[Feature Request] SSO with Auth Proxy #141
Comments
|
Hi there! The feature has been added in v0.20.1. Thanks for the feature request! |
|
Thanks for implementing this, but can we have a wiki page or tutorial showing how to use/implement it? Thanks! |
|
@aiorus Sure! I put together a Wiki for this: https://github.com/hkalexling/Mango/wiki/Authentication-Methods |
|
@hkalexling Thanks! Is this AuthProxy an option within the docker container, or should I look into adding it from another container/machine? Thanks! |
|
@aiorus You would need a frontend to handle the authentication. This feature basically allows you to offload the authentication to the said frontend. It can be a reverse proxy (e.g., Apache and Nginx) or something like Organizr as the OP mentioned. If you don't know what it is you probably don't need it, and you can simply use the built-in username/password authentication in Mango. |
|
Any chance to get an sample config for nginx/Authentik forward proxy? |
Is your feature request related to a problem? Please describe.
Right now, I have users login to a frontend (in my case, Organizr), and then they have to login again into Mango. This can be cumbersome as it creates two login screens. Disabling logins is not ideal as read progress will then be shared, and the admin tab would be open for everyone. Single-Sign On (SSO) options can make the UX a lot nicer, but they can be difficult to build because there can be lots of different ways to store credentials.
Describe the solution you'd like
One new technique I am seeing being adopted is using Auth Proxy for SSO. Basically, what this does is allow you to specify header you will expect from an upstream request, and use that to set the user. You can set a specific IP or range from which to accept these headers to reduce risk of bad actors. This allows users who may be using LDAP or other options for authentication to also leverage SSO because it is relatively easy to implement server side. In this way, the development for SSO can be isolated to a simpler feature vs trying to build out integrations with multiple different SSO platforms. I've linked two known implementations for this feature below with Grafana and Calibre Web.
Grafana: https://grafana.com/blog/2015/12/07/grafana-authproxy-have-it-your-way/
Calibre-Web: https://github.com/janeczku/calibre-web/wiki/Setup-Reverse-Proxy
A simple implementation would be to pull the username from the header, match against the User table, and log the user in based on that. A more robust implementation is how Grafana does it, which allows you to also configure the app to create a new user if the username does not exist per some default permission sets.
Describe a small use-case for this feature request
You have Mango as just one applet in a larger media server that may consist of other services like Plex, Emby, Calibre-Web, etc. Rather than having users keep track of multiple logins to access these services, you can set up a system to SSO across all of them with a single front-end, be that LDAP or Organizr or some other method.
The text was updated successfully, but these errors were encountered: