New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Granular SSO: private upload, public download #108
Comments
Lucky of me, I stumbled accross this issue's comment in GitLab by pure chance. I saw that he had to allow a There where other errors, which I looked at them with the console inspector and turned out to be fonts in woff2, the manifest file and SVGs (the latest for some reason didn't show up in the DevTools). It turns out that fixes everything! And when looking at this, I saw another problem with this implementation: when you click the Try Send button, it redirects to |
hello i was looking exactly for the same did you succed to fix this ? thanks |
Same Here |
Hey @HipyCas could you help me with authentik? I have set up the following, but it's not working:
|
@HipyCas I'm looking to achieve exactly the same as you. |
Hello everyone! First of all, I want to congratulate everyone for this project, I've been looking for something like this for a while and this just works amazingly well. I was first going to publish this as kind of a bug for my specific case, but I though I could just generalize to my actual main objective, so hope the issue is all good. And yes I know it is a pretty long issue, but I wanted to explain as good as I can my issue and request.
Context
Currently, I am trying to implement a SSO in a server I've set up, where I am also setting up Send. So, here is my use case:
Both the SSO and Send would be under subdomains, the SSO under
auth.server.com
andsend.server.com
(domains are just illustrative). For the SSO I'm running Authentik, and set a Proxy Provider to secure Send. This Proxy Provider is pretty simple, it checks if the user is signed in the SSO outpost (i.e. inauth.server.com
) and if it is it allows Nginx to do theproxy_pass
to send, if not it redirects toauth.server.com
so you can authenticate, bringing you back tosend.server.com
after authentication. This works perfectly, but I'm looking to configure in a way I wasn't able to, explained below.What I would like to do
I would like to require authentication only for upload, but allowing anyone to download. My first attempt was to exclude the
/download
and derived paths from the authentication proxy, allowing anyone to access them. That kinda works, I say kinda because this is what I get:What I guess is happening here is the following:
/download/<...>
😄send.server.com
that is not a path that starts with/download
, therefore Nginx requests authentication and thigs just crash 😭I thought that maybe it was trying to request some file, so I tried to configure Nginx to bypass authentication on all routes that may be a file, but I had no luck either.
The solutions I thought of
Maybe just document it
The (I believe) quickest and simplest solution is to just provide somewhere in the documentation which paths the
/download/<...>
pages request, so we can configure Nginx to exclude them. It's not specially comfortable for whoever has to configure Nginx there and looks a bit odd as solution, but I mean it would work (also requires probably LOTS of maintenance).Rewrite the paths
The first solution I thought of is setting the paths for everything that the
/download/<..>
pages request to start with a common path segment, for example/download-assets
or/download/assets
. That would make it so easy to exclude from the authentication proxy and is more of a long-term solution, thought it will probably take a lot of work and effort.My favourite: SAML (or other SSO-compatible auth method)
Before posting this, I've looked at issue #32. First of all, developing that would already be a good amount of job and incredibly great, but it doesn't completely enable SSO. It would be really great if, alongside this, Send provided the option to disable the internal auth GUI and allow SAML, LDAP or other authentication. If that seems too fancy, Navidrome for example provides a pretty basic proxy-based authentication (which is like the one I was trying to implement with Send as explained above). There is just one important difference (at least for my case and what I believe was also commented on #32) from other services implementing this kind of login: download should be exempt of this authentication. I know this may take some time to be developed, but I would be very happy if this actually pulled through :D.
That's all, thanks a lot for your work and dedication! Feel free to ask for any more details or if I haven't explained myself well enough.
The text was updated successfully, but these errors were encountered: