OpenID authentication + API for authorization #3101
Hi, congratulations on building such a good product.
Would it be possible to authenticate users with any OpenID Connect provider? The PR #2818 is specific to Google. It would be great if we could have something more generic.
To provide more context: we would like to centralise authentication and authorisation in one place for the different front-ends and APIs we provide to our enterprise users. In order to achieve this we are looking at options like OpenAM or CAS. The advantage of having a centralised authentication and authorisation server is that you don't need to duplicate roles and permissions in the different front-ends and APIs. Our enterprise users would ultimately be authenticated with LDAP; using an authentication and authorisation server would allow us to become an OpenID Connect provider and check credentials with LDAP. Should #1488 advance further, direct LDAP integration from Metabase could also be an option.
Concerning authorization and related to #3088 and #1175, it would be very interesting for us if there could be a generic API/endpoint that we can implement to check if a user can access a specific resource, in the same way in OAuth 2.0 a resource server (server hosting the protected resources; in this case Metabase) may interact with the authorization server (server issuing access tokens; our central authentication and authorization server) to check if a user has access to a resource; this would avoid defining roles for users and resources directly in Metabase.
Let us know if these widely adopted protocols and solutions (OpenID Connect, separating authorisation server and resource server concerns) would make sense for Metabase and how we can help to make it happen.
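The delegation requested above, sketched as an added example; it is not Metabase code and not written by anyone in this thread. The names `RemoteAuthorizer`, `can_access`, `fake_server` and the `allowed` reply field are hypothetical. The resource server defers each decision to the central server, denies on any error or malformed reply, and caches decisions only briefly so that revocations propagate.

```python
import time
from typing import Callable, Dict, Tuple

# Hypothetical transport: takes (user, resource_type, resource_id) and returns the
# authorization server's decoded JSON reply. In production this would be an
# authenticated HTTPS call; it is injected here so the block runs offline.
Transport = Callable[[str, str, str], dict]

class RemoteAuthorizer:
    """Resource-server side check that defers every decision to a central server."""

    def __init__(self, transport: Transport, ttl_seconds: float = 30.0,
                 clock: Callable[[], float] = time.monotonic):
        self._transport = transport
        self._ttl = ttl_seconds
        self._clock = clock
        self._cache: Dict[Tuple[str, str, str], Tuple[bool, float]] = {}

    def can_access(self, user: str, resource_type: str, resource_id: str) -> bool:
        key = (user, resource_type, resource_id)
        cached = self._cache.get(key)
        if cached and cached[1] > self._clock():
            return cached[0]
        try:
            reply = self._transport(user, resource_type, resource_id)
        except Exception:
            return False  # fail closed: an unreachable server never grants access
        # Only an explicit boolean True is a grant; missing or odd values deny.
        allowed = isinstance(reply, dict) and reply.get("allowed") is True
        self._cache[key] = (allowed, self._clock() + self._ttl)
        return allowed

# Constructed policy table standing in for the central authorization server.
POLICY = {("alice", "card", "42")}
CALLS = []  # records every request that actually reached the "server"

def fake_server(user, rtype, rid):
    CALLS.append((user, rtype, rid))
    if user == "mallory":
        raise TimeoutError("authorization server unreachable")
    if user == "bob":
        return {"allowed": "yes"}  # malformed reply: not a boolean
    return {"allowed": (user, rtype, rid) in POLICY}

if __name__ == "__main__":
    authz = RemoteAuthorizer(fake_server)
    for who in ("alice", "bob", "mallory"):
        print(who, authz.can_access(who, "card", "42"))
```

Errors are deliberately not cached, so access resumes as soon as the central server is reachable again; the TTL bounds how long a revoked grant can still be honoured.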
Regarding "it would be very interesting for us if there could be a generic API/endpoint that we can implement to check if a user can access a specific resource", are you referring to an API you'd program against in a fork? E.g. where for each card that function would call another server and ask if user X could access that item?
Yes, exactly. It's good practice in software development to define interfaces (to decouple implementation from how functionality is used throughout the application); it makes your app more modular and easier to refactor sections of the code (which is often necessary sooner than one would desire). In this case it would suffice to have an interface with a method