Direct redirect if single oauth2 provider #145
This PR aims to skip the OAuth2 service selection if there is only one available and directly use it.
Can solve #139
Could this be a good solution?

Conversation
My concern is that it will bypass the possibility to use a local LDAP account. So I'd make it configurable in the application.yaml.
Do you have a local LDAP configuration on your gateway? Maybe we could redirect if "no LDAP" + "only one OAuth2 service". But having no LDAP also means having no basic authentication, so it sounds like an uncommon georchestra setup (even if the gateway should allow it).
I have an LDAP, but the WordPress at our domain root provides SSO via CAS. I think the same problem will occur if external applications need SSO with georchestra. I corrected the PR to only redirect if LDAP is disabled.
No objection with the PR, any other thoughts @f-necas?
No objection for this! But just wondering how roles are managed/mapped to make apps within georchestra work.
I've never been able to have the OIDC endpoints from CAS working, and I cannot remember if the CAS OAuth2 implementation is releasing extra attributes so that the gateway could also do authorization, so I cannot tell, but on at least one project (DT) you can connect to the gateway with an OIDC provider, and no LDAP interactions are needed.
I will also have to solve this. Currently it looks like the attributes released from the CAS are not mapped into the headers. So I have "null null" as the user in the header, for example. I've seen that we can also release attributes via OAuth2, so it should be possible to map them to sec-* headers.
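The decision the thread converges on (go straight to the provider only when exactly one OAuth2 client is registered and LDAP is disabled, otherwise keep the provider-selection page so the local LDAP/basic-auth login stays reachable), modelled as an added example. This is not the gateway's code (the georchestra gateway is a Java/Spring Cloud Gateway application) and it does not implement the PR; the `LoginConfig` fields, the `auto_redirect` toggle, the `Decision`/`resolve_login` names and the sample registration ids are assumptions. The `/oauth2/authorization/<registrationId>` path is Spring Security's default authorization-request endpoint, and the guard on `/login?error` is a caveat added here (Spring Security's default failure URL), not something the PR discusses.

```python
from dataclasses import dataclass
from typing import Mapping, Optional, Tuple

# Hypothetical model of the gateway's login-related settings. This is an
# added example, not georchestra's configuration classes; the field and
# toggle names are assumptions.
@dataclass(frozen=True)
class LoginConfig:
    ldap_enabled: bool                     # a local LDAP (and therefore basic-auth) login exists
    oauth2_registrations: Tuple[str, ...]  # registration ids of the configured OAuth2/OIDC clients
    auto_redirect: bool = True             # the application.yaml opt-out suggested in the thread (assumed name)


@dataclass(frozen=True)
class Decision:
    target: str   # where to send the unauthenticated browser
    reason: str   # why, so the choice can be logged and tested


LOGIN_PAGE = "/login"
# Spring Security's default authorization-request endpoint: requesting this
# path starts the OAuth2 flow for <registrationId>.
AUTHORIZATION_PATH = "/oauth2/authorization/{registration_id}"


def resolve_login(cfg: LoginConfig, query: Optional[Mapping[str, str]] = None) -> Decision:
    """Decide whether a request for the login page may skip the provider chooser.

    The redirect is only taken when it cannot hide another way to sign in:
    LDAP enabled means form/basic auth must stay reachable, and zero or
    several registrations means there is nothing unambiguous to redirect to.
    """
    query = query or {}
    if not cfg.auto_redirect:
        return Decision(LOGIN_PAGE, "disabled")
    if cfg.ldap_enabled:
        return Decision(LOGIN_PAGE, "ldap-enabled")
    if len(cfg.oauth2_registrations) != 1:
        return Decision(LOGIN_PAGE, "provider-count=%d" % len(cfg.oauth2_registrations))
    # Caveat added here, not discussed in the PR: Spring Security's default
    # failure URL is /login?error. Redirecting from that page too would send a
    # user whose provider login just failed straight back to the provider,
    # i.e. a loop with no visible error, so render the page instead.
    if "error" in query:
        return Decision(LOGIN_PAGE, "previous-failure")
    (registration_id,) = cfg.oauth2_registrations
    return Decision(AUTHORIZATION_PATH.format(registration_id=registration_id), "single-provider")


if __name__ == "__main__":
    # The setups that come up in the thread, as constructed inputs.
    scenarios = {
        "LDAP + one OAuth2 client": LoginConfig(True, ("cas",)),
        "no LDAP + one OAuth2 client": LoginConfig(False, ("cas",)),
        "no LDAP + two OAuth2 clients": LoginConfig(False, ("cas", "keycloak")),
        "no LDAP + one client, opted out": LoginConfig(False, ("cas",), auto_redirect=False),
    }
    for name, cfg in scenarios.items():
        d = resolve_login(cfg)
        print(f"{name:34} -> {d.target} ({d.reason})")
```

Running the module prints one line per scenario; only the "no LDAP + one OAuth2 client" case leaves the login page, which is exactly the condition the corrected PR redirects on. Whatever the real gateway filter looks like, the two checks worth keeping are the LDAP gate (otherwise the local account login is unreachable, the objection raised in the first comment) and a way to reach the login page after a failed provider round-trip.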