itzg / saml-auth-proxy

Provides a SAML SP authentication proxy for backend web services
MIT License
63 stars, 18 forks

Feature Proposal: Support anonymous access to the backend #60

Closed kyori19 closed 1 year ago

kyori19 commented 1 year ago

Background

I want to log in to Grafana using SAML while allowing anonymous access to the public dashboard. Here is an example configuration for such a situation.

[auth.anonymous]
enabled = true
org_name = Public Org.
org_role = Viewer

[auth.proxy]
enabled = true

Current Situation

Currently, saml-auth-proxy always initiates the SAML auth flow. It forces all users to sign in even though Grafana allows anonymous access.

That behaviour is caused by the use of RequireAccount in the proxy server.

https://github.com/itzg/saml-auth-proxy/blob/6745b242d2df11540dbe1b8e528f9f6d5caaf322/server/server.go#L106

Proposal

saml-auth-proxy should support anonymous access to the backend app.

I made a prototype which works for my use case. The changes can be found in this commit: https://github.com/kyori19/saml-auth-proxy/commit/6642f8ad0f2b9f32761a35fcc922a49f09faa441.

In my implementation, almost all requests from users will be proxied to the backend without initiating/requiring SAML auth. However, when the user accesses the login path /login, saml-auth-proxy initiates the SAML auth flow and the user can log in to the service. The login path /login will be accessed when the user clicks the "Sign In" button on the Grafana dashboard.

Problem

As my implementation is just a prototype and heavily adapted to my use case, it has some problems.

itzg commented 1 year ago

Very interesting scenario.

Do you know, if an anonymous user happens to directly access a non-anonymous dashboard will Grafana enforce sending them through the login flow?

kyori19 commented 1 year ago

Yes, of course. It will be handled by regular Grafana authorization flow and correctly protected.

itzg commented 1 year ago

In that case, I definitely like the overall strategy you took in your changes. It would be great if you could PR a variation that will be minimally configuration driven. Perhaps via a new option called something like "initiate auth session paths" that would take "/login" for your scenario.

kyori19 commented 1 year ago

Sorry for the late response. Then I will write a PR after adding a configuration flag. Before doing the implementation, let me ask you about the naming of it.

How about naming that flag -initiate-session-path string? When -initiate-session-path is not given (empty string), all paths will initiate the SAML auth flow (this keeps backward compatibility). If -initiate-session-path /login is given, all paths other than /login will be bypassed, and only when the user accesses /login will it initiate the SAML auth flow.

In this implementation, when we want to support multiple initiate paths, we can safely turn it into an array of strings.
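The gating logic discussed in the prototype description and in the -initiate-session-path proposal above, written out as an added, stand-alone Go example. This is not saml-auth-proxy's own code: the session cookie name, the IdP redirect URL and the toy backend are constructed for the example, and "X-WEBAUTH-USER" is assumed to be the header the backend trusts (Grafana's default auth.proxy header_name). The one detail worth copying is that a client-supplied identity header is removed before any anonymous request is forwarded, since a backend configured with auth.proxy trusts that header blindly; the example also shows the backend, not the proxy, refusing anonymous access to a protected path, which is the division of responsibility the thread relies on.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// identityHeader is the header the backend trusts for the proxied identity.
// "X-WEBAUTH-USER" is Grafana's default auth.proxy header_name; using it here
// is an assumption of this example, not something the issue states.
const identityHeader = "X-WEBAUTH-USER"

// sessionCookie is a constructed stand-in for the proxy's SAML session cookie.
const sessionCookie = "session"

// sessionUser returns the signed-in user for a request, or "" when there is no
// session. A real proxy validates a signed SAML session token here; the raw
// cookie value is used only to keep the example self-contained.
func sessionUser(r *http.Request) string {
	c, err := r.Cookie(sessionCookie)
	if err != nil {
		return ""
	}
	return c.Value
}

// initiateSessionGate mirrors the proposed -initiate-session-path semantics:
//   - initiatePath == "" : every request without a session is sent to the IdP;
//   - otherwise          : only initiatePath forces the SAML flow, other paths
//     are proxied anonymously unless a session already exists.
// In both modes a client-supplied identity header is removed first, so an
// anonymous caller cannot pose as a signed-in user towards the backend.
func initiateSessionGate(initiatePath string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		r.Header.Del(identityHeader)
		user := sessionUser(r)
		switch {
		case user != "":
			r.Header.Set(identityHeader, user) // authenticated: forward identity
		case initiatePath == "" || r.URL.Path == initiatePath:
			// no session and this path must initiate SAML: redirect to the IdP
			// (placeholder URL standing in for the real AuthnRequest)
			http.Redirect(w, r, "https://idp.example/sso", http.StatusFound)
			return
		}
		next.ServeHTTP(w, r) // anonymous or authenticated; the backend authorizes
	})
}

// backend imitates Grafana with auth.anonymous enabled: anonymous viewers may
// read public dashboards, but a path that needs an account is refused unless
// the identity header is present.
func backend() http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		user := r.Header.Get(identityHeader)
		if user == "" {
			if strings.HasPrefix(r.URL.Path, "/admin") {
				w.WriteHeader(http.StatusUnauthorized)
				fmt.Fprint(w, "login required")
				return
			}
			user = "anonymous"
		}
		fmt.Fprint(w, user)
	})
}

// probe sends one constructed request through h and returns (status, body).
func probe(h http.Handler, path, cookie string, hdr map[string]string) (int, string) {
	req := httptest.NewRequest(http.MethodGet, path, nil)
	if cookie != "" {
		req.AddCookie(&http.Cookie{Name: sessionCookie, Value: cookie})
	}
	for k, v := range hdr {
		req.Header.Set(k, v)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code, rec.Body.String()
}

func main() {
	strict := initiateSessionGate("", backend())        // pre-1.12 behaviour
	relaxed := initiateSessionGate("/login", backend()) // -initiate-session-path /login

	code, _ := probe(strict, "/d/public", "", nil)
	fmt.Println("strict  anonymous /d/public ->", code) // 302
	code, body := probe(relaxed, "/d/public", "", nil)
	fmt.Println("relaxed anonymous /d/public ->", code, body) // 200 anonymous
	code, _ = probe(relaxed, "/login", "", nil)
	fmt.Println("relaxed anonymous /login    ->", code) // 302
	code, body = probe(relaxed, "/admin", "", map[string]string{identityHeader: "admin"})
	fmt.Println("relaxed spoofed   /admin    ->", code, body) // 401 login required
	code, body = probe(relaxed, "/d/public", "alice", nil)
	fmt.Println("relaxed alice     /d/public ->", code, body) // 200 alice
}
```

The spoofed /admin probe is the case to keep in mind when adopting this pattern: with the header deletion removed, the anonymous path would let any client set X-WEBAUTH-USER itself and be treated as that user by an auth.proxy backend.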

itzg commented 1 year ago

That name sounds good. Thanks.

itzg commented 1 year ago

This is now included in https://github.com/itzg/saml-auth-proxy/releases/tag/1.12.0