Grist doesn't respect changes in FORWARD_AUTH_HEADER when doing SSO #207
Comments
Thanks for spelling this out @helmut72. It makes sense, the |
Thank you. That would be great! |
My intention not to use authentication on all paths was the feature to share some tables with anonymous users. Using authentication on all paths even works great with 0.7.9. Now with the latest docker image and to have shared links, I need to set When it's set to One other question. What do you mean with Thank you! |
That's too bad, in that case the updates won't help you. Yes, if you do need to set a session on Grist, then you are going to have a user on Grist that could be inconsistent with the user elsewhere. There's no signal I know of that would let Grist know to remove/update it (since in your situation you're specifically omitting to pass on the auth header). Is it possible to ask Caddy to hit an endpoint to let Grist know it should remove the user? I wonder if it would be useful to have a distinct url available for sharing with anonymous users. Something with a common prefix that can be easily excluded from auth by reverse proxies. The |
An own prefix is common for API access or shared links (for example Nextcloud). This would solve the problem. Grist works perfectly when the reverse proxy handles session management if authentication is on all paths, but then I lost sharing with others. |
Any update? My intention is dropping SAML/Keycloak for Authelia and using sharing also with header auth, because it would be cool to integrate Grist tables to Outline like it's possible with Airtable: Tables are better placed into something like Grist and Text is better placed into something like Outline. Thank you. |
No update, sorry. One thing I did want to mention is a currently undocumented feature where you can assign a custom id to a document, like https://templates.getgrist.com/doc/afterschool-program - see how the url is /doc/ instead of /GeNeRatED-Id/? You can set this kind of id via the api, using https://support.getgrist.com/api/#tag/docs/paths/~1docs~1{docId}/patch and supplying a Otherwise, I think implementing the feature you're looking for would mostly involve adding a new endpoint family here https://github.com/gristlabs/grist-core/blob/main/app/server/lib/AppEndpoint.ts#L301-L303 and tweaking |
Thanks! This is enough for personal use, because I'm able to include tables/URLs in Markdown documents and no one needs an account on my Grist installation to view/open the table.
I understand that this takes a longer time, also needs testing. Will ask in some months again. ;-) Thanks for sharing this undocumented feature. Unfortunately I'm busy these days and need to test it, but this should help. |
Based on following how-tos:
https://community.getgrist.com/t/a-template-for-self-hosting-grist-with-traefik-and-docker-compose/856
https://community.getgrist.com/t/grist-authelia-custom-logout-path/967
... I have set up Grist with Caddy as reverse proxy and Authelia for authentication. But I think there is an error on Grist when it comes to single sign-on.
For showing the problem I have installed 2 different whoami, whoami.example.com and whoami2.example.com. Both secured with Authelia. Also Grist is secured.
Logout will be caught on all 3 apps by Caddy when calling /signed-out:

Everything works fine as long as I only use Grist for login/logout. When I log in on another web app first, Grist doesn't respect the new login from another user.
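
The session mismatch discussed in this issue, as an added example that is not part of the original thread and is not Grist's code: a hypothetical `reconcileSession` check compares the user asserted by the reverse proxy with the user stored in the application session. The header name `remote-user`, the session shape and the action names are assumptions made for illustration.

```javascript
// Added example: hypothetical logic, not Grist's implementation.
// AUTH_HEADER is an assumed name for the header the reverse proxy sets.
// Assumes the proxy strips any client-supplied copy of this header.
const AUTH_HEADER = 'remote-user';

// Decide what to do with an existing app session, given the identity
// (if any) that the reverse proxy asserts on the current request.
function reconcileSession(headers, session) {
  const raw = headers[AUTH_HEADER];
  const proxyUser = typeof raw === 'string' ? raw.trim().toLowerCase() : '';
  const sessionUser = session && session.user ? session.user.toLowerCase() : '';

  if (!proxyUser) {
    // Path excluded from forward auth (e.g. for anonymous sharing): no
    // header arrives, so an earlier session cannot be checked against
    // whoever is currently signed in at the proxy.
    return sessionUser
      ? { action: 'keep-unverified', user: sessionUser }
      : { action: 'anonymous', user: null };
  }
  if (!sessionUser) {
    return { action: 'create', user: proxyUser };
  }
  if (sessionUser !== proxyUser) {
    // A different user signed in at the proxy: the old session is stale
    // and must be replaced rather than reused.
    return { action: 'replace', user: proxyUser };
  }
  return { action: 'keep', user: sessionUser };
}

// Constructed sample requests: [headers, existing session].
const samples = [
  [{ 'remote-user': 'alice@example.com' }, null],
  [{ 'remote-user': 'alice@example.com' }, { user: 'alice@example.com' }],
  [{ 'remote-user': 'bob@example.com' }, { user: 'alice@example.com' }],
  [{}, { user: 'alice@example.com' }],
  [{}, null],
];

function runSamples() {
  return samples.map(([headers, session]) => reconcileSession(headers, session).action);
}

console.log(runSamples());
```

The `keep-unverified` result is the case from the thread: when the auth header is not passed on for some paths, nothing tells the application that the proxy user has changed.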