Open japrogramer opened 4 years ago
sounds interesting, would welcome a pr to see something like this
Hi, I would love to resolve this issue in Hacktoberfest. I really appreciate if someone in charge of this project could elaborate the workflow/requirement of this issue? Thanks a lot!!
P/S: If it's possible, I hope to be assigned to this issue.
cc: @wodka
Hi @lantrungseo :) that would be awesome!
right now I see 3 ways to add the authentication part:
Option 1) Oauth2 Option 2) SAML Option 3) Webhook
For us right now the easiest way would be to go with option 3) So within the AuthService (https://github.com/ohmyform/api/blob/master/src/service/auth/auth.service.ts) to call a webhook AUTH_WEBHOOK
and based on the result create / authenticate the user.
The result for this should contain at least the following:
{
"roles": ["user", "admin", "superuser"], // https://github.com/ohmyform/api/blob/master/doc/roles.md
"username": "something"
}
Further: the moment AUTH_WEBHOOK
is defined the register and reset password calls should be disabled!
and the second part would be to create a new mutation endpoint to create users with a role similar to the registration (role limited to the auth of the current user)
I think that Oauth2 would be the best option long term because it also handles authentication thru an existing app.
yes, but at the same time oauth is a bit different for every implementation.
Any updates for Saml2?
Since this is primarily used by docker, I wonder if it would be easier to support having ohmyform support trusting some HTTP header like X-Forwarded-User
for providing the authentication.
It would allow someone to use Traefik along with one of the authentication middleware like forwardauth. There are several authentication implementations that allow ouauth, saml and so on that is compatible with the Traefik forwardauth.
I am able to use Traefik + traefik-forward-auth as my source of authentication for many other things.
I like the simplicity of https://doc.traefik.io/traefik/v2.4/middlewares/forwardauth/ and was about to propose https://github.com/oauth2-proxy/oauth2-proxy/, too. It similarily supports to pass authentication headers (in multiple ways).
If not about OAuth2, more precicely we could be talking about implementing OIDC, instead.
SAML2 looks interesting for SSO environments, where you want to be able to centrally log out users.
I also like the idea with X-Forwarded-User - curious on how to best do this. As it would mean that we need to disable all in app authentication and fully rely on the header to indicate the information. Or always then reporting the authenticated flag for the graphql endpoint.
Tricky thing I'm thinking of right now is that the "public" endpoint should then have a different router in traefik to not have the header added.
Supporting X-Forwarded-User seems like an easy step to 'indirectly' support basically any authentication mechanism. At least easier than native OAuth2+OpenId Connect and SAML2 support.
From my understanding of usage of nginx with oauth2-proxy it shouldn't be any issue to route a dedicated path (public) to skip the auth-proxy. Could you elaborate a bit @wodka where you saw an issue with this?
One thing that I think could be important is that this perhaps requires that user accounts are automatically created/updated when an authenticated request comes in.
I would like to be able to call my own app for authentication,
freshly created environment following this steps https://ohmyform.com/docs/install/
I want it to be possible to create users who are admin role through an api call to my app