-
-
Notifications
You must be signed in to change notification settings - Fork 1.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Authentication using http header #4026
Comments
Nice idea, seems like an easy middle ground between building out a very complex flow in the application and not having anything. Do you have any good examples I could look at in terms of setting up something very basic to test against if this was built out? Like a specific service you like to use or some local setup that is sufficient for testing without too much additional overhead? |
I simply used a browser plugin which allows changing the header values for testing (e.g. this one). Should be pretty straight forward :) |
Gotcha, I'll look into a few of them and make sure there is a decently common approach to them. I bet there are some packages that exist already to handle this I could use. |
Just for reference: oauth2-proxy is a tool which "translates" proxy authentication into oatuh2 and could be used in conjunction with this feature. |
I personally really like the idea of using the Remote-User header for authentication, as it makes it much easier to integrate with pre-made, or home-brewed authentication schemes. It also in theory, shouldn't be a massive implementation task. This method is commonly called Forward Auth, where your reverse proxy uses another API to verify authentication, and then rewrites headers so the backend can know the user. Both Authelia (https://www.authelia.com/docs/home/architecture.html) and Authentik (https://goauthentik.io/docs/providers/proxy/forward_auth), top open-source SSO providers, implement Forward Auth support. Some large applications that support it which come to mind are Netbox and Home-Assistant. |
If I implemented this would this fall under a reject due to the contributing policy? "Pterodactyl does not accept Pull Requests (PRs) for new functionality from users that are not currently part of the core project team." Don't want it to meet the same fate as OAuth |
This comment was marked as spam.
This comment was marked as spam.
@hamptonmoore yes, most likely. I'm not prepared to think about this too might right now or look at a PR for it. |
Hi ! Is there any progress about that ? |
I would personally second the idea of being able to use HTTP Headers, it would be a perfect middle between ldap, oauth, saml and so on. It would be easier for server hosts but also for some servers (rare ones) which have setup some SSO for their Git, Forum, Website, Issue tracker. That's the case of the server I'm sysadmin-ing and Pterodactyl is the only thing without linked accoung :/ LDAP, SAML, OpenID are more difficult to setup than HTTP Headers, both on Pterodactyl code and on SSO side. I think its the perfect way to go to allow some SSO features, which seems highly requested since some times. |
I also concur, this is the only thing that is missing for me. |
Me too. This is actually something I miss a lot. |
This comment was marked as spam.
This comment was marked as spam.
Is there any update on this? Maybe an ETA or some plans for the roadmap? |
|
Just wanted to show interest in this also. This would slot in very nicely for those using Authentik. |
This comment was marked as spam.
This comment was marked as spam.
This comment was marked as spam.
This comment was marked as spam.
+1 |
Personally, i'm selfhosting many public facing services which my family or friends use. Pterodactyl is one of many, and a http header auth implementation would help me unify all logins at a central location like Authentik. Sadly, i still can't see this on the roadmap. Can anybody give an update on this issue? |
This has been a proposal for 4 years now I know it has been worked on an sso login for Google and other sso`s. I think that was published as a "addon" but no longer maintained. |
This comment was marked as spam.
This comment was marked as spam.
This is me. I provide loads of services to friends and family using Authentik as the auth and ID server. Basically anything that doesn't support some form of SSO I've delayed providing because it's just a headache. I feel like these last 12 months most services have really pushed to get some form of SSO implemented, seems like the big thing now haha. This would be amazing to see and would complete and round out what is an awesome service. It's features like this that skyrocket app adoption. |
I’ve moved to hosting wemx along with pterodactyl. They plan to provide SSO, the code is there I just needs some final tweaking. It also makes it easy for me because I can set a low price for my friends and just give them credit. This way they are actually using the servers they created.
Best Regards,
Zach Stinnett
…________________________________
From: Avsynthe ***@***.***>
Sent: Wednesday, December 20, 2023 1:54:47 PM
To: pterodactyl/panel ***@***.***>
Cc: zach78954 ***@***.***>; Comment ***@***.***>
Subject: Re: [pterodactyl/panel] Authentication using http header (Issue #4026)
Personally, i'm selfhosting many public facing services which my family or friends use. Pterodactyl is one of many, and a http header auth implementation would help me unify all logins at a central location like Authentik. Sadly, i still can't see this on the roadmap. Can anybody give an update on this issue?
This is me. I provide loads of services to friends and family using Authentik as the auth and ID server. Basically anything that doesn't support some form of SSO I've delayed providing because it's just a headache. I feel like these last 12 months most services have really pushed to get some form of SSO implemented, seems like the big thing now haha.
This would be amazing to see and would complete and round out what is an awesome service. It's features like this that skyrocket app adoption.
—
Reply to this email directly, view it on GitHub<#4026 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/AB3FN76XJOONPBLNCWOGDZ3YKNGBPAVCNFSM5R2X3ZZ2U5DIOJSWCZC7NNSXTN2JONZXKZKDN5WW2ZLOOQ5TCOBWGUYTENJTGUYA>.
You are receiving this because you commented.Message ID: ***@***.***>
|
Also keen to throw my support behind this feature. Happy to help test it as it's developed if required. Use case is I run Kanidm and Cloudflare Tunnel, user experience isn't great when you OAuth to Cloudflare then have to auth separately to the panel. |
So whats the latest update on this? I would love to have this integration, but I don't have any experience with PHP to implement this myself. |
Hello. Any updates on this feature request? |
🚀 Bounty Alert!💰 A bounty of $50.00 has been created by Trevor159 on BountyHub for this issue. 🔗 Claim this bounty by submitting a pull request that solves this issue! You can also increase the amount of the bounty if you think the issue is worth more. Good luck, and happy coding! 💻 |
I've submitted a pull request (#5271) that implements header-based authentication. The implementation includes:
This should provide a simple way to integrate with SSO providers like Authelia or Authentik without requiring complex LDAP, SAML, or OIDC implementations. |
Thanks for this great contribution! |
Awesome PR! With small annoy changes, I was able to use some of your code to implement mTLS-based authentication to the web panel. |
Is there an existing feature request for this?
Describe the feature you would like to see.
It would be nice to allow authentication via an HTTP-header containing the username. This would allow using proxy authentication via sso providers like Authelia or Authentik and by this, it would also be possible to authenticate using ldap or oidc.
Describe the solution you'd like.
Additional context to this request.
Http header authentication basically works like this:
I am aware that other requests for ldap (#594), saml (#2635) and oidc (#3990) have been dismissed for being too time-consuming to implement.
Using an HTTP-header, however, would be much simpler to do.
Many other services do this as well, for example Paperless
and Firefly III
I think, this would be a good solution for all the users who wanted to have ldap, saml or oidc. And it should not be too complicated to implement 🙂 What do you think?
The text was updated successfully, but these errors were encountered: