Option to disable authentication #433
Comments
Hey, just disabling auth isn't enough because gotify needs to know which user should be used. Sure, it should be possible to add a setting like preauthenticed_user to the config, which auto logs on an existing user, but this feels a little hacky. Generally I'm open to natively support another auth system, but as you say it's hard to choose (:.
Ok, I've spent slightly more than 2 minutes playing around with Gotify now. 😅 When I wrote the above I didn't realize there were multiple users, that does complicate things.

Proxies that do authentication will usually set a Header like The security of this depends heavily on (1) the proxy overwriting any incoming values on the request for the Header being used to store the user, to prevent spoofing, and (2) that the communication between proxy and app server is secure, either via HTTPS or a private network. In a Docker environment with a good modern reverse proxy like Caddy, Traefik, HAProxy, etc, this is the case.

This can be a really easy way to support the bring-your-own-auth model @jmattheis, if that's what you're looking for, to keep Gotify simple. People will no doubt still ask for native OIDC, LDAP, SAML support though, so it really comes down to philosophically whether you think that complexity should be added natively, or not.

I don't expect a solution here anytime soon, so I'll consider this issue resolved and stick with the native auth for now, live without SSO. Feel free to close this if you see fit.
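The app-server side of the condition described in the comment above, as an added Go example (not Gotify's code and not written by any participant in this thread): a user header is honoured only when the TCP peer is the reverse proxy. The header name `X-Example-Auth-User`, the proxy network `10.0.0.0/24` and the `Probe` helper are assumptions made for this sketch.

```go
package main

import (
	"context"
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
)

// Hypothetical header name and proxy network, chosen for this example only.
const userHeader = "X-Example-Auth-User"

var trustedProxies = &net.IPNet{IP: net.IPv4(10, 0, 0, 0), Mask: net.CIDRMask(24, 32)}

type userKey struct{}

// TrustedHeaderAuth honours userHeader only when the TCP peer is the proxy.
func TrustedHeaderAuth(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		host, _, err := net.SplitHostPort(r.RemoteAddr)
		ip := net.ParseIP(host)
		vals := r.Header.Values(userHeader)
		// Reject peers outside the proxy network, and missing or duplicated headers.
		if err != nil || ip == nil || !trustedProxies.Contains(ip) || len(vals) != 1 || vals[0] == "" {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r.WithContext(context.WithValue(r.Context(), userKey{}, vals[0])))
	})
}

// Probe sends one constructed request and returns the status and the user the app handler saw.
func Probe(remoteAddr string, headerValues ...string) (int, string) {
	seen := ""
	h := TrustedHeaderAuth(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		seen, _ = r.Context().Value(userKey{}).(string)
	}))
	req := httptest.NewRequest("GET", "/message", nil)
	req.RemoteAddr = remoteAddr
	for _, v := range headerValues {
		req.Header.Add(userHeader, v)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code, seen
}

func main() {
	fmt.Println(Probe("203.0.113.9:41000", "admin")) // direct client: header not trusted
}
```

This covers only the application's check; the proxy still has to overwrite any client-supplied copy of the header, as point (1) of the comment says.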
Any plans to implement this? Would be very useful
Describe your problem
Related to #203, #20.
I've noticed that authentication seems to be a hot topic for self-hostable services, like this one. There are many different standards people want supported (OIDC, SAML, AD, LDAP), all of which can be difficult to implement correctly and support. Libraries similar to passport.js can help, but generally have a learning curve to integrating them.
Looking through the Issues, another mode I have not seen suggested yet is to simply allow disabling of Authentication entirely. This has the benefits of:
Given the reluctance on #20 and the ongoing discussion about an Auth plugin system, this seemed worth mentioning. I've seen projects avoid Auth plugins and ONLY offer built-in Auth or none; I've also seen projects that offer support for every method under the sun. Just depends on what the devs feel comfortable supporting.
I think most folks would like to see support for an SSO strategy, whatever that is. I personally use OIDC, but mostly via Auth proxies since not a lot of projects have native OIDC support, which I think is fair.