Added configuration option to skip OIDC authorization checks for certain endpoints #969
Conversation
Thanks for the PR! That's a very useful feature. I think we need to document it better, especially for less technical users who may not be familiar with the term "endpoint", and include examples of it in https://sql-page.com/sso/

Also, I'm wondering whether a prefix whitelist wouldn't be more useful than an individual endpoint blacklist. When you have a public site that has a subsection that is reserved to authorized users, you would configure

```json
{
  "oidc_protected_path_prefix": ["/private"]
}
```

This way you could put authenticated files in a folder and not have to configure more.
This commit replaces the OIDC endpoint blacklist with a path prefix whitelist. This is a more intuitive and secure approach for managing protected routes. The new `oidc_protected_paths` configuration option allows users to specify a list of URL prefixes that require OIDC authentication. By default, all paths are protected. The documentation has been updated to reflect this change, with clear examples and more user-friendly language.
This commit improves the OIDC documentation and the "single sign on" example to better demonstrate how to create a selective login system. The main documentation now includes a section on creating a public login page and the "single sign on" example has been updated to reflect this pattern.
This commit improves the "single sign on" example to better demonstrate a public information page that adapts to the user's login status and a separate protected page.
This commit updates the main configuration documentation to reflect the new `oidc_protected_paths` option. It removes the outdated `oidc_skip_endpoints` and provides a more detailed explanation of how to create a mix of public and private pages.
- Update docker compose command to use `--watch` flag
- Add watch configuration for SQLPage development
- Enhance login page with hero component and better styling
- Simplify protected page welcome message
- Fix OIDC middleware path check logic
- Update protected paths in config to use `/protected` instead of `/protected.sql`

We still want to be able to access the authenticated user's info in non-authenticated parts of the app. We crucially need to check `request.path() == SQLPAGE_REDIRECT_URI` before the `protected_paths` check.
@lenardt-gerhardts I made a few changes, let me know what you think.

Yeah, I thought about regex pattern matching for the endpoints, to get rid of problems with assets a colleague of mine had. That being said, I really like your idea. We could also implement both and let the user decide which method they want to use. In my opinion a whitelist is the better option security-wise, but of course both can be misconfigured. Let me know if you want me to work on the whitelist and if it should contain the regex or not :D

Yes, good idea. Could you add an I think regex configuration is more complicated than needed, and is hard to teach to folks who are not already comfortable with regular expressions.

On it. I would personally like to be able to use wildcards like "/*.private.sql" but I'll leave that decision to you.

I've added the whitelist option.
The documentation now provides clearer examples and explains the interaction between public and protected paths more precisely. Also removes the now-unused default_oidc_public_paths function since the field's default is handled by serde's default for Vec.
The new `is_public_path` method consolidates the logic for checking if a path should bypass OIDC authentication. This replaces the previous inline checks for public and protected paths.
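The following is an added example, not SQLPage's own code, modelling the path decision this thread converges on: the protected-prefix whitelist suggested in the first review comment, the public-path override from the later commits, and the rule from the review that the OIDC callback must be checked before the protected-path check. The type name `OidcPathPolicy`, the field names, the precedence order (callback first, then public prefixes, then protected prefixes, deny by default) and the callback path value are assumptions made for illustration; it also goes slightly beyond the thread by normalizing `..` segments and matching prefixes per path segment, two places where a naive prefix check is commonly wrong.

```rust
// Added example, not SQLPage's own code: a small model of the public/protected
// path decision discussed in this PR. Names, precedence order and sample values
// are assumptions made for illustration.

/// Subset of the OIDC configuration discussed in the PR.
#[derive(Debug, Clone)]
pub struct OidcPathPolicy {
    /// URL prefixes that require OIDC login. Empty means "everything is protected",
    /// the deny-by-default behaviour described in the PR.
    pub protected_paths: Vec<String>,
    /// URL prefixes that never require login, even below a protected prefix
    /// (e.g. "/protected/public" under "/protected").
    pub public_paths: Vec<String>,
    /// The OIDC callback path; it must always be reachable or the provider can
    /// never complete a login (the point raised in the review comment above).
    pub redirect_uri: String,
}

impl OidcPathPolicy {
    /// Resolve "." and ".." segments and collapse repeated or trailing slashes,
    /// so "/protected/public/../secret.sql" is judged as "/protected/secret.sql".
    fn normalize(path: &str) -> String {
        let mut segments: Vec<&str> = Vec::new();
        for seg in path.split('/') {
            match seg {
                "" | "." => {}
                ".." => {
                    segments.pop();
                }
                s => segments.push(s),
            }
        }
        format!("/{}", segments.join("/"))
    }

    /// Segment-aware prefix match: "/private" covers "/private" and "/private/x"
    /// but not "/privateer", so a protected prefix cannot be escaped by appending
    /// characters to it. A prefix of "/" covers everything.
    fn has_prefix(path: &str, prefix: &str) -> bool {
        let prefix = Self::normalize(prefix);
        let prefix = prefix.as_str();
        if prefix == "/" {
            return true;
        }
        path == prefix
            || path
                .strip_prefix(prefix)
                .map_or(false, |rest| rest.starts_with('/'))
    }

    /// Returns true when the request may be served without an OIDC session.
    pub fn is_public_path(&self, raw_path: &str) -> bool {
        let path = Self::normalize(raw_path);
        // 1. The callback is checked before anything else (review comment above).
        if path == Self::normalize(&self.redirect_uri) {
            return true;
        }
        // 2. Explicit public prefixes win over protected ones.
        if self.public_paths.iter().any(|p| Self::has_prefix(&path, p)) {
            return true;
        }
        // 3. No protected prefixes configured: deny by default.
        if self.protected_paths.is_empty() {
            return false;
        }
        // 4. Otherwise only the listed prefixes require login.
        !self.protected_paths.iter().any(|p| Self::has_prefix(&path, p))
    }
}

/// Policy matching the example configuration from this PR's commits
/// ("/protected" protected, "/protected/public" public); the callback path
/// is a constructed placeholder, not SQLPage's real redirect URI.
pub fn example_policy() -> OidcPathPolicy {
    OidcPathPolicy {
        protected_paths: vec!["/protected".to_string()],
        public_paths: vec!["/protected/public".to_string()],
        redirect_uri: "/sqlpage/oidc_callback".to_string(),
    }
}

fn main() {
    let policy = example_policy();
    for path in [
        "/",
        "/protected/secret.sql",
        "/protected/public/info.sql",
        "/protected/public/../secret.sql",
        "/protectedx",
        "/sqlpage/oidc_callback",
    ] {
        println!("{path:<36} public={}", policy.is_public_path(path));
    }
}
```

The ordering matters for the failure modes discussed in the thread: checking the callback first keeps login working regardless of how prefixes are configured, and normalizing before matching means a request such as `/protected/public/../secret.sql` is treated as the protected file it actually resolves to, rather than passing the public-prefix check on its raw text.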
- Change hero image path in login page
- Remove protected.sql as it's no longer needed
- Update sqlpage.yaml to allow public access to /protected/public
Added a configuration field called "oidc_skip_endpoints" which is a Vec of endpoints that should be ignored by the OIDC Authentication.
This would also resolve issue #949