The big change here is to support an extremely limited form of HTTP basic auth, for those situations when you've got some subset of requests coming in which still need to be authenticated, but which aren't able to authenticate via Discourse SSO. The intended use case is for webhooks and other programmatic access methods. It is not intended to be a fully-featured HTTP auth method (it only supports a single hard-coded user/password pair), but instead an extremely simplistic "escape hatch". If you need more complicated HTTP authentication, you probably want to install nginx and do some crazy proxy chain games. Best of luck to you with that.

To avoid getting in the way of the SSO flow, the HTTP authentication is done "blind"; that is, a `WWW-Authenticate` is never sent in a response. This may get up the nose of some user agents, however I can't see an easy way around this.

Allowing the username header to be changed to something other than Discourse-User-Name is a smaller change, needed to support third-party software which looks for the authenticated username in a different header, and which can't be overridden without a hammer and chisel.
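The "blind" basic-auth fallback described in the commit message, sketched as an added example (not code from this repository). The names `blindBasicAuth` and `probe`, the credentials and the `.example` URLs are hypothetical and constructed for illustration; stripping the client-supplied identity header is an assumption of this sketch, not a statement about what the project does.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// blindBasicAuth (hypothetical helper) lets one fixed user/password pair reach
// origin; every other request goes to the sso handler, as if it had no credentials.
func blindBasicAuth(user, pass, userHeader string, origin, sso http.Handler) http.Handler {
	wantUser, wantPass := sha256.Sum256([]byte(user)), sha256.Sum256([]byte(pass))
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		r.Header.Del(userHeader) // never trust an identity header sent by the client
		if u, p, ok := r.BasicAuth(); ok && user != "" {
			gotUser, gotPass := sha256.Sum256([]byte(u)), sha256.Sum256([]byte(p))
			okUser := subtle.ConstantTimeCompare(gotUser[:], wantUser[:]) // fixed-length digests
			okPass := subtle.ConstantTimeCompare(gotPass[:], wantPass[:])
			if okUser&okPass == 1 {
				r.Header.Set(userHeader, u)
				origin.ServeHTTP(w, r)
				return
			}
		}
		// "Blind": no 401 and no WWW-Authenticate challenge on failure.
		sso.ServeHTTP(w, r)
	})
}

// probe sends one constructed request, with a spoofed identity header, through h.
func probe(h http.Handler, user, pass string) *httptest.ResponseRecorder {
	req := httptest.NewRequest("GET", "http://proxy.example/hook", nil)
	req.Header.Set("Discourse-User-Name", "spoofed")
	if user != "" {
		req.SetBasicAuth(user, pass)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec
}

func main() {
	origin := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { fmt.Fprint(w, r.Header.Get("Discourse-User-Name")) })
	sso := http.RedirectHandler("http://discourse.example/sso-placeholder", http.StatusFound)
	h := blindBasicAuth("webhook", "constructed-password", "Discourse-User-Name", origin, sso)
	fmt.Println(probe(h, "webhook", "constructed-password").Body.String(), probe(h, "webhook", "wrong").Code)
}
```

Because a failed attempt is indistinguishable from an unauthenticated browser request, a webhook client with a wrong password receives the SSO redirect rather than a 401, which is worth knowing when debugging integrations.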
README.md
Discourse Auth Proxy
This package allows you to use Discourse as an SSO endpoint for an arbitrary site.
Discourse SSO is invoked prior to serving the proxied site. This allows you to reuse Discourse Auth in a site that ships with no auth.
Usage:
Usage of ./discourse-auth-proxy:
-listen-url="": uri to listen on eg: localhost:2001. leave blank to set equal to proxy-url
-origin-url="": origin to proxy eg: http://localhost:2002
-proxy-url="": outer url of this host eg: http://secrets.example.com
-sso-secret="": SSO secret for origin
-sso-url="": SSO endpoint eg: http://discourse.forum.com
-allow-all: don't restrict access to "admin" users on the SSO endpoint
+--------+    proxy-url    +---------+    listen-url    +----------------------+
|  User  |  ============>  |  Nginx  |  ==============> | discourse-auth-proxy |
+--------+                 +---------+                  +----------------------+
    |                                                               |
    | sso-url                                            origin-url |
    |                                                               |
    v                                                               v
+-----------+                                           +----------------------+
| Discourse |                                           | Protected web server |
+-----------+                                           +----------------------+
Note: you may also pass configuration through environment variables, e.g.:
ORIGIN_URL=http://somesite.com PROXY_URL=http://listen.com SSO_SECRET="somesecret" SSO_URL="http://somediscourse.com" ./discourse-auth-proxy
Docker Image
You can run it with Docker:
docker run samsaffron/discourse-auth-proxy
Running it will display configuration instructions.