An HTTP proxy that uses the DiscourseConnect protocol to authenticate users
Matt Palmer febc3e4fe3 Support HTTP basic auth, allow username header name to be overridden
The big change here is to support an extremely limited form of HTTP basic
auth, for those situations when you've got some subset of requests coming in
which still need to be authenticated, but which aren't able to authenticate
via Discourse SSO.  The intended use case is for webhooks and other
programmatic access methods.  It is not intended to be a fully-featured HTTP
auth method (it only supports a single hard-coded user/password pair), but
instead an extremely simplistic "escape hatch".

If you need more complicated HTTP authentication, you probably want to
install nginx and do some crazy proxy chain games.  Best of luck to you with
that.

To avoid getting in the way of the SSO flow, the HTTP authentication is done
"blind"; that is, a `WWW-Authenticate` is never sent in a response.  This
may get up the nose of some user agents, however I can't see an easy way
around this.

Allowing the username header to be changed to something other than
Discourse-User-Name is a smaller change, needed to support third-party
software which looks for the authenticated username in a different header,
and which can't be overridden without a hammer and chisel.
2017-09-28 11:09:18 +10:00
docker correct demo 2015-04-15 15:10:58 +10:00
.gitignore Initial commit 2015-04-15 13:18:18 +10:00
README.md Invert admin restriction UX 2017-06-07 19:49:18 +02:00
main.go Support HTTP basic auth, allow username header name to be overridden 2017-09-28 11:09:18 +10:00
main_unit_test.go Initial commit 2015-04-15 13:18:18 +10:00
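
The "blind" basic-auth escape hatch described in the commit message above, sketched as Go middleware. This is an added example, not the project's main.go. The EscapeHatch type, the probe helper, the "/sso" redirect stand-in and the sample credentials are assumptions, and clearing any client-supplied copy of the username header is a hardening choice made here, not confirmed behaviour of the project.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// EscapeHatch: the one user/password pair plus the identity header name (hypothetical type).
type EscapeHatch struct{ User, Pass, UserHeader string }

// eq compares SHA-256 digests so timing leaks neither content nor length.
func eq(a, b string) int {
	x, y := sha256.Sum256([]byte(a)), sha256.Sum256([]byte(b))
	return subtle.ConstantTimeCompare(x[:], y[:])
}

// Wrap sends requests carrying the configured pair to origin and everything
// else to the SSO flow. An unset pair never matches.
func (e EscapeHatch) Wrap(origin, sso http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		r.Header.Del(e.UserHeader) // drop any client-supplied identity header
		user, pass, ok := r.BasicAuth()
		if ok && e.User != "" && e.Pass != "" && eq(user, e.User)&eq(pass, e.Pass) == 1 {
			r.Header.Set(e.UserHeader, e.User)
			origin.ServeHTTP(w, r)
			return
		}
		sso.ServeHTTP(w, r) // "blind": no 401 and no WWW-Authenticate challenge
	})
}

// probe pushes one constructed request through Wrap; returns status, header origin saw, challenge.
func probe(user, pass, spoofed string) (int, string, string) {
	e := EscapeHatch{"hook", "constructed-secret", "Discourse-User-Name"}
	seen := ""
	origin := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { seen = r.Header.Get(e.UserHeader) })
	sso := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { http.Redirect(w, r, "/sso", http.StatusFound) })
	req := httptest.NewRequest("GET", "/", nil)
	req.SetBasicAuth(user, pass)
	req.Header.Set(e.UserHeader, spoofed)
	rec := httptest.NewRecorder()
	e.Wrap(origin, sso).ServeHTTP(rec, req)
	return rec.Code, seen, rec.Header().Get("WWW-Authenticate")
}

func main() { fmt.Println(probe("hook", "wrong", "admin")) }
```

A wrong password is indistinguishable from no credentials at all: the request is handed to the SSO handler, and the origin never sees the spoofed username header.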

README.md

Discourse Auth Proxy

This package allows you to use Discourse as an SSO endpoint for an arbitrary site.

Discourse SSO is invoked prior to serving the proxied site. This allows you to reuse Discourse Auth in a site that ships with no auth.

Usage:

Usage of ./discourse-auth-proxy:
  -listen-url="": uri to listen on eg: localhost:2001. leave blank to set equal to proxy-url
  -origin-url="": origin to proxy eg: http://localhost:2002
  -proxy-url="": outer url of this host eg: http://secrets.example.com
  -sso-secret="": SSO secret for origin
  -sso-url="": SSO endpoint eg: http://discourse.forum.com
  -allow-all: don't restrict access to "admin" users on the SSO endpoint

  +--------+    proxy-url   +---------+    listen-url    +----------------------+
  |  User  |  ============> |  Nginx  |  ==============> | discourse-auth-proxy |
  +--------+                +---------+                  +----------------------+
      |                                                             |
      | sso-url                                          origin-url |
      |                                                             |
      v                                                             v
  +-----------+                                          +----------------------+
  | Discourse |                                          | Protected web server |
  +-----------+                                          +----------------------+

Note: you can also pass configuration through environment variables, e.g.:

ORIGIN_URL=http://somesite.com PROXY_URL=http://listen.com SSO_SECRET="somesecret" SSO_URL="http://somediscourse.com" ./discourse-auth-proxy

Docker Image

You can run the proxy with Docker:

docker run samsaffron/discourse-auth-proxy

Running the image displays configuration instructions.