sebadob / rauthy

OpenID Connect Single Sign-On Identity & Access Management
https://sebadob.github.io/rauthy/
Apache License 2.0
353 stars 20 forks

Upstream Auth with Discord; check if in guild? #618

Open IngwiePhoenix opened 1 week ago

IngwiePhoenix commented 1 week ago

Hello there!

I've been trying to find an IdP and OIDC system that works with Traefik's ForwardAuth - and this one here seems to do so!

My use-case is a little special: I have a k3s cluster at home and I would like to enforce authorization on some routes - by plugging a ForwardAuth middleware into the IngressRoute - when they do not come from my local network. Since these services are only accessed by me or my friends, and we share a common Discord server, I would like to configure an upstream authentication that accepts Discord and verifies if the user is in the same guild as specified.

When claiming the guild of a user, the .../@me endpoint will return a list of joined guilds by their ID - so one can verify against that.

How could I use this in Rauthy to effectively:

Thanks and kind regards!

sebadob commented 1 week ago

Hey,

a little special, yes indeed. :)

What you try to achieve is not possible out of the box right now.

The first question I have is whether you have already had success configuring Discord as an upstream and whether you have a working login flow, because I never used or tested Discord in this combination.

Allow my friends to log in via Discord, ...as long as they are in a guild "whitelisted" in Rauthy

What Rauthy can do atm is to dynamically map an upstream user to the Rauthy admin role via a JSON path lookup. However, it does not provide this feature to "whitelist" users.

I guess the /@me endpoint is the one you would use for the /userinfo config in the UI, right? In this case, and if the flow with Discord works when configured properly and it does not need some special handling (like GitHub does, unfortunately), adding an additional condition for the JSON mapping could be possible.

So the important question is whether you can use Discord out of the box as an upstream provider already, without considering the whitelisting.

Consider requests from 192.168.1.0/24 to always be legitimate and not requiring authentication?

That is nothing Rauthy would do, but you can configure Traefik in such a way pretty easily.

If you configure 2 routes for your application, one with the additional condition that the source IP must match 192.168.1.0/24 and a second one with the inverse, you can apply the forward auth middleware to only the external IPs.
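The two-route split described in the reply above, written out as Traefik IngressRoute objects for a k3s cluster. This is an added example, not configuration from the issue or from the Rauthy project. It assumes Traefik v3 (the ClientIP matcher and the ! negation need v3; v2 uses a different apiVersion and has no negation), an entrypoint named websecure, a Service named myapp on port 80, and a hostname that is a made-up placeholder. The Rauthy forward-auth address is a placeholder too: the page does not give the real endpoint path, so look it up in the Rauthy docs for your version.

```yaml
# Added example (not from the issue or the Rauthy project).
# Assumes Traefik v3 CRDs; hostname, service name and the
# forward-auth address are placeholders.
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: rauthy-forward-auth
spec:
  forwardAuth:
    # PLACEHOLDER: replace with the actual Rauthy forward-auth URL
    address: https://auth.example.internal/PLACEHOLDER-rauthy-forward-auth-path
---
# Route 1: requests whose client IP is inside the home LAN go straight
# to the application with no auth middleware attached.
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: myapp-lan
spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`app.example.internal`) && ClientIP(`192.168.1.0/24`)
      kind: Rule
      priority: 20
      services:
        - name: myapp
          port: 80
---
# Route 2: the inverse condition; every other client IP must pass
# through Rauthy via ForwardAuth before reaching the application.
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: myapp-external
spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`app.example.internal`) && !ClientIP(`192.168.1.0/24`)
      kind: Rule
      priority: 10
      middlewares:
        - name: rauthy-forward-auth
      services:
        - name: myapp
          port: 80
```

The ClientIP matcher evaluates the address Traefik believes the client has. If Traefik sits behind another proxy or a load balancer, that address is the proxy's unless the entrypoint is configured with forwardedHeaders.trustedIPs listing exactly those proxies; without that, the LAN route is never hit, and with a too-broad trusted list an outside client could present a forged X-Forwarded-For header and be treated as local. The explicit priorities are not strictly needed because the two matchers are disjoint, but they make the intended precedence visible if someone later loosens one of the rules.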