Support HTTP Basic Auth as an authentication mechanism
Closed, Wontfix, Public

Description

(Moving priority to "Needs Triage" since I accidentally put it to "normal" when I created it - Feel free to set it to Low)

It would be wonderful if Phabricator could have a basic-auth "auth", meaning that apache/nginx/whatever is the one that authenticates the user and Phabricator just trusts and creates the user based on $_SERVER['REMOTE_USER'].

That would also sort of solve T742 since Apache can use LDAP as a backend for basic-auth.

Event Timeline

auduny triaged this task as Normal priority. Jan 31 2012, 3:06 PM
auduny added a project: Phabricator.
auduny added a subscriber: auduny.
auduny raised the priority of this task from Normal to Needs Triage. Apr 27 2012, 7:38 PM
auduny updated the task description.
btrahan added a subscriber: btrahan.

This is fairly easy to do for the web, but pretty hopeless/messy for Conduit and has a lot of undesirable implications for policy enforcement. Since we now support LDAP and password-based registration I don't plan to implement this.

If you're unfazed by the mess this implies, you can implement it yourself by extending PhabricatorAuthProvider; providers are now automatically discovered at runtime.

@psigen built an implementation of this and solved the Conduit thing by scoping the auth requirement:

https://github.com/psigen/libphremoteuser

I plan to bring this to the upstream when I have some time.

I made an AuthProvider that performs basic authentication via $REMOTE_USER and packaged it as a library:

https://github.com/psigen/libphremoteuser

It's pretty simple, feel free to steal whatever chunks you need.

epriestley renamed this task from Basic Auth to Support HTTP Basic Auth as an authentication mechanism. Jan 6 2015, 12:52 AM

REMOTE_USER can come from a lot more sources than just HTTP Basic Auth. E.g. I would use it for GSSAPI authentication. Could you maybe change the bug title?

Is using psigen's libphremoteuser still the only way to achieve this?

There have been no commits to his repo since 2013 and it is broken against current stable Phab.

avivey changed the visibility from "All Users" to "Public (No Login Required)". Oct 30 2015, 3:03 AM

It's not broken, I eventually sorted it. The first question still stands. Thanks!

AFAIK, it is still the only way to do this. I added some bits to it to automatically populate email and name when registering, for the case where authentication is done against an ActiveDirectory instance via Kerberos and LDAP, which I published at https://github.com/make-all/libphremoteuser

It appears someone else has forked it too for similar purposes, also adding icon support.

Hi guys. Unfortunately, my organization is no longer using Phabricator, so I'm not really able to maintain libphremoteuser at this time.

I'm happy to help redirect people to a more active maintainer if someone wants to take it on. Also, if it happens to still be working, I can accept PRs to the README.md that help people use it. I'm reluctant to accept code PRs since I can't really vet them carefully: I'd rather just redirect people to an active fork.

eadler added a project: Restricted Project. Apr 7 2016, 6:13 PM
eadler moved this task from Restricted Project Column to Restricted Project Column on the Restricted Project board. Apr 7 2016, 6:13 PM

Unsure if this fits into this task or not, but with only a single auth provider enabled for login it would be nice if it were transparent (and got automatically selected) rather than requiring the user to press a button.

That feature exists, but it's currently only supported for the Phabricator provider. There's no technical reason we can't support it on other providers, it was just built very narrowly for a Phacility (SAAS) use case and it was simpler to keep it narrowly scoped:

Should I file a separate task for the general feature request?

eadler moved this task from Restricted Project Column to Restricted Project Column on the Restricted Project board. Jul 4 2016, 9:05 PM

At this point, I don't anticipate this ever coming upstream. This is probably a good candidate for third-party maintenance after T5055.