PoC: Enable SSO by listning for http header: REMOTE_USER #632
Conversation
This allow all middlewares to query the database. For alternative authorizations that need to create and read the database.
|
This code have been working fine for us, this should fix #631 |
| log.Infof("User %s not in database, creating user", remoteUser) | ||
| newUser := model.User{ | ||
| Username: remoteUser, | ||
| Admin: false, |
There was a problem hiding this comment.
It would be nice to add a flag where you can specify the admin username.
There was a problem hiding this comment.
In a SSO context this would preferably be done on the IdP and provisioning entitlements so the app dont have to do it. That also works well when a user is no longer a admin.
The provided code is more a proof of concept that works in our setup, but I did have to do an bootstrap by starting the applikation and edit me to admin and then switching on SSO.
For a real use I think it would be better to listen to some value from the IdP than a set list of users that should be admins.
There was a problem hiding this comment.
Unfortunately, there is no protocol for transferring rights or anything else. Even remote-user is not something official, but just one of two popular options. Second is X-Forwarded-User.
I have my own authorizing proxy and I have tried many services. Usually, you just specify the admin for applications. This is a common approach.
This is a proof of concept that we currently are testing, but that I want to start a discussion about.
The code is not production ready, it is a starting point for a concrete discussion.
I have opened issue #631 with more information.
Regards
Björn