Page MenuHomePhabricator

Support HTTP Basic Auth as an authentication mechanism
Closed, WontfixPublic

Description

(Moving priority to "Needs Triage" since I accidentally put it to "normal" when i created it - Feel free to set it to Low)

It would be wonderfull if phabricator could have a basic-auth "auth" meaning that apache/nginx/whatever is the one that authenticates the user and phabricator just trusts and creates user based on $_SERVER['REMOTE_USER']

That would also sort of solve T742 since apache can use ldap as a backend for basic-auth.

Event Timeline

auduny triaged this task as Normal priority.Jan 31 2012, 3:06 PM
auduny added a project: Phabricator.
auduny added a subscriber: auduny.
hvaara added a subscriber: hvaara.Feb 16 2012, 8:50 AM
auduny raised the priority of this task from Normal to Needs Triage.Apr 27 2012, 7:38 PM
auduny updated the task description. (Show Details)
btrahan triaged this task as Low priority.May 15 2012, 3:00 PM
btrahan added a subscriber: btrahan.
paxswill added a subscriber: paxswill.
epriestley edited this Maniphest Task.Feb 11 2013, 5:08 PM
hvaara removed a subscriber: hvaara.Feb 11 2013, 5:09 PM
epriestley closed this task as Wontfix.Jun 20 2013, 6:39 PM

This is fairly easy to do for the web, but pretty hopeless/messy for Conduit and has a lot of undesirable implications for policy enforcement. Since we now support LDAP and password-based registration I don't plan to implement this.

If you're unfazed by the mess this implies, you can implement it yourself by extending PhabricatorAuthProvider; providers are now automatically discovered at runtime.

epriestley reopened this task as Open.Aug 16 2013, 12:12 AM

@psigen build an implementation of this and solved the Conduit thing by scoping the auth requirement:

https://github.com/psigen/libphremoteuser

I plan to bring this to the upstream when I have some time.

I made an AuthProvider that performs basic authentication via $REMOTE_USER and packaged it as a library:

https://github.com/psigen/libphremoteuser

It's pretty simple, feel free to steal whatever chunks you need.

Awesome news. Thanks guys.

epriestley renamed this task from Basic Auth to Support HTTP Basic Auth as an authentication mechanism.Jan 6 2015, 12:52 AM

REMOTE_USER can come from a lot more sources than just HTTP Basic Auth. E.g. I would use it for GSSAPI authentication. Could you maybe change the bug title?

Is using psigen's libphremoteuser still the only way to achieve this?

There's been no commits to his repo since 2013 and it is broken against current stable Phab.

avivey changed the visibility from "All Users" to "Public (No Login Required)".Oct 30 2015, 3:03 AM

Is using psigen's libphremoteuser still the only way to achieve this?
There's been no commits to his repo since 2013 and it is broken against current stable Phab.

It's not broken, I eventually sorted it. The first question still stands. Thanks!

AFAIK, it is still the only way to this. I added some bits to it to automatically populate email and name when registering, for the case where authentication is done against an ActiveDirectory instance via kerberos and LDAP, which I published at https://github.com/make-all/libphremoteuser

It appears someone else has forked it too for similar purposes, also adding icon support.

Hi guys. Unfortunately, my organization is no longer using phabricator, so I'm not really able to maintain libphremoteuser at this time.

I'm happy to help redirect people to a more active maintainer if someone wants to take it on. Also, if it happens to still be working, I can accept PRs to the README.md that help people use it. I'm reluctant to accept code PRs since I can't really vet them carefully: I'd rather just redirect people to an active fork.

eadler added a project: Restricted Project.Apr 7 2016, 6:13 PM
eadler moved this task from Restricted Project Column to Restricted Project Column on the Restricted Project board.Apr 7 2016, 6:13 PM

Unsure if fits into this task or not but with only a single auth provider enabled for login it would be nice if it were transparent (and got automatically selected) rather than requiring the user to press a button.

That feature exists, but it's currently only supported for the Phabricator provider. There's no technical reason we can't support it on other providers, it was just built very narrowly for a Phacility (SAAS) use case and it was simpler to keep it narrowly scoped:

Should I file a separate task for the general feature request?

kaya added a subscriber: kaya.May 26 2016, 3:16 AM
eadler moved this task from Restricted Project Column to Restricted Project Column on the Restricted Project board.Jul 4 2016, 9:05 PM
urzds added a subscriber: urzds.Jul 12 2017, 11:15 AM
epriestley closed this task as Wontfix.Dec 12 2018, 8:23 PM

At this point, I don't anticipate this ever coming upstream. This is probably a good candidate for third-party maintenance after T5055.