Far too many dependencies on Windows users and AD auth #19

Closed
figuerres opened this issue May 1, 2017 · 5 comments

@figuerres

SSRS needs some re-working to make it work with modern auth systems that are not based on a Windows user account or asking the user for a password. OAuth, OpenID Connect, JSON Web Tokens need to be pluggable to SSRS.

@YvesR

YvesR commented May 2, 2017

I agree it would be a good idea but it is probably a complex topic. Authentication against different services is the easy part imho, but how to do authorization? At the moment every authorization request is done directly against the Active Directory. To change that, SSRS will need its own data tables for groups and mappings.

@mcb2k3

mcb2k3 commented May 2, 2017

From what I can see from Googling, some developers are implementing custom security for SSRS 2016 Web Portal. It is a rewrite that should support modern authentication methods.

If you build a web app that incorporates a report viewer, either the VS one or custom, RS web service authentication and authorization can occur on the back end, between the web server and the RS web service, using the web app identity, and user-level authentication/authorization can be performed by the web app (without involving RS) using methods of the developer's choice. That's the way I have always done it.

@figuerres
Author

I am in the process of working out what I can modify and what I have to keep.
I have two main cases:

  1. I want to show a user a given report like the ASP.NET control.
  2. I want some group of users to get a report portal view and give them as many options as I can for things like setting up a recurring schedule.

I think I can see how to do a JWT token to an IIdentity if the request has a token in the headers.
But if no token I am not sure if I want to just return a no-auth or redirect them to login via the STS.
I have an OIDC / OAuth token server, not login forms in my app.

The other half, the per-object permissions, is more of an issue.
The SSRS system should allow for options to not use Windows auth but ....
If I must I can create some Windows groups to map to my app roles.
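
One way to settle the no-token case raised above, as an added example that is not part of the thread or of SSRS: browser navigation is redirected to the STS, anything else gets a 401, and a present-but-invalid token is never redirected. The `BearerGate` and `AuthDecision` names, the STS URL, the `sub`/`roles`/`exp` claim names and the HS256 shared key are assumptions chosen to keep the block self-contained; an OIDC server normally signs with an asymmetric key instead.

```csharp
// Added example for modern .NET (6+). Key, STS URL and claim names are assumptions.
using System;
using System.Linq;
using System.Security.Claims;
using System.Security.Cryptography;
using System.Text;
using System.Text.Json;

public sealed record AuthDecision(int Status, string Location, ClaimsIdentity Identity);
public static class BearerGate
{
    const string StsAuthorize = "https://sts.example.test/connect/authorize"; // placeholder
    public static AuthDecision Decide(string authorization, string accept, byte[] key, DateTimeOffset now)
    {
        if (string.IsNullOrEmpty(authorization))
        {
            // No token: browser navigation goes to the STS, API calls get 401.
            bool browser = (accept ?? "").Contains("text/html");
            return browser ? new AuthDecision(302, StsAuthorize, null) : new AuthDecision(401, null, null);
        }
        // A token that is present but bad is always 401, never a redirect.
        var identity = authorization.StartsWith("Bearer ", StringComparison.Ordinal)
            ? Validate(authorization.Substring(7), key, now) : null;
        return identity == null ? new AuthDecision(401, null, null) : new AuthDecision(200, null, identity);
    }

    static ClaimsIdentity Validate(string jwt, byte[] key, DateTimeOffset now)
    {
        try
        {
            var parts = jwt.Split('.');
            if (parts.Length != 3) return null;
            using var header = JsonDocument.Parse(Decode(parts[0]));
            if (header.RootElement.GetProperty("alg").GetString() != "HS256") return null; // pin alg
            using var hmac = new HMACSHA256(key);
            var expected = hmac.ComputeHash(Encoding.ASCII.GetBytes(parts[0] + "." + parts[1]));
            if (!CryptographicOperations.FixedTimeEquals(expected, Decode(parts[2]))) return null;
            using var payload = JsonDocument.Parse(Decode(parts[1]));
            var root = payload.RootElement;
            if (root.GetProperty("exp").GetInt64() <= now.ToUnixTimeSeconds()) return null;
            var claims = root.GetProperty("roles").EnumerateArray()
                .Select(r => new Claim(ClaimTypes.Role, r.GetString()))
                .Prepend(new Claim(ClaimTypes.Name, root.GetProperty("sub").GetString()));
            return new ClaimsIdentity(claims, "Bearer");
        }
        catch (Exception) { return null; } // fail closed: any malformed token is rejected
    }
    static byte[] Decode(string s) => Convert.FromBase64String( // base64url to bytes
        s.Replace('-', '+').Replace('_', '/').PadRight(s.Length + (4 - s.Length % 4) % 4, '='));
}
```

The role claims on the returned identity are what would be mapped to report-level permissions; issuer and audience checks are left out here and belong in a real validator.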

@anujkumar-df

anujkumar-df commented Jul 9, 2017

As a part of a project, I had to implement custom authentication and authorization for SSRS. As said, authentication was the easy part, but for authorization, I had to call the RS web service on each item, such as a folder or report, depending on the case, and apply authorization over it by applying policies. Authentication is called on demand, but authorization for items is not; it should already be available as an item descriptor. The point I want to make is, the authorization-related information is stored with Report Server itself and it does not depend on AD.

@jtarquino
Member

Support for new authentication mechanisms is in our backlog; however, I can't provide any date yet.
