL (and some logo) that is shown on the login page, which leads to a single-sign-on page where the user can authenticate; afterwards the user is redirected to a specific metalnx page (e.g. /external-auth-callback or just the login page) with the username and possibly an irods password passed as http headers. Once the username header is present on this callback page, metalnx should auto-login the user. The logout button should work as usual. This behaviour should mimic shibboleth's lazy sessions, but an implementation of openid/oauth is of course also accepted.

Not being a java coder, we have somehow implemented (2) by adding client-side javascript to the login page which submits the login form automatically under certain circumstances; but of course the authentication controller should be changed server-side.
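The header-based auto-login described in this request only works safely if the application accepts the username header from the reverse proxy alone, never from a client that reaches the application directly or smuggles its own header through. The following is an added example of that check (not metalnx code and not part of the issue): the header names X-Remote-User and X-Proxy-Secret, the trusted proxy network, the shared secret and the post-logout URL are all assumptions made for illustration.

```python
# Added example (not from the metalnx project): accept a proxy-asserted
# username only when the request provably came from the trusted reverse proxy.
import hmac
import ipaddress

# Assumed header names; the real proxy configuration would define these.
USER_HEADER = "x-remote-user"
SECRET_HEADER = "x-proxy-secret"


class ProxyAuth:
    def __init__(self, trusted_proxies, shared_secret, post_logout_url):
        # Networks the proxy connects from; anything else is treated as a
        # direct client and its headers are ignored (assumed values in tests).
        self.trusted = [ipaddress.ip_network(n) for n in trusted_proxies]
        # Secret the proxy adds to every forwarded request so that a host on
        # the trusted network cannot assert a username without knowing it.
        self.secret = shared_secret
        # Where method (1) sends the user after ending the application session.
        self.post_logout_url = post_logout_url

    def _from_trusted_proxy(self, remote_addr):
        addr = ipaddress.ip_address(remote_addr)
        return any(addr in net for net in self.trusted)

    def resolve_user(self, headers, remote_addr):
        """Return the username asserted by the proxy, or None to fall back to
        the ordinary login form. Header names are matched case-insensitively."""
        if not self._from_trusted_proxy(remote_addr):
            return None  # bypassed the proxy: header is client-controlled
        lowered = {k.lower(): v for k, v in headers.items()}
        presented = lowered.get(SECRET_HEADER, "")
        # Constant-time comparison so timing does not leak the secret.
        if not hmac.compare_digest(presented, self.secret):
            return None
        user = lowered.get(USER_HEADER, "").strip()
        # Reject empty or oddly shaped names before they reach the iRODS login.
        if not user or not user.isprintable() or len(user) > 64:
            return None
        return user

    def login(self, headers, remote_addr, session):
        """Method (2) callback: auto-login if the proxy asserted a user."""
        user = self.resolve_user(headers, remote_addr)
        if user is None:
            return False
        session["user"] = user
        return True

    def logout(self, session):
        """Method (1) logout: end the application session, then redirect."""
        session.pop("user", None)
        return self.post_logout_url


if __name__ == "__main__":
    auth = ProxyAuth(["10.0.0.0/8"], "example-shared-secret", "/sso/logout")
    session = {}
    # Constructed request headers as the proxy would forward them.
    ok = auth.login({"X-Remote-User": "alice",
                     "X-Proxy-Secret": "example-shared-secret"},
                    "10.0.0.5", session)
    print("login via proxy:", ok, session)
    # Same headers arriving directly from the internet are ignored.
    print("direct client:", auth.resolve_user(
        {"X-Remote-User": "alice", "X-Proxy-Secret": "example-shared-secret"},
        "203.0.113.7"))
    print("logout redirects to:", auth.logout(session), session)
```

The proxy must also overwrite, not merely add, the username header on every forwarded request, so that a client cannot pre-populate it; the shared secret guards against other hosts on the trusted network, and the source-address check guards against clients that reach the application port directly.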

michael-conway commented 3 years ago

Let's look at that for the next set of features; we can perhaps use this as fodder for the auth working group.