
Feature Request: Token authentication via JWT and JWKS

Open programmerq opened this issue 1 year ago • 2 comments

I am using an authenticating proxy that has the ability to inject an HTTP header with a JWT.

I'd like to put Docspell behind this.

While OIDC makes use of JWT tokens, OIDC is its own thing.

Essentially, Docspell would need to have a few configuration options:

  • URL endpoint for the java web key set (jwks). Usually this would be something like https://mydomain.com/.well-known/jwks.json
  • Configurable place to look for the JWT header. This could be an arbitrary MyGreatJWT: <token> or even Authorization: Bearer: <token>.
  • perhaps a configurable audience (aud).

The JWT would include information about the authenticated user. Usually it has at least a username, but different JWT providers can provide different things. If the user doesn't already exist, it would need to be created. The JWT can have information like groups and roles, so that could inform what collection should be used.

For reference, I am using Teleport app access. I work for Teleport, and I'm trying to put Teleport and Docspell into my homelab.

programmerq avatar May 09 '23 01:05 programmerq
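As an added example, not code from this issue or from Docspell, the checks the requested middleware would have to make, written in Go against the standard library only. Everything specific is an assumption: the header name, the claim names `sub` and `groups`, the audience string `docspell`, and an ES256 (P-256) signing key. A real deployment fetches the key set from the issuer's JWKS URL and caches it; here `MintToken` and `JWKSFor` play the issuer so the block runs offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"net/http"
	"strings"
	"time"
)

// Assumed shapes: jwk/jwks decode a jwks.json document (encoding/json matches
// "kty", "keys" etc. case-insensitively); Claims is what this example maps to a
// user (sub) and its groups. Real issuers vary; aud is modelled as one string.
type jwk struct{ Kty, Crv, Kid, X, Y string }
type jwks struct{ Keys []jwk }
type Claims struct {
	Sub    string   `json:"sub"`
	Aud    string   `json:"aud"`
	Exp    int64    `json:"exp"`
	Groups []string `json:"groups,omitempty"`
}

var b64 = base64.RawURLEncoding

// extractToken reads the JWT from the configured header name (an assumed setting).
// Authorization must carry the Bearer scheme; a custom header is taken verbatim.
func extractToken(h http.Header, name string) (string, error) {
	v := strings.TrimSpace(h.Get(name))
	if v == "" { return "", fmt.Errorf("missing header %s", name) }
	if !strings.EqualFold(name, "Authorization") { return v, nil }
	if len(v) < 8 || !strings.EqualFold(v[:7], "Bearer ") { return "", fmt.Errorf("%s does not carry a Bearer token", name) }
	return strings.TrimSpace(v[7:]), nil
}

// pubKeyFor resolves kid in the set; only a well-formed point on P-256 is accepted.
func pubKeyFor(set jwks, kid string) (*ecdsa.PublicKey, error) {
	for _, k := range set.Keys {
		if k.Kid != kid { continue }
		x, errX := b64.DecodeString(k.X)
		y, errY := b64.DecodeString(k.Y)
		if k.Kty != "EC" || k.Crv != "P-256" || errX != nil || errY != nil { return nil, fmt.Errorf("kid %q is not a well-formed P-256 key", kid) }
		pub := &ecdsa.PublicKey{Curve: elliptic.P256(), X: new(big.Int).SetBytes(x), Y: new(big.Int).SetBytes(y)}
		if !pub.Curve.IsOnCurve(pub.X, pub.Y) { return nil, fmt.Errorf("kid %q is not on P-256", kid) }
		return pub, nil
	}
	return nil, fmt.Errorf("no key with kid %q", kid)
}

// VerifyJWT validates a compact JWS: alg is pinned to ES256 (so "none" or an HMAC
// downgrade is refused before any key lookup), kid must exist in the set, the
// signature must cover header.payload, and exp, aud and sub are enforced.
func VerifyJWT(token string, set jwks, audience string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 { return nil, fmt.Errorf("token is not a compact JWS") }
	hb, err := b64.DecodeString(parts[0])
	if err != nil { return nil, err }
	var hdr struct{ Alg, Kid string }
	if err := json.Unmarshal(hb, &hdr); err != nil { return nil, err }
	if hdr.Alg != "ES256" { return nil, fmt.Errorf("refusing alg %q", hdr.Alg) }
	pub, err := pubKeyFor(set, hdr.Kid)
	if err != nil { return nil, err }
	sig, err := b64.DecodeString(parts[2])
	if err != nil || len(sig) != 64 { return nil, fmt.Errorf("malformed ES256 signature") }
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if !ecdsa.Verify(pub, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return nil, fmt.Errorf("signature does not verify under kid %q", hdr.Kid)
	}
	pb, err := b64.DecodeString(parts[1])
	if err != nil { return nil, err }
	var c Claims
	if err := json.Unmarshal(pb, &c); err != nil { return nil, err }
	if c.Exp == 0 || !now.Before(time.Unix(c.Exp, 0)) { return nil, fmt.Errorf("token expired or has no exp") }
	if c.Aud != audience { return nil, fmt.Errorf("aud %q is not %q", c.Aud, audience) }
	if c.Sub == "" { return nil, fmt.Errorf("token has no sub to map to a user") }
	return &c, nil
}

// MintToken and JWKSFor stand in for the proxy's issuer so the example runs offline.
func MintToken(priv *ecdsa.PrivateKey, kid string, c Claims) (string, error) {
	hb, _ := json.Marshal(map[string]string{"alg": "ES256", "typ": "JWT", "kid": kid})
	pb, _ := json.Marshal(c)
	input := b64.EncodeToString(hb) + "." + b64.EncodeToString(pb)
	digest := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, priv, digest[:])
	if err != nil { return "", err }
	sig := append(r.FillBytes(make([]byte, 32)), s.FillBytes(make([]byte, 32))...) // JWS wants raw r||s, not ASN.1
	return input + "." + b64.EncodeToString(sig), nil
}

func JWKSFor(pub *ecdsa.PublicKey, kid string) jwks {
	enc := func(n *big.Int) string { return b64.EncodeToString(n.FillBytes(make([]byte, 32))) }
	return jwks{Keys: []jwk{{Kty: "EC", Crv: "P-256", Kid: kid, X: enc(pub.X), Y: enc(pub.Y)}}}
}

func main() {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tok, _ := MintToken(priv, "k1", Claims{Sub: "alice", Aud: "docspell", Exp: time.Now().Add(time.Hour).Unix(), Groups: []string{"homelab"}})
	raw, _ := extractToken(http.Header{"Authorization": {"Bearer " + tok}}, "Authorization")
	fmt.Println(VerifyJWT(raw, JWKSFor(&priv.PublicKey, "k1"), "docspell", time.Now()))
}
```

The order of the checks is the security-relevant part: the `alg` pin comes before any key lookup, which is what rules out `alg: none` and the classic HMAC-with-public-key confusion, and `kid` is only ever used to select a key from the fetched set, never to load a key from a location the token names. What is left out, and what a real implementation would add on top: fetching and caching the JWKS with rotation, `aud` as a JSON array, other algorithms such as RS256, and the user-creation and collective-mapping step from the claims.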

I actually tried to reverse engineer the Docspell auth token signature and implement a middleware that could sit between the authenticating proxy and Docspell. I couldn't get it working (likely due to some oversight on my part with how the bytevector gets loaded into memory for doing signatures)

programmerq avatar May 09 '23 01:05 programmerq

Hi @programmerq I'm very sorry for the late reply, this got forgotten, buried in the stack of notifications.

I'm afraid I'm not knowledgeable enough to give a good comment on the JWKS thing in terms of how large the effort would be. I think it shouldn't be very hard. The machinery to create users is already there and used for the OIDC auth. What is then left is to provide the jwks data somehow and an auth middleware to do the stuff. To be honest, while I'm interested in this in general, it's not very much currently, because I'm not using it at all and I just don't have a lot of time. So this is not very likely to be implemented by myself any time soon. But I'm happy to help with PR efforts.

If you need more information about the current auth token to implement your middleware, I can point you to the code that does the signature. You can also reach out on matrix/gitter for some chat about it.

eikek avatar Aug 08 '23 08:08 eikek