
Trusted Header Authentication

Open dakriy opened this issue 1 year ago • 5 comments

Is your feature request related to a problem?

This is related to #1188, but the solution provided in the enterprise plan is much more enterprise oriented and does not meet some of the needs that I have or that others voiced in that ticket. It would be nice to support simple trusted header auth (like what Authelia provides) without having to go to the SigNoz login page. I implemented all of the code already and don't want to maintain my own separate fork, and thought other self-hosters that don't have the extra cash to spare on an enterprise plan, like myself, could benefit. This functionality is not currently in any enterprise plan and it would serve a hobbyist need rather than the more organizationally focused needs provided in the enterprise plan.

Describe the solution you'd like

Allow for simple trusted header login without showing the login page configured with environment variables (no GUI needed). This solution is already mostly implemented and working on my local dev machine.

Describe alternatives you've considered

  • Paying for an enterprise plan (I'm poor and it doesn't meet my needs).
  • Maintaining my own fork :(
  • Opening up a self-hosted hobbyist SigNoz instance to the world wide web. I don't like having many different username/passwords on many different logins across my services. Also I like to protect all my services behind a more security-focused, trustworthy gateway, as I have seen multiple 0-days occur with services I have run where having them under one single roof has prevented my home lab from getting hacked. Additionally, it is easier for people who don't keep up with movements in the security world and have limited time to be pedantic about keeping one important auth service up to date rather than everything.
  • Having 2 login pages. Really annoying.

Thank you guys for this project! I am loving it so far!

dakriy avatar Oct 15 '24 19:10 dakriy
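
Added example (not from this thread, the attached patches, or SigNoz's code base): the core check that trusted header authentication depends on, accepting the identity header only when the connection comes from the reverse proxy's address and removing it otherwise. The header name `Remote-User` follows Authelia's convention; `TrustedUser`, `Middleware` and the proxy address are hypothetical.

```go
package main

import (
	"context"
	"fmt"
	"net"
	"net/http"
	"net/netip"
)

const userHeader = "Remote-User" // assumption: Authelia-style header name
type userKey struct{}

// TrustedUser (hypothetical helper) returns the user asserted in userHeader,
// but only when the TCP peer (not X-Forwarded-For) is a trusted proxy and the
// header appears exactly once. "" means: no trusted identity, use normal login.
func TrustedUser(trusted []netip.Prefix, remoteAddr string, h http.Header) string {
	host, _, err := net.SplitHostPort(remoteAddr)
	if err != nil {
		return ""
	}
	peer, err := netip.ParseAddr(host)
	if err != nil {
		return ""
	}
	for _, p := range trusted {
		if v := h.Values(userHeader); p.Contains(peer.Unmap()) && len(v) == 1 {
			return v[0]
		}
	}
	return ""
}

// Middleware resolves the identity, then deletes the raw header so handlers
// further down can only see the value that passed the peer check.
func Middleware(trusted []netip.Prefix, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		user := TrustedUser(trusted, r.RemoteAddr, r.Header)
		r.Header.Del(userHeader)
		next.ServeHTTP(w, r.WithContext(context.WithValue(r.Context(), userKey{}, user)))
	})
}

func main() {
	proxy := []netip.Prefix{netip.MustParsePrefix("10.0.0.2/32")} // constructed address
	h := http.Header{userHeader: {"alice"}}
	fmt.Printf("%q\n", TrustedUser(proxy, "10.0.0.2:41000", h))    // via the auth proxy
	fmt.Printf("%q\n", TrustedUser(proxy, "203.0.113.9:41000", h)) // direct client, header ignored
}
```

The check is only as strong as the network path: the application port should be reachable solely through the proxy, and the proxy should overwrite any client-supplied copy of the header.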

Thanks for opening this issue. A team member should give feedback soon. In the meantime, feel free to check out the contributing guidelines.

welcome[bot] avatar Oct 15 '24 19:10 welcome[bot]

@dakriy are you happy to share the pull request for this feature? I also would greatly prefer to have a dedicated security focused auth gateway in front of all services. I'm happy to help maintain it on a public repo if it doesn't get merged.

dblundell avatar Nov 21 '24 10:11 dblundell

@dblundell @dakriy I opened https://github.com/SigNoz/signoz/pull/6825 as a starting point.

mgilham avatar Jan 15 '25 22:01 mgilham

In the meantime, here is my workaround: https://github.com/scolastico-dev/s.Containers/blob/main/src/signoz-auth-proxy/README.md

scolastico avatar Feb 28 '25 11:02 scolastico

@dblundell sorry I didn't see your reply until now. I don't check my GitHub notifications often...

Here is the diff for what I did; it may help @mgilham if he wants to integrate any of it into his PR.

feat__Add_trusted_header_SSO_auth.txt

dakriy avatar Jun 10 '25 17:06 dakriy

Here is an updated version for 0.87.0

task__header_auth.patch.txt

dakriy avatar Jun 25 '25 00:06 dakriy

Here is an updated version for 0.101.0

task__header_auth.patch

dakriy avatar Nov 19 '25 20:11 dakriy