Summary
Enhance Mothership to support passthru authentication and authorization from upstream providers, such as Google Cloud Platform’s Identity-Aware Proxy (IAP).
Description
Currently, Mothership handles its own authentication and authorization mechanisms. This feature request proposes adding the capability for Mothership to delegate authentication and authorization to upstream providers. For instance, integrating with GCP’s IAP would allow Mothership to leverage existing authentication mechanisms and user roles defined in GCP, thereby simplifying user management and enhancing security compliance.
Use Cases
- Unified Authentication: Users can authenticate using their existing GCP credentials, avoiding the need to manage multiple sets of credentials.
- Centralized User Management: User roles and permissions can be managed centrally within the upstream provider, ensuring consistent access control policies across different services.
- Enhanced Security: By delegating authentication to a provider like GCP’s IAP, Mothership can take advantage of advanced security features offered by the provider.
Implementation Details
- Integration with Upstream Providers:
  - Provide configuration options to enable passthru authentication from supported providers.
  - Implement OAuth/OpenID Connect protocols to handle the authentication flow.
- Session Management:
  - Maintain user sessions based on the tokens received from the upstream provider.
  - Implement token refresh mechanisms to ensure continuous access.
- Authorization Handling:
  - Extract user roles and permissions from the upstream provider and apply them within Mothership.
  - Ensure that fine-grained access control is maintained according to the upstream provider's definitions.
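The passthru flow sketched above, as an added example that is not Mothership's own code (the project's language is not stated here, so Python is used): it validates the JWT that GCP IAP places in the x-goog-iap-jwt-assertion header, then applies upstream-defined roles. The verify_signature callback, the role-map shape and the sample token are assumptions; the header name and issuer are IAP's documented values.

```python
import base64
import json
import time

IAP_HEADER = "x-goog-iap-jwt-assertion"      # header IAP sets on proxied requests
IAP_ISSUER = "https://cloud.google.com/iap"  # issuer claim in IAP assertions
CLOCK_SKEW = 30                              # seconds tolerated for iat/exp drift
class AuthError(Exception):
    """Raised when the request cannot be attributed to an IAP-authenticated user."""
def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def _unb64url(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def authenticate_iap(headers, expected_audience, verify_signature, now=None):
    """Validate the IAP assertion and return the upstream principal.
    verify_signature(signing_input, signature, kid) -> bool is an assumed callback
    that must check ES256 against IAP's published keys (forged headers otherwise)."""
    token = headers.get(IAP_HEADER)
    if not token:
        raise AuthError("no IAP assertion: request did not come through the proxy")
    try:
        h, p, s = token.split(".")
        header, claims = json.loads(_unb64url(h)), json.loads(_unb64url(p))
        if not (isinstance(header, dict) and isinstance(claims, dict)):
            raise ValueError
    except ValueError:
        raise AuthError("malformed assertion")
    if header.get("alg") != "ES256":          # never let the token choose the algorithm
        raise AuthError("unexpected alg")
    if not verify_signature(f"{h}.{p}".encode(), _unb64url(s), header.get("kid")):
        raise AuthError("signature did not verify")
    now = time.time() if now is None else now
    if claims.get("iss") != IAP_ISSUER or claims.get("aud") != expected_audience:
        raise AuthError("assertion not issued by IAP for this backend")
    if claims.get("exp", 0) < now - CLOCK_SKEW or claims.get("iat", now) > now + CLOCK_SKEW:
        raise AuthError("assertion expired or not yet valid")
    if "sub" not in claims or "email" not in claims:
        raise AuthError("assertion carries no identity")
    return {"sub": claims["sub"], "email": claims["email"]}

def authorize(principal, role_map, required_role):
    """Apply roles defined upstream (assumed shape: email -> set of roles)."""
    return required_role in role_map.get(principal["email"], set())

def make_assertion(claims, kid="constructed-kid", signature=b"\x00" * 64):
    """Constructed test token; real assertions are signed by Google, never locally."""
    hdr = json.dumps({"alg": "ES256", "typ": "JWT", "kid": kid}).encode()
    return ".".join([_b64url(hdr), _b64url(json.dumps(claims).encode()), _b64url(signature)])
```

The audience must be the backend's own IAP audience string, and the header may only be trusted on paths that cannot bypass the proxy, which is why the signature check is mandatory rather than optional.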
Benefits
- Simplifies User Onboarding: Streamlines the process of onboarding users by leveraging existing authentication systems.
- Reduces Maintenance Overhead: Decreases the need to handle user authentication and authorization within Mothership.
- Improves Security Posture: Enhances overall security by utilizing robust authentication mechanisms from well-established providers.
Dependencies
- Dependency on OAuth/OpenID Connect libraries for implementing authentication flows.
- Configuration adjustments to allow administrators to specify upstream provider details.
By implementing this feature, Mothership will become more flexible and secure by allowing passthru authentication/authorization from trusted upstream providers like GCP’s IAP.