Old 05-03-2024, 07:55 AM   #1
netchild
External pre-authentication (instead of oauth/oidc)

Hi,

I've read that oauth (or oidc) doesn't seem to be on the plate as an alternative to the existing http auth. What about an optional external pre-authentication method?

What I have in mind is a way to specify for the server to not ask for the http auth (--auth-mode=pre --enable-auth) and to specify which http header is providing the username (--http-user-header=ABC), and the calibre server would blindly use the username from this header without any password. This way a tool in front of calibre (be it apache/nginx/whatever, or an oauth2-proxy) could then authenticate the user and provide access to various libraries via --manage-users (the password part is then useless/ignored in this mode).

To illustrate it a bit more:
- user goes to https://my.calibre.site/
- the webserver/reverse-proxy at my.calibre.site does the TLS handshake, sees the user is not authenticated, and provides a login page to the user without doing any request to the calibre server
- once the webserver/reverse-proxy has authenticated the user, it sets "X-My-Private-HTTP-Header: the-user-name" and makes a request to the calibre server
- the calibre server was configured to not send an http auth required but to use the username from the X-My-Private-HTTP-Header to check the access permissions versus the userdb (without validating/requesting any password itself) and provide only access to those libraries which the user is allowed to see

As an example, the oauth2-proxy on github has the option (https://oauth2-proxy.github.io/oauth...tion/overview/) "pass-user-headers" which then sets the http headers X-Forwarded-User, X-Forwarded-Groups, X-Forwarded-Email and X-Forwarded-Preferred-Username to upstream after authentication. Calibre server could then be configured to use one of those to match against the calibre-internal userdb.

As side notes:
1) Calibre could gain free group management this way (free = no group-management code needed inside calibre), by entering group names inside calibre in the place of user names. By providing a group name in the header field instead of the username, the preauthentication solution would still authenticate the user based upon his private password/token, but calibre would only see the group name, match that group name against the username in the userdb, and give access to some of the libraries based upon the --manage-users settings for this username.
2) Depending on what is used to preauthenticate against, there is even free self-service password management/recovery. For some family members this is quite handy sometimes...

Thanks for considering this feature request.
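As an added illustration of the trust boundary this proposal relies on (example code written for this page, not calibre's own and not the poster's): the proxy must replace any client-supplied copy of the identity header before forwarding, and the upstream must accept the header only when the request comes from the proxy itself. The header name, the proxy address ranges and the userdb contents below are assumptions.

```python
# Added example: a minimal model of the proposed "pre-authentication" mode.
# The reverse proxy authenticates the user and forwards the identity in a
# header; the upstream trusts that header ONLY when the request arrives from
# a trusted proxy address. PRE_AUTH_HEADER, TRUSTED_PROXIES and USERDB are
# hypothetical stand-ins, not calibre options or data.
import ipaddress

PRE_AUTH_HEADER = "X-Forwarded-User"          # the header picked via a --http-user-header style option
TRUSTED_PROXIES = [                           # assumption: proxy runs locally or in this private range
    ipaddress.ip_network("127.0.0.1/32"),
    ipaddress.ip_network("10.0.0.0/8"),
]

# Constructed stand-in for the calibre userdb: username (or group name, as the
# post suggests) -> libraries that account may see. No passwords are involved.
USERDB = {
    "alice": {"Fiction", "Tech"},
    "family": {"Fiction"},
}


def proxy_forward_headers(client_headers, authenticated_user):
    """Proxy side: drop any client-supplied copy of the identity header
    (case-insensitively), then set the value the proxy itself verified."""
    forwarded = {k: v for k, v in client_headers.items()
                 if k.lower() != PRE_AUTH_HEADER.lower()}
    forwarded[PRE_AUTH_HEADER] = authenticated_user
    return forwarded


def pre_auth_user(remote_addr, headers):
    """Upstream side: return the pre-authenticated username, or None when the
    header must not be trusted (request did not come through the proxy)."""
    addr = ipaddress.ip_address(remote_addr)
    if not any(addr in net for net in TRUSTED_PROXIES):
        return None                      # direct client: header is attacker-controlled
    lowered = {k.lower(): v for k, v in headers.items()}
    user = lowered.get(PRE_AUTH_HEADER.lower(), "").strip()
    return user or None


def allowed_libraries(remote_addr, headers):
    """Libraries the request may access; empty set means access is denied."""
    user = pre_auth_user(remote_addr, headers)
    if user is None or user not in USERDB:
        return set()                     # unknown user/group or untrusted source
    return set(USERDB[user])
```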