Add a Discord provider (based off of PR 2113) #2741
Conversation
|
Would be great to have this allow you to filter by server id and server roles rather than just guilds as that's not something available to all servers while every server has unique ids and roles. |
This initial commit is based off of the PR found at oauth2-proxy#2113 The goal is to add the missing tests and docs to merge it into the original repo.
panickeraj
force-pushed
the
discord-provider
branch
from
257547f to
a788dcd
Compare
I'll give it a try! Looks like the role IDs are unique per guild so it seems it'll be simple enough to add an option to specify role ids and just append guild roles to the groups list in the session and check for both. |
|
Looks like adding role information isn't as trivial as I thought it would be, its really easy to get rate limited by the discord api if you try to pull all the roles that a user has for each server. I'm thinking if you want to specify roles, it'll probably have to be only for a single guild at a time to prevent that rate limiting. For now I think thats out of the scope of this PR but could be added later. |
|
Sorry been away for a few days, I was imaging this is the same way that the outline package works where it'll simply auth y/n for a user connecting, then optionally check if the person is in a specific server / role. Tho honestly if the request limits are that narrow the utility may be limitted. One thing to note is the 'guild' nomenclature only really applies to the API and a weird limitted access feature. For documentation purposes it may be better to label them simply as servers. |
|
@panickeraj it would have been the courteous way to use the original commits of the original author and base your new branch on it :) |
Add a discord provider that supports authentication based on Discord guilds
Description
This is a continuation of the PR at #2113. That change hasn't been updated in a while so I thought I'd address the comments as well as add the documentation and some tests. I also added the legacy option required to pass the discord guild ids.
Motivation and Context
The goal was to allow members of my discord server to access some resources that I host based on their membership to the server. This honestly seemed a lot easier than setting up a service like authentik or authelia, both of which don't support discord as far as I'm aware.
Note the functionality implemented only checks the guild membership and doesn't check email or username, that could be added in the future but I don't think it really fits the intended use case as the implication to me is that if you're using discord to authenticate, you want the scope to be on a per-guild bases usually.
How Has This Been Tested?
I built the resulting image using the docker and am running it with docker using nginx proxy manager as my reverse proxy.
I've tested that everything is working as expected and authentication does work successfully. Specifically if the appropriate guild id is provided then authentication works but if there are no provided guild ids or if the user isn't a member of any of the provided guilds then it fails.
I also did manually double check that Discord allows multiple guilds to have the same name and that you could bypass the auth by creating a new server with the same name as the server that you are authenticating against if using name based authentication.
Checklist: