Support for IdP Authentication [Do not merge yet - Feedback requested] #1465
Conversation
Heya, thanks for this contribution. There are a lot of moving parts here, so a review will be a bit slow, but overall this looks pretty cool. I hope we can give this a spin soon. In the meantime, I have approved the PR tests to run on this.
Awesome, thx. The big question is user experience. Ideally (?) it would be a server side configuration, if there is a way without altering CouchDB. Or maybe it is ok like that?
I might be missing something, but what changes in CouchDB would be needed?
What would be nice is the ability to store the IdP information server side. For this, some URL where an unauthenticated http fetch request could read a json file with the IdP information. It would need to work even when you prevent unauthenticated access otherwise (require_valid_user=1).
Does the file have to have any particular format, or is this just to hardcode the URL, so we don’t have to have that field in Fauxton?
Any format will do. My thought was a fixed URL (e.g. /_idp) that delivers some content. We need:
So 1-2 lines of plain text would do. Whatever is available. In case there is no option in the current config, I can modify the code to first check a URL (in a future version of CouchDB) e.g. Another thought: as a stopgap measure: use What options do you see?
I'm warming up to the idea of using http[s]://couchDBserver[:port]/[_idp|idp/fauxton]. This would work (with the limitation of require_valid_user=0) on any existing server and with a future However it would require _idp to send JSON. Does that make sense / would that be a way forward?
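The discovery flow sketched in this thread (an unauthenticated fetch of a fixed URL such as /_idp that returns JSON, with manual entry as the fallback when the server refuses anonymous access), written out as an added example. This is not code from the Fauxton PR or from CouchDB; the JSON field names (issuer, client_id, scope) and the validation rules are assumptions, since the thread does not specify the document format. The fetch function is injected so the logic runs without a network.

```javascript
// Added example, not code from the Fauxton PR: how a login screen could
// discover IdP settings from the fixed, unauthenticated URL proposed in the
// thread (/_idp) and fall back to manual entry when that is not possible.
// The JSON field names (issuer, client_id, scope) are assumptions; the thread
// does not specify the document format.

const IDP_DISCOVERY_PATH = '/_idp';

// Validate the discovery document before any of it reaches the OIDC flow.
// A server that can hand the client an arbitrary issuer could send the user's
// login elsewhere, so the issuer must be an absolute https URL with no query
// or fragment.
function parseIdpConfig(text) {
  let data;
  try {
    data = JSON.parse(text);
  } catch (err) {
    return { ok: false, reason: 'response is not JSON' };
  }
  if (data === null || typeof data !== 'object' || Array.isArray(data)) {
    return { ok: false, reason: 'response is not a JSON object' };
  }
  const { issuer, client_id: clientId, scope } = data;
  if (typeof issuer !== 'string' || typeof clientId !== 'string' || clientId === '') {
    return { ok: false, reason: 'issuer and client_id are required strings' };
  }
  let issuerUrl;
  try {
    issuerUrl = new URL(issuer);
  } catch (err) {
    return { ok: false, reason: 'issuer is not an absolute URL' };
  }
  if (issuerUrl.protocol !== 'https:' || issuerUrl.search !== '' || issuerUrl.hash !== '') {
    return { ok: false, reason: 'issuer must be a plain https URL' };
  }
  return {
    ok: true,
    config: {
      issuer: issuerUrl.href.replace(/\/+$/, ''),
      clientId,
      // Default to the minimum OIDC scope when the server does not say.
      scope: typeof scope === 'string' && scope.trim() !== '' ? scope.trim() : 'openid',
    },
  };
}

// Fetch the discovery document. fetchFn is injected so the logic can be
// exercised without a network (the browser would pass window.fetch).
// credentials: 'omit' makes the request deliberately unauthenticated, which is
// what the thread asks for; with require_valid_user=1 the server answers 401
// and the caller should show the manual IdP form instead.
async function loadIdpConfig(serverBase, fetchFn) {
  const url = new URL(IDP_DISCOVERY_PATH, serverBase).href;
  let response;
  try {
    response = await fetchFn(url, { credentials: 'omit', headers: { Accept: 'application/json' } });
  } catch (err) {
    return { ok: false, manual: true, reason: 'network error: ' + err.message };
  }
  if (response.status === 401 || response.status === 403) {
    return { ok: false, manual: true, reason: IDP_DISCOVERY_PATH + ' requires authentication' };
  }
  if (!response.ok) {
    return { ok: false, manual: true, reason: 'HTTP ' + response.status };
  }
  const parsed = parseIdpConfig(await response.text());
  return parsed.ok ? parsed : { ...parsed, manual: true };
}

// Constructed sample responses standing in for a CouchDB server.
const SAMPLE_IDP_JSON = JSON.stringify({
  issuer: 'https://idp.example.com/realms/couch/',
  client_id: 'fauxton',
  scope: 'openid profile',
});

function fakeFetch(status, body) {
  return async () => ({ ok: status >= 200 && status < 300, status, text: async () => body });
}

// Example run: a server that serves the document, and one with require_valid_user=1.
loadIdpConfig('https://couch.example:5984', fakeFetch(200, SAMPLE_IDP_JSON))
  .then((r) => console.log('open server:', JSON.stringify(r)));
loadIdpConfig('https://couch.example:5984', fakeFetch(401, ''))
  .then((r) => console.log('require_valid_user=1:', JSON.stringify(r)));
```

The `manual: true` flag is what the login screen would key on to reveal the IdP parameter fields; a 401 from /_idp is the expected outcome on a server with require_valid_user=1, not an error to surface to the user.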
Overview
**Preliminary pull request - not ready for merge yet. To collect feedback.**
This PR adds support for OIDC / JWT authentication by adding a button to the login screen and a screen to login using IdP parameters.
The (WIP) IdP authentication screen looks like this:
Ideally I would read the parameters from the server, so the experience would be similar to Cloudant, some advice needed.
Changes
Testing recommendations
Open questions / feedback
GitHub issue number
Fixes #1457
Checklist