Add User Authentication to oxidized-web

Open robertcheramy opened this issue 5 months ago • 5 comments

I want to add user authentication to Oxidized-web. It should:

  • Be Optional
  • Use JSON Web Token
  • Use Multiple Authentication Backends
    • Local File Backend
    • LDAP Backend

robertcheramy, Jul 09 '25 05:07

Do consider WebAuthn if at all reasonable.

The reason I originally wanted this to be handled by the front-end is that I don't think there is much hope of creating a solution that isn't bypassable in numerous ways, and then it becomes Oxidized's responsibility instead of the front-end's.

ytti, Jul 09 '25 06:07

Just wanted to provide background as to why this may be useful - I am running oxidized in a k8s environment and have a standard reverse proxy (ingress) set up that provides SSL. It can provide authentication as well, but it becomes a custom ingress that in my environment makes things messier. It is much easier to handle authentication in the application and then only handle SSL on the ingress controller side.

eoprede, Aug 10 '25 02:08

> Just wanted to provide background as to why this may be useful - I am running oxidized in a k8s environment and have a standard reverse proxy (ingress) set up that provides SSL. It can provide authentication as well, but it becomes a custom ingress that in my environment makes things messier. It is much easier to handle authentication in the application and then only handle SSL on the ingress controller side.

I'm not sure that rationale holds. Even if you have a proxy already, which I completely understand makes little sense for you to tinker with for application-level stuff, you can still include in your Oxidized application another mature HTTP proxy, like lighttpd, nginx or caddy.

I am not going to reject adding user authentication to Oxidized, but it is definitely going to be a security problem. It absolutely will contain bugs that allow bypassing it, and it will be our responsibility. I don't think we can compete with any of the mentioned projects in security, and they already aren't great.

But I guess no one really cares about security; this is about convenience: you get user auth against your AD (via the LDAP backend) and it all comes out of a single source, instead of maintaining an additional proxy. And that, I agree, is a legitimate argument.

ytti, Aug 10 '25 06:08

This issue is stale because it has been open 90 days with no activity.

github-actions[bot], Nov 09 '25 02:11

Note - adding authentication could break some features like reload source in https://github.com/ytti/oxidized/blob/master/extra/auto-reload-config.runit

robertcheramy, Dec 03 '25 06:12