Old 05-03-2024, 02:11 PM   #5
netchild
Quote:
Originally Posted by kovidgoyal
I have no clue what oauth-proxy is but surely it has some way to control what goes into the auth header or it's basically useless. Maybe find a better proxy.
oauth2-proxy is a tool in the middle of a webserver and a backend (like calibre) to authenticate users. oauth2 / oidc are authentication protocols which require an authentication service as a backend. oauth2-proxy is one of the few open-source solutions in this regard, and of all the OSS solutions I've seen, it is the most capable one.

It is not a normal proxy, it is an authenticator solution with a pass-through to the real application after successful auth:
user -> webserver -> oauth2-proxy -> sees no auth -> contacts the auth backend (could be google, github, in my case my own oidc provider which provides multi-factor authentication like google does) -> back to oauth2-proxy after successful auth -> pass-through to the backend application (calibre).

oauth2-proxy is mainly for applications which do not have an authentication or user management. And the OIDC / oauth2 single-sign-on possibility is something which is used in a lot of open source solutions. OSS webmail systems (roundcube / nextcloud), photo galleries (piwigo), personal document management systems (paperless-ngx), wordpress, wiki software and much more support oidc / oauth2 either natively or via plugins in addition to their built-in user/auth parts. Some don't, and there oauth2-proxy comes into play.

What oauth2-proxy puts into the username field makes sense, it is the unique ID of the authentication backend which cannot change. The "preferred username" or the email address which the backend provides too can be changed by the user, the ID can't. From an identity and authentication management perspective this is the right thing to do (my day to day job is in IT security, so I have a clue about this topic).

This may seem overkill to you, but it is not overkill to me (my family recipes, family photos, family documents are all protected by the single-sign-on solution). This solution regarding authentication is similar to what calibre is in the ebook world, a powerful and expert solution.

Do I understand you correctly that you do not consider your powerful, expert and outstanding ebook management software to be worth integrating into an existing, powerful and expert authentication solution?
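The flow netchild describes (client -> proxy -> auth layer -> backend, identity handed over in request headers, backend keyed on the provider's immutable ID) can be modelled in a few dozen lines. The following is an added example written for this thread, not code from oauth2-proxy or from calibre: the header names are borrowed from oauth2-proxy's X-Forwarded-User / X-Forwarded-Email convention but everything else (the AuthLayer and Backend classes, the session cookie scheme, the sample claims) is an assumption constructed for illustration. It shows the two security-relevant properties the post argues for: the backend's account stays the same when the user changes e-mail or preferred username at the provider, and identity headers supplied by the client itself never reach the backend, only the ones the auth layer sets.

```python
"""Added example (not from the forum thread, not oauth2-proxy's own code).

Models: client -> auth layer (stands in for oauth2-proxy) -> backend
(stands in for calibre). The auth layer forwards identity in headers named
after oauth2-proxy's convention (an assumption about the real tool); the
backend keys its local accounts on the immutable OIDC `sub` claim, never on
the user-editable e-mail or preferred_username.
"""

# Constructed sample claims, as an OIDC provider would return them in an
# ID token after a successful login (all values made up for this example).
ISSUED_CLAIMS = {
    "sub": "9f3a1c2e-0001",          # stable, provider-assigned identifier
    "email": "alice@example.org",    # user can change this at the provider
    "preferred_username": "alice",   # user can change this at the provider
}

# Headers only the auth layer is allowed to set on the way to the backend.
IDENTITY_HEADERS = (
    "X-Forwarded-User",
    "X-Forwarded-Email",
    "X-Forwarded-Preferred-Username",
)


class AuthLayer:
    """Hypothetical stand-in for oauth2-proxy: sessions plus identity forwarding."""

    def __init__(self):
        self.sessions = {}  # session cookie -> claims from the provider

    def login(self, claims):
        """Record a completed OIDC login and hand back the session cookie."""
        cookie = "sess-" + claims["sub"]
        self.sessions[cookie] = dict(claims)
        return cookie

    def forward(self, request):
        """Return the request as the backend sees it, or None if unauthenticated
        (the real tool would redirect to the OIDC provider at this point)."""
        claims = self.sessions.get(request["cookie"])
        if claims is None:
            return None
        # Strip identity headers the client sent itself; only the auth layer
        # may populate them, otherwise the backend could be handed a fake user.
        headers = {k: v for k, v in request["headers"].items()
                   if k not in IDENTITY_HEADERS}
        headers["X-Forwarded-User"] = claims["sub"]
        headers["X-Forwarded-Email"] = claims["email"]
        headers["X-Forwarded-Preferred-Username"] = claims["preferred_username"]
        return {"path": request["path"], "headers": headers}


class Backend:
    """Hypothetical stand-in for the application: maps forwarded identity to a local account."""

    def __init__(self):
        self.accounts = {}  # sub -> local account record

    def handle(self, forwarded):
        """Resolve (or create) the local account for this request; returns its id."""
        sub = forwarded["headers"]["X-Forwarded-User"]
        account = self.accounts.setdefault(
            sub, {"library_id": len(self.accounts) + 1, "email": None})
        # E-mail is kept for display only; it is never the account key.
        account["email"] = forwarded["headers"].get("X-Forwarded-Email")
        return account["library_id"]


def run_scenario():
    """Walk through login, a provider-side e-mail change, a client-supplied
    identity header, and an unauthenticated request; return what the backend saw."""
    auth = AuthLayer()
    backend = Backend()

    cookie = auth.login(ISSUED_CLAIMS)
    first = backend.handle(auth.forward({"cookie": cookie, "path": "/", "headers": {}}))

    # The user changes e-mail and preferred username at the provider; `sub` stays.
    changed = dict(ISSUED_CLAIMS, email="alice.new@example.org",
                   preferred_username="alice2")
    cookie2 = auth.login(changed)
    second = backend.handle(auth.forward({"cookie": cookie2, "path": "/", "headers": {}}))

    # A client adds its own X-Forwarded-User; the auth layer replaces it.
    third = backend.handle(auth.forward(
        {"cookie": cookie2, "path": "/", "headers": {"X-Forwarded-User": "someone-else"}}))

    # No valid session: nothing is forwarded to the backend at all.
    unauth = auth.forward(
        {"cookie": "no-such-session", "path": "/", "headers": {"X-Forwarded-User": "someone-else"}})

    return {"first": first, "second": second, "third": third,
            "unauthenticated": unauth, "accounts": len(backend.accounts)}


if __name__ == "__main__":
    print(run_scenario())
```

The one property the model cannot show on its own is that the backend must only be reachable through the auth layer: if the application port is exposed directly, the header-stripping step is bypassed, so in a real deployment the backend should listen on localhost or a private network only.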