Add User Authentification to oxidized-web

[robertcheramy]

I want to add a user authentication to Oxidized-web. It should:

• Be Optional
• Use JSON Web Token
• Use Multiple Authentication Backends
  • Local File Backend
  • LDAP Backend

[ytti]

Do consider WebAuthn if at all reasonable.

Why I wanted originally this to be handled by front-end is because I don't think there is much hope of creating solution that isn't bypassable in numerous ways and then it becomes Oxidized responsibility, instead of the front-end.

[eoprede]

Just wanted to provide background as to why this may be useful - I am running oxidized in k8s environment and have a standard reverse proxy (ingress) set up that provides SSL. It can provide authentication as well, but it becomes a custom ingress that in my environment makes things messier. It is much easier to handle authentication in the application and then only handle SSL on the ingress controller side.

[ytti]

Just wanted to provide background as to why this may be useful - I am running oxidized in k8s environment and have a standard reverse proxy (ingress) set up that provides SSL. It can provide authentication as well, but it becomes a custom ingress that in my environment makes things messier. It is much easier to handle authentication in the application and then only handle SSL on the ingress controller side.

I'm not sure that rationale holds. Even if you have proxy already, which I can understand completely makes little sense to tinker for application level stuff for you. You still can include in your Oxidized application another mature HTTP proxy, like lighttpd, nginx or caddy.

I am not going to reject adding user authentication to Oxidized, but it is definitely going to be security problem. It absolutely will contain bugs that allow bypassing it, and it will be our responsibility. I don't think we can compete with any of the mentioned projects in security and they already aren't great.

But I guess no one really cares about security, this is about convenience, you get user auth, against your AD (via LDAP backend) and it all comes out of single source, instead of maintaining additional proxy. And that I agree is legitimate argument.

[github-actions]

This issue is stale because it has been open 90 days with no activity.

[robertcheramy]

Note - adding Authentification could break some features like reload source in https://github.com/ytti/oxidized/blob/master/extra/auto-reload-config.runit