Revision 5a00c5be
Added by Moritz Bunkus 3 months ago
SL/Auth/HTTPHeaders.pm

}
}

=pod

=encoding utf8

=head1 NAME

SL::Auth::HTTPHeaders - Automatically log in users based on headers
sent by upstream servers

=head1 OVERVIEW

This module implements two modes for automatic log in for users:

=over 4

=item HTTP Basic Authentication

=item passing user name & client ID via arbitrary headers

=back

The module must be enabled in the configuration file by setting
C<authentication.module=HTTPHeaders>. It is then configured by the
sections C<authentication/http_basic> & C<authentication/http_headers>.

=head1 SUPPORTED AUTHENTICATION METHODS

=head2 User name & client ID in HTTP headers

Must be enabled by setting
C<authentication/http_headers.enabled=1>. If enabled, it relies on
upstream servers (web server, proxy server) doing the authentication
with SSO solutions like Authelia & Authentik. These solutions must
then send the user name of the authenticated user in an HTTP header &
the desired client ID in another header.

In order to ensure no malicious third party can simply set these
header values, a shared secret must be configured in the configuration
file & sent along in a third header field.

The names of all three headers as well as the shared secret must be
set in the configuration file's C<authentication/http_headers>
section.

This mode is mutually exclusive with the HTTP Basic Authentication
mentioned below.

=head2 HTTP Basic Authentication (RFC 7617)

Must be enabled by setting C<authentication/http_basic.enabled=1>. If
enabled, it relies on the web server doing the authentication for it &
passing the result in the C<Authorization> header, which turns into e
environment variable C<HTTP_AUTHORIZATION> according to the CGI
specifications.

This mode only supports using the default client as no way to pass the
desired client ID has been implemented yet.

This mode is mutually exclusive with the "User name & client ID in
HTTP headers" mode mentioned above.

=head1 AUTHOR

Moritz Bunkus E<lt>m.bunkus@linet.deE<gt>

=cut

1;
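Review bot: The "User name & client ID in HTTP headers" section states that the shared secret in a third header ensures "no malicious third party can simply set these header values", but it does not say what the deployment must guarantee for that to hold: the secret only helps while it stays confidential, so the documentation should advise that the application be reachable only through the authenticating upstream (web server or proxy) and that the upstream strip or overwrite any client-supplied copies of the three headers before forwarding. The same section says the header names and the secret "must be set in the configuration file's C<authentication/http_headers> section" without naming the keys; listing them with an example configuration would make the section usable. Both mode sections declare themselves "mutually exclusive" but neither says what happens when both C<authentication/http_basic.enabled=1> and C<authentication/http_headers.enabled=1> are set (error at startup, or one mode taking precedence); please document the behaviour. Finally, a typo in the HTTP Basic Authentication paragraph: "which turns into e environment variable" should read "which turns into the environment variable".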
Auth: POD documentation for automatic SSO using certain HTTP headers