Adding Reverse Proxy Authentication #88

Merged
merged 3 commits into from
Jun 10, 2020

Contributor

@cazier cazier commented Jun 3, 2020

See #81.

This Pull Request will allow you to log in to recipes by looking for a matching request header. If there is no matching header, Django automatically falls back to using the built-in/standard User/Password login functionality of django.contrib.auth.backends.ModelBackend (i.e., what is currently used.)

If the user does not exist in recipes, but does have access granted via the authentication server, Django silently lets the user access the site, but will not create that user in the database:

image

I tried to add some documentation/deployment details as well, but, given this also requires a functioning authentication server, which could have lots of different implementations, it's rather sparse. I'm happy to expand upon that, though, if needed.

Let me know if there are any issues!

@vabene1111
Collaborator

Since I cannot really test this setup, have you tested this (i.e. by accessing several different pages, creating recipes, keywords, comments, etc.)?

Since this is optional for a user to implement, it's OK if things don't work, but I feel like there might be a little too many things that break with this. Since you plan on using this anyway, maybe you can just run your setup for a few days/weeks and then give feedback on how well it works, and maybe we can add that to the documentation as well?

@vabene1111 vabene1111 added discussion input wanted WIP This is currently being worked on labels Jun 3, 2020
@cazier
Contributor Author

cazier commented Jun 3, 2020

I've been using this set up for about two months, doing most of all the things you've mentioned, except for adding comments, but had been pushing my own build to Dockerhub that just replaced the two files that needed changes.

Django is really quite convenient in that it allows you to just slot in the user via the proxy header rather than via a login page. Technically, it doesn't require the supplied user to exist, but since I'm limiting the number of people that have access to this domain, I just add those (via the Django Admin page) ahead of time.

I'm happy to keep testing it out this way for a while, but I would like to vouch for the fact that it has worked over the last few months without any issues!

@vabene1111
Collaborator

No, if you have already been using it for this long we can definitely integrate it.

Just out of curiosity, because I find this fascinating: when you create a recipe with your setup, how is the created_by associated? Because it is a required field of the recipe model to have an associated user? Does Django choose from one of the user models you manually created?

Sorry for all the questions, I find this whole setup very technically interesting and also if I understand it better I might improve some features to work better on "userless" setups (e.g. showing a proper name/label for users without objects).

@cazier
Contributor Author

cazier commented Jun 4, 2020

Not a problem; I totally understand the questions!

This recipe was made with a user logged in via the proxy:
image

The proxy supplied the username brendan which does correspond to an existing user in the recipes database. (I initially started using the built in authentication, but when I got to having a number of services running on my server, I tried to switch as many as possible over to an SSO option.) Looking at the user database, you can see this user exists, and has the table filled out:

image

For the sake of being thorough, though, when logging in as a user that exists in the SSO, but not recipes, Django automatically creates that user in the users database, but does not assign that user a group. (Sorry for all the inline screenshots...)

image

This system user is "logged in" and can see the /search/ page, but as they're not members of any group, they can't actually see or edit any recipes, or any of the keywords, books, units, etc., and the following error pops up:

image

Per the Django documentation, any user logged in via the proxy header inherits all the same permissions details as a regular user, but as they are not automatically assigned a group (even the guest group), they don't end up being able to access anything.

For me, personally, that works. As of now I'm creating a user in my authentication database, and specifically assigning them access to the services I want them to access. Therefore if they are supposed to have access to the recipes, I specifically create a user for them. Plus, it appears to me that, as it inherits the properties of the ModelBackend user, it looks like the existing error messages apply.

@cazier
Contributor Author

cazier commented Jun 4, 2020

I did, however, push another commit because I apparently deleted that from os import getenv line which is necessary to pull the header name from the .env file. Oops!

@vabene1111
Collaborator

OK, thank you very much for all the detailed information on how this feature works. I will merge this with the next release. I will probably change it so that there is an environment variable which adds the auth setting, but other than that I think it's fine.
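
Added example, not code from this pull request or from the recipes project: the header login discussed in this thread is only safe if the application accepts the username header from the authenticating proxy and from nowhere else, and the sketch below enforces that as a WSGI middleware in front of a stand-in app that falls back to the password form. The variable `PROXY_AUTH_HEADER`, its default `HTTP_REMOTE_USER`, the proxy network and the sample addresses are assumptions constructed for illustration.

```python
import ipaddress
from os import getenv

# Assumptions for this example: the env var name, its default and the proxy
# network are constructed; WSGI exposes a "Remote-User" header as HTTP_REMOTE_USER.
AUTH_HEADER = getenv("PROXY_AUTH_HEADER", "HTTP_REMOTE_USER")
TRUSTED_PROXIES = [ipaddress.ip_network("172.18.0.0/16")]


def from_trusted_proxy(environ):
    """True only if the TCP peer is inside a trusted proxy network."""
    try:
        peer = ipaddress.ip_address(environ.get("REMOTE_ADDR", ""))
    except ValueError:
        return False
    return any(peer in net for net in TRUSTED_PROXIES)


class StripUntrustedAuthHeader:
    """WSGI middleware: drop the login header unless the proxy sent it."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        if not from_trusted_proxy(environ):
            environ.pop(AUTH_HEADER, None)
        return self.app(environ, start_response)


def app(environ, start_response):
    """Stand-in for the site: header login if present, else the password form."""
    user = environ.get(AUTH_HEADER)
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [(f"proxy:{user}" if user else "password-form").encode()]


def simulate(remote_addr, header_value=None):
    """Run one constructed request through the middleware and the stand-in app."""
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": "/", "REMOTE_ADDR": remote_addr}
    if header_value is not None:
        environ[AUTH_HEADER] = header_value
    chunks = StripUntrustedAuthHeader(app)(environ, lambda status, headers: None)
    return b"".join(chunks).decode()


if __name__ == "__main__":
    print(simulate("172.18.0.2", "brendan"))   # request relayed by the proxy
    print(simulate("203.0.113.7", "brendan"))  # direct request carrying the header
```

The same guarantee can be given at the network layer instead, by having the proxy overwrite the header on every request and making the application port reachable only from the proxy.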
