mkdocs-encryptcontent-plugin icon indicating copy to clipboard operation
mkdocs-encryptcontent-plugin copied to clipboard
verified publisher icon unverbuggt

SSO Authentication

Open PathosV opened this issue 3 months ago • 3 comments

Would it be possible to decrypt after checking for Single Sign-on (SSO) credentials? I'd love to have authentication based on my enterprise login, with an added option for an access control list of approved users.

PathosV avatar Oct 08 '25 18:10 PathosV

What kind of credentials would that be, and how can the webpage access these?

Mkdocs generates a static webpage with no backend, and the encryptcontent plugin generates a keystore that can be decrypted with valid credentials inside each generated page.

I once had the idea of putting the keystore in a server side script to allow additional protection against brute forcing. In this case, the script could interact with some kind of SSO service to unlock on valid credentials. The main problem that I saw with a server side keystore is, that you have to trust your webspace provider or else he could fish all credentials that are tried.

I also don't have much knowledge on how these SSO Services work. But I think I remember a case when Microsoft somehow leaked a master signing key for its services, which then was used to gain access to various user accounts: link

If you rely on such a service then you'd really have to trust your service provider (which you don't need to for this plugin), so might as well use a CMS and hide the content behind a login.

unverbuggt avatar Oct 11 '25 17:10 unverbuggt

I sadly don't know enough on the exact ways SSO works, I had hoped a session cookie from the login could be used in place of a key for a given user. I'm guessing thats not the case and the SSO service needs to be pinged with a request. As for any security concerns with the provider, we already rely on them for other sites to be secured.

PathosV avatar Oct 13 '25 03:10 PathosV

The procedure is (from looking into this briefly):

  1. You submit the credentials to some SSO provider
  2. If the credentials are valid, you receive a token
  3. This token consists of a signed payload
  4. The web service can then check the signature and grant access (according to the payload) if the signature is valid

But the encryptcontent plugin will encrypt the pages with a static encryption key, which can be found with valid credentials. So the SSO Service would need to send the encryption key (or send the credentials) as payload in the token. No need to check any signatures.

The whole point of using a SSO service is that you don't want to check the credentials yourself and let someone else check them for you, but in our case the SSO would need to send the credentials or keys back to us, This makes no sense.

Better use some kind of Wiki or CMS (there might be some that generate from Markdown like MkDocs) that provide an interface for SSO providers.

unverbuggt avatar Oct 13 '25 16:10 unverbuggt