[MGNLSSO-23] Only run SSO authentication on selected paths Created: 09/Jun/20  Updated: 03/Oct/23  Resolved: 17/Jun/20

Status: Closed
Project: Single Sign On
Component/s: None
Affects Version/s: None
Fix Version/s: 1.0

Type: Task Priority: Neutral
Reporter: Maxime Michel Assignee: Maxime Michel
Resolution: Fixed Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
causality
is causing MGNLSSO-35 Allow Magnolia to be used as pac4j mi... Closed
Template:
Acceptance criteria:
Empty
Task DoR:
Empty
Date of First Response:
Epic Link: Magnolia SSO w/ pac4j

 Description   

Discussions in SRE-1250 have led to the following conclusions:

  • pac4j needs to be aligned with Magnolia's security
    • for instance, in Magnolia's default security, a public instance allows anonymous access; pac4j is not aware of that
    • or if a Magnolia public website protects a member area, pac4j will not pick up on it. (This use case is not yet supported but will one day.)
  • the way it is done now, pac4j matchers are created on a case-by-case basis to mimic Magnolia's security
  • it should however be possible to dynamically resolve what security Magnolia would apply to a requested path, and to allow/disallow anonymous based on that

This ticket's initial intent was to make pac4j copy Magnolia's security in the 99% of URLs where pac4j doesn't need to be in front of Magnolia. However, only enabling pac4j on desired target URLs such as Admincentral solves the problem with a better approach, and less code on top of that.
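
A sketch of the path-scoped decision described above, added here as an example; it is not code from this ticket or from the Magnolia SSO module. The class name, the `/.magnolia/admincentral` prefix and the sample paths are assumptions, and the path is canonicalized before matching so the filter and the container agree on which resource is requested.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.List;

// Added illustration: class name and prefix list are hypothetical, not Magnolia SSO code.
public class SsoPathScope {
    // Assumed value: AdminCentral's usual path in a Magnolia instance.
    static final List<String> SSO_PREFIXES = List.of("/.magnolia/admincentral");

    /** True when the request must pass through the SSO (pac4j) filter. */
    static boolean requiresSso(String rawPath) {
        String path = canonicalize(rawPath);
        if (path == null) return true; // fail closed on anything unparseable
        for (String prefix : SSO_PREFIXES) {
            // Segment-aware match: the prefix itself or a sub-path, never a sibling name.
            if (path.equals(prefix) || path.startsWith(prefix + "/")) return true;
        }
        return false; // left to Magnolia's own security (anonymous access may apply)
    }

    /** Decodes once, drops path parameters, collapses slashes, resolves dot segments. */
    static String canonicalize(String rawPath) {
        if (rawPath == null || !rawPath.startsWith("/")) return null;
        try {
            String stripped = rawPath.replaceAll(";[^/]*", "").replaceAll("/{2,}", "/");
            String decoded = new URI(stripped).getPath().replaceAll("/{2,}", "/");
            String path = new URI(null, null, decoded, null).normalize().getPath();
            for (String segment : path.split("/")) {
                if (segment.equals("..")) return null; // unresolved traversal
            }
            return path;
        } catch (URISyntaxException e) {
            return null;
        }
    }

    public static void main(String[] args) {
        // Constructed sample paths, not taken from the ticket.
        for (String p : List.of(
                "/.magnolia/admincentral",
                "/.magnolia/admincentral;v=1/app",
                "/.magnolia//admincentral",
                "/travel/%2e%2e/.magnolia/admincentral",
                "/.magnolia/admincentral-help",
                "/travel/about.html")) {
            System.out.println(requiresSso(p) + "  " + p);
        }
    }
}
```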



 Comments   
Comment by Espen Jervidalo [ 11/Jun/20 ]

https://git.magnolia-cms.com/projects/OD/repos/cloud-helm-charts/pull-requests/10/overview?commentId=62289

Here's a similar issue related to the liveness and readiness module.

Comment by Espen Jervidalo [ 11/Jun/20 ]

https://git.magnolia-cms.com/projects/INTERNAL/repos/magnolia-sso/pull-requests/5/overview?commentId=62114

Comment by Maxime Michel [ 12/Jun/20 ]

Much easier than doing this would be to enable pac4j solely for Admincentral, no?

Generated at Mon Feb 12 10:50:22 CET 2024 using Jira 9.4.2#940002-sha1:46d1a51de284217efdcb32434eab47a99af2938b.