
Force login using SSO

Open HanadaLee opened this issue 11 months ago • 1 comments

Is your feature request related to a problem?

I use the OIDC provider to provide authentication services for the memo, but every time I log in, I will still be redirected to the login page of the memos itself.

Describe the solution you'd like

  1. Provide a switch in the settings to specify an SSO provider as the default login provider, and directly initiate OIDC authentication instead of popping up the built-in login interface when login is required.
  2. Provide a url parameter sso for /auth. When its value is false, it is allowed to use the default interface to log in (used for troubleshooting when the third-party provider fails to log in due to an exception).

Additional context

Currently, I complete the jump by inserting a piece of js in the login interface, identifying the login interface with a frequency of 1 second, and forcibly triggering SSO login. Although this method fulfills my needs to a certain extent, the implementation method is very disgusting, and before the jump, the user can still see the built-in login interface for about 1-3 seconds.

HanadaLee avatar Jul 12 '23 14:07 HanadaLee

I'd also +1 support for this as a built-in feature. As a workaround similar to the original poster, here is the script that I use in additional scripts to force an immediate redirect from initial load of any page to my SSO login. This works by making a call to the Memos API user endpoint to see if there's a user logged in, and if not then redirect.

(async function() {
  // Remember to replace this authentik style placeholder URL with your own.
  const LOGIN_URL = 'https://AUTHENTIK_BASE_URL/application/o/authorize/?client_id=MEMOS_CLIENT_ID&redirect_uri=https://MEMOS_BASE_URL/auth/callback&state=auth.signin.Authentik-1&response_type=code&scope=openid profile email'

  // Prevent a redirect loop by not checking login state from
  // login callback path.
  if (window.location.pathname !== "/auth/callback") {
    // Call Memos API to determine if the user is logged in.
    // If logged in, HTTP status is 200, if logged out 401.
    const status = (await fetch("/api/v1/user/me")).status;
    if (status === 401) {
      window.location = LOGIN_URL;
    }
  }
})();

I use Authentik as my SSO provider, so LOGIN_URL here will vary based on what your provider is. To get the exact URL, I recommend opening up an incognito window, opening developer tools, selecting the network tab and enabling "persist logs" from the settings menu, and then clicking the "Login with <YOUR PROVIDER>" link from Memos. The first URL to your auth provider in the network tab will be the one you want to use.

justjohn avatar Nov 29 '23 20:11 justjohn
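Building on justjohn's workaround above, the following is an added example (not code from this thread or from the memos project) that moves the redirect decision into a pure function so it can be tested outside a browser, adds the `?sso=false` bypass proposed in the original request, and treats a failed status check as "unknown" rather than "logged out" so an unhealthy API cannot bounce users between memos and the provider. The `/api/v1/user/me` path and the placeholder `LOGIN_URL` are taken from the thread; the bypass applying on any path, not only `/auth`, is my assumption.

```javascript
// Added example, not part of the thread or of memos itself.
// LOGIN_URL is the same placeholder as in justjohn's script (replace it).
const LOGIN_URL =
  "https://AUTHENTIK_BASE_URL/application/o/authorize/?client_id=MEMOS_CLIENT_ID" +
  "&redirect_uri=https://MEMOS_BASE_URL/auth/callback&state=auth.signin.Authentik-1" +
  "&response_type=code&scope=openid%20profile%20email";

// The ?sso=false escape hatch from the feature request: lets an operator
// reach the built-in login form when the OIDC provider is misbehaving.
function ssoBypassRequested(search) {
  return new URLSearchParams(search).get("sso") === "false";
}

// Decide what a page load should do. `status` is the HTTP status of
// GET /api/v1/user/me, or null when that request failed outright.
// Returns the URL to navigate to, or null to stay on the current page.
function decideRedirect({ pathname, search, status }) {
  if (pathname === "/auth/callback") return null; // mid-handshake: never loop
  if (ssoBypassRequested(search)) return null;    // operator opted out
  if (status === 401) return LOGIN_URL;           // confirmed logged out
  // 200 (logged in), 5xx, or a network failure: stay put. Only a definite
  // 401 should trigger the redirect, otherwise an API outage becomes a
  // redirect loop between memos and the identity provider.
  return null;
}

// Browser entry point. Skipped when the file is loaded under Node.
async function enforceSso() {
  let status = null;
  try {
    status = (await fetch("/api/v1/user/me")).status;
  } catch (err) {
    status = null; // unknown, not "logged out"
  }
  const target = decideRedirect({
    pathname: window.location.pathname,
    search: window.location.search,
    status,
  });
  // replace(): no history entry, so "back" does not land on the login page again
  if (target !== null) window.location.replace(target);
}

if (typeof window !== "undefined" && typeof fetch === "function") {
  enforceSso();
}
```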

Agree this would be a very useful feature for anyone who's gone through the trouble of setting up an SSO provider

@justjohn can confirm your workaround functions with other auth providers, and thank you so much for including the extra details of how to find that URL lol would have never been able to do that myself

K-J-VV avatar Jan 15 '24 15:01 K-J-VV

Disable user signup + Disable password login might help.

boojack avatar Jan 18 '24 07:01 boojack

@K-J-VV I expect my workaround will work with any OIDC provider, although I can't speak directly to anything besides Authentik, since that's what I use. The protocol is a standard though, so they all operate about the same. The main difference should just be the login URL that you redirect to since it will differ between providers.

justjohn avatar Jan 18 '24 21:01 justjohn