BookStack
Mix/combine `AUTH_METHOD` options
Is there a possibility to log in with a mixed method: LDAP or simple user registration, chosen by the user?
Hi @pbordon, would you be able to provide insight into the environment where you'd want this and the benefits this would bring?
In my organization, we have internal users, connected to an AD, and external users, who are many and vary over time. Therefore I wanted to implement login via LDAP for internal users and let external users register separately.
Updating this to be generic to methods, and merging similar issues into this.
Any plans to add this to your roadmap or implement this? Internal SSO with guest access seems pretty common.
@abulgatz Probably not anytime too soon, to be totally honest. It's high-risk, low demand, low target audience, high support & maintenance. Therefore it doesn't look worth including at this time.
I'm in the same case, I mean I have content for internal users (Azure) and content for customers (self-register).
Hi, I have opened #4401 and because it was closed, I would like to continue the discussion here.
One of the reasons why we would like to see this feature was:
So, I understand that it's not a high-level feature request on your roadmap. In our opinion, the ability to authenticate with different types of identities (local DB users, OIDC, LDAP) is something like an industry standard and should be possible.
One of the reasons is the following: typically, OIDC providers are services in the cloud (if you use SaaS IdPs it might be Auth0, or if you self-host an IdP, it might be located on a remote site of your company).
If you only allow OIDC at the same time, you can't log in to BookStack anymore if you don't have WAN/Internet connectivity anymore. And because we would like to use BookStack as a documentation system for emergency manuals too, we would like to have the possibility to log in with different types of accounts (local DB accounts or maybe LDAP accounts from a local Active Directory) as a fallback method.
An admin should always have the possibility to access a system in case of technical problems (bad WAN/Internet connectivity).
This was answered by @ssddanbrown with the following argument:
Okay. Could always flip the auth method in an emergency.
This would be like replacing the electronic door locks with bearded locks in case of a power failure before entering the building.
And changing a config only to access your documentation system is not what you want to do in an emergency situation. And not everyone who needs access to the system in such a situation has the ability or possibility to do this.
@GitTH Like this?
Third party auth sources work alongside primary auth options, so you may be able to use Azure/Google third party options alongside standard email auth.
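Both operational points raised in this thread (the maintainer's "flip the auth method in an emergency" and the note that third-party providers such as Azure run alongside the standard email login) come down to editing BookStack's `.env`. The script below is an added example, not code from the BookStack project or from any commenter. It assumes the variable names from BookStack's `.env.example` (`AUTH_METHOD`, `AZURE_APP_ID`, `AZURE_APP_SECRET`, `AZURE_TENANT`, `AZURE_AUTO_REGISTER`), which you should verify against your installed version; the function names are hypothetical and the sample `.env` it writes is constructed for the demonstration.

```shell
#!/bin/sh
# Added example: in-place editing of a BookStack .env for the two cases
# discussed in this thread. Not BookStack project code. Variable names follow
# BookStack's .env.example (assumption: verify against your version).

# Write a constructed sample .env (demo input only): SSO-only, social login off.
write_sample_env() { # file
  cat > "$1" <<'EOF'
APP_URL=https://docs.example.com
AUTH_METHOD=oidc
OIDC_NAME=Example SSO
OIDC_ISSUER=https://idp.example.com
AZURE_APP_ID=false
AZURE_APP_SECRET=false
AZURE_TENANT=false
EOF
}

# Read the first value of KEY from a dotenv file (empty output if absent).
get_env_var() { # file key
  sed -n "s/^$2=//p" "$1" | head -n 1
}

# Set KEY=VALUE in place: replace every existing KEY= line, or append one.
# The value is passed through ENVIRON so backslashes in secrets survive
# (awk -v would interpret them). The previous file is kept as FILE.bak,
# i.e. the state before the most recent call, so a one-line flip can be
# reverted with: cp FILE.bak FILE
set_env_var() { # file key value
  f=$1 k=$2 v=$3
  tmp=$(mktemp) || return 1
  K="$k" V="$v" awk '
    BEGIN { k = ENVIRON["K"]; v = ENVIRON["V"] }
    index($0, k "=") == 1 { print k "=" v; seen = 1; next }
    { print }
    END { if (!seen) print k "=" v }
  ' "$f" > "$tmp" || return 1
  cp "$f" "$f.bak" && mv "$tmp" "$f"
}

# Emergency fallback from the thread: switch the primary method back to the
# built-in email/password login so a local admin can get in without the IdP.
emergency_local_login() { # file
  set_env_var "$1" AUTH_METHOD standard
}

# The mix BookStack does support today: standard login as the primary method,
# with Azure added as a social provider next to it (auto-register enabled so
# Azure users get an account on first login).
enable_standard_plus_azure() { # file app_id secret tenant
  set_env_var "$1" AUTH_METHOD standard &&
  set_env_var "$1" AZURE_APP_ID "$2" &&
  set_env_var "$1" AZURE_APP_SECRET "$3" &&
  set_env_var "$1" AZURE_TENANT "$4" &&
  set_env_var "$1" AZURE_AUTO_REGISTER true
}
```

Usage: `emergency_local_login /var/www/bookstack/.env` during the outage, then `cp .env.bak .env` afterwards. If you cache configuration (Laravel's `php artisan config:cache`), the edit only takes effect after `php artisan config:clear`. Note that this is exactly the manual step the objection above is about: someone with shell access to the host has to be reachable during the outage.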
Plus one for this feature request. LDAP may work or not, but I would like to configure local admin access at any time. Gitea has this feature, and it makes it easy to configure an admin for maintenance and config, without depending on LDAP, while importing local users with LDAP. My scenario is simpler than generic mix and match, and could be a starting point.
This feature would be very useful. This way we would be able to sign in from our internal system using SAML2 and have external accounts who sign in using email and password.