sismics / reader

Free and open source feeds reader, including all major Google Reader features
https://www.sismics.com/reader/
GNU General Public License v2.0

Add external authenticators #118

Closed stephdl closed 8 years ago

stephdl commented 8 years ago

I have not found how to use an external authenticator such as LDAP or IMAP instead of the internal user management... I suppose that it is not implemented. On a server with an OpenLDAP or IMAP server it would be a killer feature, because you just have one user interface and the user is created automatically. I recall that tt-rss has a similar feature. Anyway, you have done a great job.

pacien commented 8 years ago

I would appreciate the ability to delegate the authentication to an external program as well. I use the reader behind an Nginx reverse proxy that could already properly handle such auth via a lot of standardized mechanisms (LDAP, PAM, .htaccess files, client certificates…).

jendib commented 8 years ago

So you mean some kind of pre-authentication handled by this reverse proxy, passing a special header to Reader saying "this guy is logged in"?

pacien commented 8 years ago

Exactly. I think that it would be the simplest way to offer various third party authentication mechanisms, if it is not already implemented.

A way to create new users with this method would however have to be found.

jendib commented 8 years ago

I'm not a fan of creating users automatically. Imagine you have a LDAP with many users, but want only a handful to access Reader. I think the best way would be to create users manually beforehand, that way users will still be able to login using the old login/password way.

pacien commented 8 years ago

I imagine that users that can access the application could be restricted by their LDAP group at the authenticator/access controller level. But I agree that the authenticator should stick to its authentication-only role.

In any case, this header should only be taken into account if coming from a trusted origin.

jendib commented 8 years ago

If Reader is behind a proxy it's not an issue. The header will be overwritten by the proxy (X-Authenticated-User for example).

Most of the work should be done here: instead of only using the cookie for an authentication token, the authentication header should be read too (if external auth is enabled).
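The decision logic sketched in the two comments above (honour `X-Authenticated-User` only when external auth is enabled, only from the trusted proxy, only for pre-created users, otherwise fall back to the cookie token), written as an added illustration. This is not Reader's code; the `Request`/`Config` types, the user and session stores and the sample addresses are constructed for the example.

```python
"""Trusted-proxy header authentication, as an illustration of the design
discussed in this thread (not the project's own filter)."""
from dataclasses import dataclass, field
import ipaddress

AUTH_HEADER = "X-Authenticated-User"


@dataclass
class Request:
    remote_addr: str                        # peer address the app server sees
    headers: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)


@dataclass
class Config:
    external_auth_enabled: bool
    trusted_proxies: tuple                  # CIDR strings of the reverse proxy


# Constructed stand-ins for Reader's persistent state.
KNOWN_USERS = {"alice", "bob"}              # created manually beforehand
SESSION_TOKENS = {"tok-123": "bob"}         # cookie token -> username


def from_trusted_proxy(remote_addr, trusted_proxies):
    """True only if the request arrived from one of the configured proxies."""
    addr = ipaddress.ip_address(remote_addr)
    return any(addr in ipaddress.ip_network(net) for net in trusted_proxies)


def authenticate(req, cfg):
    """Return the authenticated username, or None if nobody is logged in."""
    if cfg.external_auth_enabled and from_trusted_proxy(req.remote_addr,
                                                        cfg.trusted_proxies):
        # HTTP header names are case-insensitive, so compare them lowercased.
        user = next((v for k, v in req.headers.items()
                     if k.lower() == AUTH_HEADER.lower()), None)
        # No automatic provisioning: an unknown name is ignored, not created.
        if user and user in KNOWN_USERS:
            return user
    # A header on a direct (non-proxied) connection never reaches this point
    # as a credential; the legacy cookie token remains the only other path.
    return SESSION_TOKENS.get(req.cookies.get("auth_token"))
```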

pacien commented 8 years ago

Maybe this should be implemented in another independent filter that would be loaded upstream. I can work on this if pull requests are welcome.

jendib commented 8 years ago

Of course they are :)