Story #2361
closed
As a user, I can authenticate using an external authority
0%
Description
The suggestion is to use Apache modules for external auth and to look up the username in the REMOTE_USER* environment variables.
In this case we need to extend djangorestframework-jwt to trust the REMOTE_USER_* environment variables when creating tokens.
We should also take care of the auto-creation and update of the external users in Pulp.
External authentication is expected to be used as an initial authentication to obtain a JWT token and not to be used on every request.
Relevant info from the proposal:
REMOTE_USER_*
-------------
mod_lookup_identity is the recommended solution by the FreeIPA project for allowing a web app to discover user identity and related attributes from a trusted authentication source. It uses SSSD to look up attributes, and then it sets various REMOTE_USER_* environment variables within the context of a request. Any web application can then trust those values, making it a simple integration point.
Commonly-available attributes include username, email, first name, last name, and group membership.
Auto-Creation of Users
----------------------
In addition to looking for and trusting the REMOTE_USER environment variable, the drf-jwt token creation view would be extended to automatically create and update users. When invoked, it would:
- trust the REMOTE_USER value for authentication
- if the user exists in the DB, update its attributes with the other REMOTE_USER_* values
- if the user does not exist in the DB, create it based on the REMOTE_USER_* values
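
The create-or-update step listed above, as an added example (not code from Pulp or djangorestframework-jwt). It assumes a plain dict in place of the Django user table and the attribute variable names commonly configured for mod_lookup_identity; the function name and sample values are hypothetical.

```python
# Added example: in-memory stand-in for the user table, not Pulp/drf-jwt code.
# The variable names are assumptions: mod_lookup_identity sets whatever names
# the Apache configuration assigns to each looked-up attribute.
ATTR_MAP = {
    "REMOTE_USER_EMAIL": "email",
    "REMOTE_USER_FIRSTNAME": "first_name",
    "REMOTE_USER_LASTNAME": "last_name",
}
GROUPS_VAR = "REMOTE_USER_GROUPS"  # assumed to be a ':'-separated list

# Constructed sample of what the web server would place in the WSGI environ.
SAMPLE_ENVIRON = {
    "REMOTE_USER": "alice",
    "REMOTE_USER_EMAIL": "alice@example.test",
    "REMOTE_USER_FIRSTNAME": "Alice",
    "REMOTE_USER_GROUPS": "pulp-users:admins",
}


class ExternalAuthError(Exception):
    """Raised when the web server asserted no identity for the request."""


def sync_remote_user(environ, users):
    """Create or update a user from the server-set REMOTE_USER* values.

    `environ` is the WSGI environ; `users` maps username -> attribute dict.
    Returns (username, created).
    """
    # Only the bare REMOTE_USER key is set by the server's auth module.
    # A client-sent "Remote-User:" header arrives as HTTP_REMOTE_USER and
    # is deliberately never consulted here.
    username = (environ.get("REMOTE_USER") or "").strip()
    if not username:
        raise ExternalAuthError("no identity asserted by the web server")

    attrs = {f: environ[v] for v, f in ATTR_MAP.items() if environ.get(v)}
    if GROUPS_VAR in environ:
        attrs["groups"] = sorted(g for g in environ[GROUPS_VAR].split(":") if g)

    created = username not in users
    record = users.setdefault(username, {"username": username})
    record.update(attrs)  # refresh attributes on every token request
    return username, created
```

Because the view would run only when a token is requested, attribute and group changes in the external authority reach the local record at the next token request, not on every API call.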