Closed stephdl closed 8 years ago
I would appreciate the ability to delegate the authentication to an external program as well. I use the reader behind an Nginx reverse proxy that could already properly handle such auth via a lot of standardized mechanisms (LDAP, PAM, .htaccess files, client certificates…).
So you mean some kind of pre-authentication handled by this reverse proxy, passing a special header to Reader saying "this guy is logged in"?
Exactly. I think that it would be the simplest way to offer various third party authentication mechanisms, if it is not already implemented.
A way to create new users with this method would however have to be found.
I'm not a fan of creating users automatically. Imagine you have an LDAP with many users, but want only a handful to access Reader. I think the best way would be to create users manually beforehand; that way users will still be able to log in using the old login/password way.
I imagine that users that can access the application could be restricted by their LDAP group at the authenticator/access controller level. But I agree that the authenticator should stick to its authentication-only role.
In any case, this header should only be taken into account if coming from a trusted origin.
If Reader is behind a proxy it's not an issue. The header will be overwritten by the proxy (X-Authenticated-User for example).
Most of the work should be done here: instead of only using the cookie for an authentication token, the authentication header should be read too (if external auth is enabled).
Maybe this should be implemented in another independent filter that would be loaded upstream. I can work on this if pull requests are welcome.
Of course they are :)
I have not found how to use an external authenticator such as LDAP or IMAP instead of the internal user management... I suppose that it is not implemented. On a server with OpenLDAP or an IMAP server it will be a killer feature because you just have one user interface and the user is created automatically. I recall that tt-rss has a similar feature. Anyway, you have done a great job.
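
The design discussed in this thread (proxy-supplied identity header, honoured only from a trusted origin, no automatic user creation, cookie login kept as fallback), sketched as an added example that is not Reader's code or part of the original discussion. The proxy address, the user list, the session table and the `auth_token` cookie name are assumptions made for illustration; only the `X-Authenticated-User` header name comes from the thread.

```python
import ipaddress

# Assumptions for this sketch (not from the thread or from Reader itself).
TRUSTED_PROXIES = [ipaddress.ip_network("127.0.0.1/32")]  # where the proxy runs
AUTH_HEADER = "X-Authenticated-User"  # header name suggested in the thread
KNOWN_USERS = {"alice", "bob"}        # accounts created manually beforehand
SESSIONS = {"tok-123": "bob"}         # constructed cookie token -> user


def from_trusted_proxy(remote_addr):
    """True only if the TCP peer address belongs to a configured proxy."""
    try:
        addr = ipaddress.ip_address(remote_addr)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_PROXIES)


def authenticate(remote_addr, headers, cookies, external_auth=True):
    """Return the authenticated username, or None if the request is anonymous."""
    # HTTP header names are case-insensitive, so normalise before lookup.
    hdrs = {k.lower(): v for k, v in headers.items()}
    claimed = hdrs.get(AUTH_HEADER.lower(), "").strip()

    if external_auth and claimed and from_trusted_proxy(remote_addr):
        # The proxy vouches for this identity. Accept it only if the account
        # already exists: no user is created on the fly.
        return claimed if claimed in KNOWN_USERS else None

    # Header absent, feature disabled, or header sent by an untrusted peer:
    # ignore the header entirely and use the existing cookie login.
    return SESSIONS.get(cookies.get("auth_token"))


if __name__ == "__main__":
    # Constructed requests: (peer address, headers, cookies)
    print(authenticate("127.0.0.1", {"X-Authenticated-User": "alice"}, {}))
    print(authenticate("203.0.113.9", {"X-Authenticated-User": "alice"}, {}))
    print(authenticate("203.0.113.9", {}, {"auth_token": "tok-123"}))
```

Refusing a proxy-authenticated identity that has no account, rather than falling back to the cookie, is a choice made in this sketch.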