diff --git a/.env.example b/.env.example index 952f51dd31..b0eab2c541 100644 --- a/.env.example +++ b/.env.example @@ -182,12 +182,23 @@ LOGIN_PROVIDER=eloquent # It's also possible to change the way users are authenticated. You could use Authelia for example. # Authentication via the REMOTE_USER header is supported. Change the value below to "remote_user_guard". # +# This will also allow Windows SSO. +# # If you do this please read the documentation for instructions and warnings: # https://docs.firefly-iii.org/advanced-installation/authentication # # This function is available in Firefly III v5.3.0 and higher. AUTHENTICATION_GUARD=web +# +# By default, Firefly III uses the 'REMOTE_USER' header as per RFC 3875. +# You can also use another header, like AUTH_USER when using Windows SSO. +# Some systems use X-Auth headers. In that case, use HTTP_X_AUTH_USERNAME or HTTP_X_AUTH_EMAIL +# +# Firefly III won't be able to send emails when the header you use isn't an email address. +# +AUTHENTICATION_GUARD_HEADER=REMOTE_USER + # # Likewise, it's impossible to log out users who's authentication is handled by an external system. # Enter a custom URL here that will force a logout (your authentication provider can tell you). @@ -236,12 +247,6 @@ ADLDAP_LOGIN_FALLBACK=false ADLDAP_DISCOVER_FIELD=distinguishedname ADLDAP_AUTH_FIELD=distinguishedname -# Will allow SSO if your server provides an AUTH_USER field. -# You can set the following variables from a file by appending them with _FILE: -WINDOWS_SSO_ENABLED=false -WINDOWS_SSO_DISCOVER=samaccountname -WINDOWS_SSO_KEY=AUTH_USER - # field to sync as local username. # You can set the following variable from a file by appending it with _FILE: ADLDAP_SYNC_FIELD=userprincipalname diff --git a/app/Support/Authentication/RemoteUserGuard.php b/app/Support/Authentication/RemoteUserGuard.php index baf2d94f73..d93b98bcfa 100644 --- a/app/Support/Authentication/RemoteUserGuard.php +++ b/app/Support/Authentication/RemoteUserGuard.php 
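Review bot: The new comment recommends `HTTP_X_AUTH_USERNAME` / `HTTP_X_AUTH_EMAIL` without saying where those `$_SERVER` keys come from: every `HTTP_*` key is populated from the incoming request's headers, so it only identifies the user when the reverse proxy in front of Firefly III sets and overwrites that header on every request, whereas `REMOTE_USER` is set by the web server's own auth module and carries no such caveat. I'd add one line after the "X-Auth headers" sentence: `# HTTP_* values are copied from request headers: only use one if your proxy overwrites that header on every request.` The value must also be the exact, case-sensitive `$_SERVER` key (e.g. `HTTP_X_AUTH_USERNAME`), not the header name as sent on the wire, which deserves a sentence too. The second hunk in this file only removes the `WINDOWS_SSO_*` variables and needs no note.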
@@ -69,16 +69,13 @@ class RemoteUserGuard implements Guard return; } // Get the user identifier from $_SERVER - $userID = request()->server('REMOTE_USER') ?? null; + $header = config('auth.guard_header', 'REMOTE_USER'); + $userID = request()->server($header) ?? null; if (null === $userID) { - Log::debug('No user in REMOTE_USER.'); - throw new FireflyException('The REMOTE_USER header was unexpectedly empty.'); + Log::error(sprintf('No user in header "%s".', $header)); + throw new FireflyException('The guard header was unexpectedly empty. See the logs.'); } - - // do some basic debugging here: - // $userID = 'test@firefly'; - /** @var User $user */ $user = $this->provider->retrieveById($userID); diff --git a/config/auth.php b/config/auth.php index 189babdc0a..1b49d38409 100644 --- a/config/auth.php +++ b/config/auth.php @@ -33,10 +33,11 @@ return [ | */ - 'defaults' => [ + 'defaults' => [ 'guard' => envNonEmpty('AUTHENTICATION_GUARD', 'web'), 'passwords' => 'users', ], + 'guard_header' => envNonEmpty('AUTHENTICATION_GUARD_HEADER', 'REMOTE_USER'), /* |-------------------------------------------------------------------------- diff --git a/config/ldap_auth.php b/config/ldap_auth.php index 2f395c809b..f661236d38 100644 --- a/config/ldap_auth.php +++ b/config/ldap_auth.php @@ -245,9 +245,9 @@ return [ */ 'windows' => [ - 'enabled' => envNonEmpty('WINDOWS_SSO_ENABLED', false), - 'locate_users_by' => envNonEmpty('WINDOWS_SSO_DISCOVER', 'samaccountname'), - 'server_key' => envNonEmpty('WINDOWS_SSO_KEY', 'AUTH_USER'), + 'enabled' => false, + 'locate_users_by' => 'samaccountname', + 'server_key' => 'AUTH_USER', ], ],
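Review bot: `$userID = request()->server($header)` now accepts any configured `$_SERVER` key, and when that key is `HTTP_*` its value is copied from the client's request headers, so the guard authenticates whoever the upstream proxy passes through rather than whoever the web server verified; neither the hunk nor the config records that assumption. I'd document it above the lookup: `// An HTTP_* key mirrors a request header; the deployment must ensure the proxy overwrites it, otherwise the identity is client-supplied.` The `null` check also lets an empty-string value through to `retrieveById`, which a header that is present but blank would presumably produce; `if (null === $userID || '' === $userID) {` closes that, and the `?? null` on the lookup is a no-op that can go. The enclosing method starts and ends outside the hunk, so what `retrieveById` returning null leads to cannot be seen here.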
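Review bot: In `config/ldap_auth.php` the `windows` block is now hardcoded to `'enabled' => false`, which leaves `'locate_users_by'` and `'server_key'` as dead settings and silently removes the ability to switch the adldap Windows SSO path on, while the replacement (`AUTHENTICATION_GUARD_HEADER`) lives in `config/auth.php`. A one-line comment above the block would save the next reader a search: `// Windows SSO via adldap is disabled; header-based SSO is configured through auth.guard_header instead.` Whether deployments that had `WINDOWS_SSO_ENABLED=true` are told about this on upgrade cannot be seen from this diff.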