orinoco/dump-things-server
5
0
Fork 1
Code Issues 29 Pull requests Packages Activity Actions

Support external identity provider/authentication source #102

New issue
Closed
opened 2025-08-16 06:32:03 +00:00 by mih · 4 comments
mih commented 2025-08-16 06:32:03 +00:00 (Migrated from github.com)
Copy link

Presently, access token and user identity need to be hard-coded in the server config. With our next deployment, this means >100 users. This implies substantial maintenance load:

  • C&P errors for user ID and sending auth tokens
  • token updates for users that lost their token, or from mandatory invalidation

An external identity provider would help here. Below is a sketch of a possible scenario that would be very convenient for our use cases:

Only have the following in the config, for a particular (or all) collection(s):

  • Forgejo API root
  • identifier of a forgejo project
  • Forgejo API access token with appropriate permissions for that project

With an incoming request, the server checks whether an included token gives (a particular kind of) access to the configured project. If so, it grants access to the dump and perform the action, using the Forgejo user identity.

With this setup, users only need to be added once to the respective project, and from there on can generate and regenerate access tokens whenever they want or need.

Presently, access token and user identity need to be hard-coded in the server config. With our next deployment, this means >100 users. This implies substantial maintenance load: - C&P errors for user ID and sending auth tokens - token updates for users that lost their token, or from mandatory invalidation An external identity provider would help here. Below is a sketch of a possible scenario that would be very convenient for our use cases: Only have the following in the config, for a particular (or all) collection(s): - Forgejo API root - identifier of a forgejo project - Forgejo API access token with appropriate permissions for that project With an incoming request, the server checks whether an included token gives (a particular kind of) access to the configured project. If so, it grants access to the dump and perform the action, using the Forgejo user identity. With this setup, users only need to be added once to the respective project, and from there on can generate and regenerate access tokens whenever they want or need.
mih commented 2025-08-16 07:23:22 +00:00 (Migrated from github.com)
Copy link

This appears to be straightforward to do:

curl -X 'GET' \
  'https://<forgejohost>/api/v1/repos/<owner>/<repo>' \
  -H 'accept: application/json' \
  -H 'Authorization: token <usertoken>'

Yield a JSON object with a permissions key:

{
  "permissions": {
    "admin": false,
    "push": true,
    "pull": true
  },
  ...
}

For a token that has no write permissions, push would be false.

This appears to be straightforward to do: ``` curl -X 'GET' \ 'https://<forgejohost>/api/v1/repos/<owner>/<repo>' \ -H 'accept: application/json' \ -H 'Authorization: token <usertoken>' ``` Yield a JSON object with a `permissions` key: ``` { "permissions": { "admin": false, "push": true, "pull": true }, ... } ``` For a token that has no write permissions, `push` would be `false`.
mih commented 2025-08-25 06:59:32 +00:00 (Migrated from github.com)
Copy link

I just realized that, while better for all other goal, it would be easier for a TRR user if the auth check would go against the TRR gitlab instance API.

I just realized that, while better for all other goal, it would be easier for a TRR user if the auth check would go against the TRR gitlab instance API.
mih commented 2025-08-26 07:28:05 +00:00 (Migrated from github.com)
Copy link

In order to place a complete submitted record, it needs two more bits of information that would need to be inferred from an API query of an identity provider:

  • submitter id
  • incoming areas label

Idea for a forgejo provider (should be doable in the same fashion for any git hoster).

submitter id

The https://<forgejohost>/api/v1/user endpoint provides a number of properties such as login, login_name, id, email, username. Any and all of these could be used as an identifier. It could become a configuration item, which of them to use for a particular deployment.

incoming area label

This could also be the submitter id chosen above, in case the shall be isolation of submitters. Alternatively, a submitter's team association could be used to determine an incoming label.

The https://<forgejohost>/api/v1/repos/<owner>/<repo>/teams endpoint lists all known teams for the reference repo. This information could be obtained once and remain cached (for some time).

From https://<forgejohost>/api/v1/user/teams it could now be determined, which team a user is part of (assuming one, and enforcing a 1:1 association). The name property of the matching team could be used as an incoming label.

In order to place a complete submitted record, it needs two more bits of information that would need to be inferred from an API query of an identity provider: - submitter id - incoming areas label Idea for a forgejo provider (should be doable in the same fashion for any git hoster). ### submitter id The `https://<forgejohost>/api/v1/user` endpoint provides a number of properties such as `login`, `login_name`, `id`, `email`, `username`. Any and all of these could be used as an identifier. It could become a configuration item, which of them to use for a particular deployment. ### incoming area label This could also be the submitter id chosen above, in case the shall be isolation of submitters. Alternatively, a submitter's team association could be used to determine an incoming label. The `https://<forgejohost>/api/v1/repos/<owner>/<repo>/teams` endpoint lists all known teams for the reference repo. This information could be obtained once and remain cached (for some time). From `https://<forgejohost>/api/v1/user/teams` it could now be determined, which team a user is part of (assuming one, and enforcing a 1:1 association). The `name` property of the matching team could be used as an incoming label.
christian-monch commented 2025-09-18 07:45:02 +00:00 (Migrated from github.com)
Copy link

Addressed by PR #129, published in version 3.1.0

Addressed by PR #129, published in version 3.1.0
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
master
dynamic-configuration
audit-with-apply-change-set
forgejo-labels
maintenance-command
move-workflow-to-forgejo
classes-in-server-endpoint
redirect-root
linkml-test
issue-175
fix_any_of
forgejo-authsource-caching
issue-168
graphql
5.6.1
5.6.0
5.5.0
5.4.0
5.3.6
5.3.5
5.3.4
5.3.3
5.3.2
5.3.1
5.3.0
5.2.1
5.2.0
5.1.1
5.1.0
5.0.3
5.0.2
5.0.1
5.0.0
4.7.0
4.6.1
4.6.0
4.5.3
4.5.2
4.5.1
4.5.0
4.4.0
4.3.1
4.2.0
4.3.0
4.1.1
4.1.0
4.0.0
3.6.0
3.5.0
3.3.3
3.3.2
3.3.1
3.3.0
3.2.1
3.1.0
3.0.1
3.0.0
2.4.1
2.3.4
2.3.3
2.4.0
2.3.2
2.3.0
2.2.0
2.1.0
2.0.1
2.0.0
1.1.0
1.0.0
0.5.0
0.4.0
0.3.0
0.2.7
0.2.6
0.2.5
0.2.4
0.2.3
0.2.2
0.2.1
0.2.0
0.1.1
0.1.0
labelless
Labels
Clear labels   
bug

Something isn't working

  
documentation

Improvements or additions to documentation

  
duplicate

This issue or pull request already exists

  
enhancement

New feature or request

  
good first issue

Good for newcomers

  
help wanted

Extra attention is needed

  
invalid

This doesn't seem right

  
question

Further information is requested

  
wontfix

This will not be worked on

No labels
bug
documentation
duplicate
enhancement
good first issue
help wanted
invalid
question
wontfix
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
orinoco/dump-things-server#102
No description provided.