☂️ support for external authentication via identity-aware proxies (a.k.a. "header-based auth") #11901

Open
1 of 8 tasks
johnstcn opened this issue Jan 29, 2024 · 2 comments
Labels
☂️ epic An issue of issues

Comments

@johnstcn
Member

johnstcn commented Jan 29, 2024

This is an umbrella issue to track support for external authentication via identity-aware proxies ("header-based auth") such as Google Cloud IAP, Microsoft Entra Application Proxy, and AWS Verified Access.

At a high level, this includes the following changes:

  • Adding support for Coder to read and validate a JWT from a configurable HTTP header.
  • Authenticating users from configurable claims in the above JWT.
  • Associated refactoring, testing, and other cleanup as required.

RFC: https://www.notion.so/coderhq/External-Authentication-via-Identity-Aware-Proxies-a-k-a-header-based-auth-2217b65064b54f06a68258729db5dd76?pvs=4

Must haves:

  • Write an RFC for external authentication via identity-aware proxies #11902
  • header-based auth: Refactor httpmw.APIKey middleware to expose an interface
  • header-based auth: Implement enterprise httpmw.JWTAuth to authenticate users via JWT claims
  • header-based auth: Integrate enterprise httpmw.JWTAuth into enterprise/coderd
  • header-based auth: Add a /debug endpoint to dump JWT claims
  • header-based auth: Add documentation regarding authentication via identity-aware proxies

Nice to have:

  • header-based auth: Add support for automatically creating users based on JWT authentication claims
  • header-based auth: Create a path to migrate existing users from either built-in or OIDC authentication to "proxy" authentication.
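The two "must have" pieces above (read a JWT from a configurable header, then authenticate from configurable claims) can be sketched as a small net/http middleware. The code below is an added example written for this page, not Coder's `httpmw` package or the `JWTAuth` implementation tracked here: the `HeaderAuthConfig` field names, the `X-IAP-Assertion` header, the issuer and audience strings, and the shared HS256 key are all constructed for the example. Real identity-aware proxies sign their assertions with asymmetric keys published at a JWKS URL, so a production verifier would swap the HMAC check for an RS256/ES256 verification against the proxy's public key; the validation order (pin the algorithm, check the signature before trusting any claim, then issuer, audience and expiry, then the identity claim) is the part worth keeping.

```go
package main

import (
	"context"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"strings"
	"time"
)

// HeaderAuthConfig captures what the issue wants to be configurable: the header
// that carries the proxy's JWT and the claim that identifies the user. The
// field names are assumptions for this example, not Coder configuration keys.
type HeaderAuthConfig struct {
	Header        string           // header the proxy sets, e.g. "X-Goog-IAP-JWT-Assertion"
	IdentityClaim string           // claim used as the user identity, e.g. "email"
	Issuer        string           // required "iss" value
	Audience      string           // required "aud" value (this deployment's identifier)
	Key           []byte           // HS256 key for the example; real IAPs use asymmetric keys via JWKS
	Now           func() time.Time // injectable clock for "exp" checks
}

var ErrInvalidToken = errors.New("invalid identity token")

type userKey struct{}

func b64url(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// Verify checks the compact JWS carried in the header and returns its claims.
// The algorithm is pinned to HS256: the token's own header never decides how
// the signature is verified, which blocks "alg":"none" and key-type confusion.
func (c HeaderAuthConfig) Verify(token string) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("%w: expected three segments", ErrInvalidToken)
	}
	hdrJSON, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return nil, fmt.Errorf("%w: undecodable header", ErrInvalidToken)
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	if err := json.Unmarshal(hdrJSON, &hdr); err != nil || hdr.Alg != "HS256" {
		return nil, fmt.Errorf("%w: unsupported alg", ErrInvalidToken)
	}
	// Signature first: untrusted claims are not parsed until the MAC checks out.
	mac := hmac.New(sha256.New, c.Key)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || !hmac.Equal(sig, mac.Sum(nil)) {
		return nil, fmt.Errorf("%w: bad signature", ErrInvalidToken)
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, fmt.Errorf("%w: undecodable payload", ErrInvalidToken)
	}
	var claims map[string]any
	if err := json.Unmarshal(payload, &claims); err != nil {
		return nil, fmt.Errorf("%w: malformed claims", ErrInvalidToken)
	}
	if claims["iss"] != c.Issuer || claims["aud"] != c.Audience {
		return nil, fmt.Errorf("%w: issuer or audience mismatch", ErrInvalidToken)
	}
	exp, ok := claims["exp"].(float64) // encoding/json decodes JSON numbers as float64
	if !ok || !c.Now().Before(time.Unix(int64(exp), 0)) {
		return nil, fmt.Errorf("%w: expired or missing exp", ErrInvalidToken)
	}
	return claims, nil
}

// Authenticate verifies the token and returns the configured identity claim.
func (c HeaderAuthConfig) Authenticate(token string) (string, error) {
	claims, err := c.Verify(token)
	if err != nil {
		return "", err
	}
	id, _ := claims[c.IdentityClaim].(string)
	if id == "" {
		return "", fmt.Errorf("%w: missing %q claim", ErrInvalidToken, c.IdentityClaim)
	}
	return id, nil
}

// Middleware is the shape an httpmw-style JWTAuth could take: it rejects
// requests without a valid proxy token and passes the identity down via context.
func (c HeaderAuthConfig) Middleware(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		id, err := c.Authenticate(r.Header.Get(c.Header))
		if err != nil {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r.WithContext(context.WithValue(r.Context(), userKey{}, id)))
	})
}

// MintHS256 builds a token the way a proxy would; it exists only so the
// example can run offline with a constructed key and constructed claims.
func MintHS256(key []byte, claims map[string]any) string {
	body, _ := json.Marshal(claims)
	signingInput := b64url([]byte(`{"alg":"HS256","typ":"JWT"}`)) + "." + b64url(body)
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(signingInput))
	return signingInput + "." + b64url(mac.Sum(nil))
}

func main() {
	// Constructed configuration and claims; nothing here is a real deployment value.
	cfg := HeaderAuthConfig{Header: "X-IAP-Assertion", IdentityClaim: "email",
		Issuer: "https://iap.example", Audience: "coder-example",
		Key: []byte("constructed-example-key"), Now: time.Now}
	tok := MintHS256(cfg.Key, map[string]any{"iss": cfg.Issuer, "aud": cfg.Audience,
		"email": "alice@example.com", "exp": time.Now().Add(5 * time.Minute).Unix()})
	id, err := cfg.Authenticate(tok)
	fmt.Println(id, err) // alice@example.com <nil>
	_, err = cfg.Authenticate(MintHS256([]byte("wrong-key"), map[string]any{"email": "mallory@example.com"}))
	fmt.Println(err)
}
```

The middleware deliberately returns 401 for a missing header rather than falling through to Coder's other authenticators; a deployment that lets the proxy header and the built-in session coexist needs an explicit decision about which one wins, which is what the `httpmw.APIKey` interface refactor above is for. The `/debug` endpoint in the task list would simply render the map returned by `Verify`, after the same checks, so operators can see which claim names their proxy actually emits before choosing `IdentityClaim`.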
@johnstcn johnstcn added the ☂️ epic An issue of issues label Jan 29, 2024
@johnstcn johnstcn self-assigned this Jan 29, 2024
@cdr-bot cdr-bot bot added the feature label Jan 29, 2024
@johnstcn johnstcn changed the title umbrella issue: support for external authentication via identity-aware proxies umbrella issue: support for external authentication via identity-aware proxies (a.k.a. "header-based auth") Jan 29, 2024
@matifali matifali changed the title umbrella issue: support for external authentication via identity-aware proxies (a.k.a. "header-based auth") ☂️ support for external authentication via identity-aware proxies (a.k.a. "header-based auth") Jan 29, 2024
@james-d-elliott

james-d-elliott commented Mar 10, 2024

Authelia maintainer here. May also be nice to have a means to explicitly configure a header with the username or email of the already authenticated end-user, provided there is sufficient warning about ensuring the header is explicitly set by the proxy. Willing to assist with any questions either regarding the original FR/DP or the followup.
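The caveat in the comment above, that a plain identity header is only meaningful when the proxy is the one setting it, can be enforced at the connection level. The code below is an added example written for this page, not Coder's or Authelia's code: the `TrustedHeaderConfig` type, the `Remote-Email` header and the `10.0.0.0/8` proxy range are constructed for the example. The identity in the header is accepted only when the TCP peer falls inside a configured trusted-proxy prefix; from anywhere else the header is ignored and the request is rejected, because any client can send a `Remote-User` header itself.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net/http"
	"net/netip"
	"strings"
)

// TrustedHeaderConfig describes the simpler mode the comment above asks for:
// the proxy has already authenticated the user and forwards the identity in a
// plain header. Field names are assumptions for this example, not Coder settings.
type TrustedHeaderConfig struct {
	Header         string         // e.g. "Remote-User" or "Remote-Email"
	TrustedProxies []netip.Prefix // only connections from these sources may assert an identity
}

var (
	ErrUntrustedSource = errors.New("identity header from an untrusted source")
	ErrMissingIdentity = errors.New("identity header missing or empty")
)

type userKey struct{}

// Identity returns the asserted user only when the TCP peer is a trusted proxy.
// The header alone proves nothing, so the decision rests on where the
// connection came from rather than on the header being present.
func (c TrustedHeaderConfig) Identity(remoteAddr, headerValue string) (string, error) {
	ap, err := netip.ParseAddrPort(remoteAddr)
	if err != nil {
		return "", fmt.Errorf("unparseable remote address %q: %w", remoteAddr, err)
	}
	peer := ap.Addr().Unmap() // normalise IPv4-mapped IPv6 so v4 prefixes match
	trusted := false
	for _, p := range c.TrustedProxies {
		if p.Contains(peer) {
			trusted = true
			break
		}
	}
	if !trusted {
		return "", ErrUntrustedSource
	}
	id := strings.TrimSpace(headerValue)
	if id == "" {
		return "", ErrMissingIdentity
	}
	return id, nil
}

// Middleware rejects the request unless a trusted proxy asserted an identity,
// and otherwise hands that identity to the next handler via the context.
func (c TrustedHeaderConfig) Middleware(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		id, err := c.Identity(r.RemoteAddr, r.Header.Get(c.Header))
		if err != nil {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r.WithContext(context.WithValue(r.Context(), userKey{}, id)))
	})
}

func main() {
	// Constructed configuration: a private range standing in for the proxy's address.
	cfg := TrustedHeaderConfig{Header: "Remote-Email",
		TrustedProxies: []netip.Prefix{netip.MustParsePrefix("10.0.0.0/8")}}
	fmt.Println(cfg.Identity("10.0.0.5:43210", "alice@example.com"))    // alice@example.com <nil>
	fmt.Println(cfg.Identity("203.0.113.7:43210", "alice@example.com")) // "" untrusted source
}
```

Source-address trust only works when the proxy connects directly to Coder over a network the attacker cannot reach; if a load balancer sits in between, `r.RemoteAddr` is the balancer and the prefix check must move to whatever that hop authenticates (its own mTLS or forwarded-peer information). For a hosted IAP reached over the public internet, the signed assertion in the JWT approach is the right primitive and a bare header should not be accepted at all.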

@mike-sol

I would definitely start with a simple header bearer-token style mechanism to allow bypassing such an IAP for Coder agent connections

4 participants