Authentication for private pages #2769
Comments
arrowak
added
feature
|
Docusaurus is a static site generator, it is not a server, so we cannot control access to pages. What you want, I think, can be done through a reverse proxy, for example, https://github.com/bitly/oauth2_proxy |
This comment has been minimized.
This comment has been minimized.
|
It appears that https://github.com/bitly/oauth2_proxy repo is not maintained anymore. It has also been marked read-only by its owner. I am not sure if I want to use it for production purposes. |
|
See other projects, there are links in that repo. Moreover if that project is no longer maintained, this does not mean that this is not a working solution. In any case, that was only the first example I know, you can find other options. I mean, this issue still doesn't apply to Docusuarus directly.
|
Whoops! Boy, did I miss that notice. Thanks again. I understand the static only nature of Docusaurus. May be we should let it be what it is. Closing the ticket on that note. |
|
You can make authentication work in a stateless manner like the APIs do. You can either use a 3rd party authenticator or use your own API authentication and do a stateless authentication. Docusaurus can be static but in the end every site is generating a static content. If your static site shows some data from API or backend you can authenticate yourself. But yes, not concern of Docusaurus. |
I was thinking along the same lines and even have User Management System API built with Flask. It handles all the work of authentication. But now I wonder,
|
|
Yes you can do anything authorized and authenticated using this way. If you are able to provide a hash to the user like JWT or any other authentication service token, since you can store in the cookie as you mentioned, you can store some basic user attributes like roles etc in the cookies and according to the user role you can show or hide content in docusaurus. And let's say user wanted to change in their cookie and revealed some menu items like another user role's menu item or page style. When they submit the altered cookie or user auth token to your API you still won't authorize to show the data they try to hack. Once you can authorize every request at the backend side you will never reveal sensitive data. Let's revisit how you can customize the content according to the user role. Let's assume you get the user role from the cookie as it is taken from the token or your auth api and you know the current user is Role-A user. Show role-a pages, menu items to the user that is all. You can show different docusaurus top menu items using this method. If you don't want a user view a specific page even if they alter the cookie, just authorize the page at the begining using your Auth API and get the authorized or unauthorized response and show a message or redirect. That is all. |
|
If you are asking how to send API requests from docusaurus, I suggest you to use |
Thank you for such a succinct high level overview. So now here lies the crunch point: specifics.
Thank you for any light you shed. |
|
Not 100% sure I agree with everything here. Docusaurus builds a static site. IE the content is exactly the same for all users. If you want different content displayed for different user roles, you have to:
Remember all these are concerns that are outside the scope of Docusaurus. In the end, we just build a static React site. |
slorber
removed
the
status: needs triage
|
@LexxLuey well, in any page you can make the http (API) requests. If a page is supposed to be authorized by the API you should call your api from that page (Reactjs pages not markdown pages I am saying). |
I understand this is a static site generator. no doubt. i am only asking if it is possible. If it is not, then that's okay. I felt it was possible to limit what pages are displayed. |
|
I am trying to add Keycloak identity provider to my docusaurus website through plugin configuration. can anyone suggest which package to use to create plugin? |
|
As a side note: what does not work is to add http basic authentication to subdirectories of what Docusaurus builds. For instance, if you add HTTP authentication to So it appears that protecting part of a site (as in one or more subdirectories) is fundamentally not possible with how Docusaurus is currently designed, is that correct? |
|
@godmar the problem is that you don't only want to protect the html static pages, but also protect the JS code that permits to generate those pages dynamically on the client. That JS is code-split into the If you want to have a Regarding dynamic client-side routes, one example to take inspiration from is our feature request page. The data you see on this page is not static, it is only loaded later, after the initial React hydration: https://docusaurus.io/feature-requests/p/comments-in-documents-or-blogs Plugin code: https://github.com/facebook/docusaurus/tree/main/website/src/plugins/featureRequests |
|
do you have document about how to use the [featureRequests] plugin? (https://github.com/facebook/docusaurus/tree/main/website/src/plugins/featureRequests) |
|
The feature request plugin is not an officially distributed plugin. I mentioned it above only as an open-source example so that you can take a look at its code. |
|
Since I recently succeeded in protecting (the whole) docusaurus deployment for private documentation sites with user login, I thought I would share my example. It is using docusaurus, PocketBase for user management and auth and vercel for (more or less static) deployment. I might also add a blog post about it soonish. One could then have |
🚀 Feature
Add the authentication layer to support hosting the private pages in the same documentation site.
A simple example:
Let's say we have an "API integration guide" which is generic and open to anyone who wants to integrate it.
Let's say we have some premium partners for whom we have some custom APIs documented with some confidential parameters and values (on and above public ones), which are not to be exposed to the world.
We would want to enable auth for these premium partners for such pages.
I guess this would make a very reasonable addition to the product
Have you read the Contributing Guidelines on issues?
YES
Motivation
We have stumbled upon a request from one of our premium partners that, in addition to the public API documentation we are having, they want us to enable authentication based documentation which encapsulates custom APIs and Parameters implemented exclusively for them. Also, this is seemingly becoming a common ask among such premium partners.
Also, I don't think this is an uncommon request. Many people/organisations might just fly-by and not report this feature request and move on to something else to fulfil their requirements.
Pitch
This feature will enable a secure access to some private documents while still using all the goodness of the Docusaurus system. Basically, the private documentation should not become a reason for people to look for alternatives and eventually end up using a much complicated, paid service/product.
Supporting feedback from one of the users - https://v2.docusaurus.io/feedback/p/could-we-add-an-authentication
The text was updated successfully, but these errors were encountered: