I thought it might be best to continue #55 with a clean slate. We can focus on rauthy here and if it goes well, it can become a general solution for all OIDC providers which support forward authentication. If not, we can close them both and call it a day 😆
I've been chatting with @cblgh about this and I've come up with a test harness. It's sadly been a bit complicated but I believe I have a reproducible environment for testing it easily. Check it out: https://git.coopcloud.tech/decentral1se/cerca-rauthy-pmc-thunderdome
If I patch ./cerca/server/server.go with the following
➜ cerca main ✗ g s
## main...origin/main
M server/server.go
➜ cerca main ✗ g d
diff --git server/server.go server/server.go
index fda9114..a02e038 100644
--- server/server.go
+++ server/server.go
@@ -392,6 +392,15 @@ func (h RequestHandler) ErrorRoute(res http.ResponseWriter, req *http.Request, s
}
func (h RequestHandler) IndexRoute(res http.ResponseWriter, req *http.Request) {
+ fmt.Println("--- CERCA x RAUTHY HEADERS DUMP ---")
+ fmt.Println("USER: ", req.Header.Get("X-Forwarded-User"))
+ fmt.Println("USER ROLES: ", req.Header.Get("X-Forwarded-User-Roles"))
+ fmt.Println("USER GROUPS: ", req.Header.Get("X-Forwarded-User-Groups"))
+ fmt.Println("USER EMAIL: ", req.Header.Get("X-Forwarded-User-Email"))
+ fmt.Println("USER FAMILY NAME: ", req.Header.Get("X-Forwarded-User-Family-Name"))
+ fmt.Println("USER GIVEN NAME: ", req.Header.Get("X-Forwarded-User-Given-Name"))
+ fmt.Println("--- END DUMP ---")
+
ed := eout.Describe("IndexRoute")
var err error
// handle 404
I end up with something as follows:
cerca-1 | --- CERCA x RAUTHY HEADERS DUMP ---
cerca-1 | USER: mRKDCDyHIEPMnyrwfRP0rhLX
cerca-1 | USER ROLES: rauthy_admin,admin
cerca-1 | USER GROUPS: admin
cerca-1 | USER EMAIL: admin@localhost
cerca-1 | USER FAMILY NAME: Admin
cerca-1 | USER GIVEN NAME: Rauthy
cerca-1 | --- END DUMP ---
It would seem that getting the preferred_username out of rauthy is somewhat problematic but I have raised an issue: sebadob/rauthy#1534. We could simply choose to re-use the Given name as the username. The current user ID rauthy gives is just an opaque string 🤷♀️ Let's assume we have a username for now 😛
@cblgh do you wanna take a look at the setup / consider the incoming headers and we can start to look at the questions you raised the last time we chatted? We should hopefully be in a better position to answer them now that we have some running code 🧗♀️
I thought it might be best to continue #55 with a clean slate. We can focus on rauthy here and if it goes well, it can become a general solution for all OIDC providers which support forward authentication. If not, we can close them both and call it a day 😆
I've been chatting with @cblgh about this and I've come up with a test harness. It's sadly been a bit complicated but I believe I have a reproducible environment for testing it easily. Check it out: https://git.coopcloud.tech/decentral1se/cerca-rauthy-pmc-thunderdome
If I patch
./cerca/server/server.gowith the followingI end up with something as follows:
It would seem that getting the
preferred_usernameout ofrauthyis somewhat problematic but I have raised an issue: sebadob/rauthy#1534. We could simply choose to re-use theGiven nameas the username. The current user ID rauthy gives is just an opaque string 🤷♀️ Let's assume we have a username for now 😛@cblgh do you wanna take a look at the setup / consider the incoming headers and we can start to look at the questions you raised the last time we chatted? We should hopefully be in a better position to answer them now that we have some running code 🧗♀️