User Authentication
By default, InterDiode authenticates users with passwords, but user authentication can be delegated to the reverse proxy, allowing single sign-on solutions like Keycloak, Authentik, Shibboleth, or Kerberos/GSSAPI.
Attention
The first created user is granted administrator rights.
Password Authentication
Password authentication is the default choice.
ALLOW_LOCAL_USERS=true
Moreover, the first created user is granted administrator rights.
With ALLOW_USER_CREATION=true, users can create their own account. Otherwise, only administrators can create accounts for other users:
ALLOW_USER_CREATION=true
Lorsque les utilisateurs sont autorisés à créer leur propre compte, il est possible de demander une validation aux administrateurs.
REQUIRE_NEW_USER_VALIDATION=true
When password authentication is enabled, HTTP basic authentication is also enabled by default, but you can easily disable it:
USE_HTTP_BASIC_AUTH=false
Finally, you can change any password in any of the InterDiode containers with the following command:
interdiode-ctl changepassword <username>
Token Authentication
To access cloned repositories that are kept private, users can define tokens (or API keys). This authentication method, enabled by default, is limited to mirrored API (like downloading packages) and does not allow to edit sources or user passwords. The user can create tokens with limited privileges or limited to a few IP addresses. Each token is tied to a source and cannot be used with another source.
USE_AUTHORIZATION_TOKEN=false
Reverse-proxy Authentication
You reverse proxy (like Apache or Nginx) can authenticate users and put the username in a HTTP header (like REMOTE-USER).
Reverse proxies can handle many authentication methods, like OIDC, Kerberos/GSSAPI or LDAP.
The user can be automatically created in InterDiode on its first connection (you can even automatically add him to several groups) if ALLOW_USER_CREATION=true. However, the account can be disabled by default and only enabled after validation by an administrator when REQUIRE_NEW_USER_VALIDATION=true.
Some pages should remain anonymously accessible in read-only mode, for example for command-line tools such as package managers.
You should therefore not require authentication on all pages, but only on /v1/login/ (or on /v1/login/ and / to provide transparent authentication).
ALLOW_USER_CREATION=true
# Allow new users to create their account themselves (if ALLOW_LOCAL_USERS=true),
# or the automatic creation of missing users when users are authenticated by the reverse proxy.
# Values: 'true', 'false'.
HTTP_REMOTE_GROUPS_HEADER=X-Remote-Group
# Set the list of groups in this HTTP header. The header value can be a JSON-serialized list, or a comma-separated list.
# Leave empty to disable automatic group assignment.
# Note: the HTTP_ prefix added by the reverse proxy is automatically handled by InterDiode.
# Example: 'X-Forwarded-Groups'.
HTTP_REMOTE_USER_HEADER=X-Remote-User
# Set it if the reverse-proxy authenticates users (single sign-on).
# Note: the HTTP_ prefix added by the reverse proxy is automatically handled by InterDiode.
# Example: 'X-Remote-User'.
REMOTE_USER_DEFAULT_GROUPS=Users
# Comma-separated list of group names to add to new users that are authenticated by HTTP header, when HTTP_REMOTE_GROUPS_HEADER setting is not used.
# Example: 'Users,New users'.
Note
The reverse-proxy header name must not start with HTTP_ and must not contain underscores, only dashes.
You can disable the local password database if users should be only authenticated by the reverse proxy:
ALLOW_LOCAL_USERS=false
Most attributes of the user can be provided by the reverse proxy, such as the full name, email address, or group membership, which allows you to manage everything in the reverse proxy and not have to worry about it in InterDiode. You should also disable the management of these attributes in InterDiode to avoid conflicts between the reverse proxy and InterDiode:
ALLOW_USER_CREATION=true
HTTP_REMOTE_EMAIL_HEADER=X-Remote-Email
HTTP_REMOTE_FIRST_NAME_HEADER=X-Remote-First-Name
HTTP_REMOTE_GROUPS_HEADER=X-Remote-Groups
HTTP_REMOTE_LAST_NAME_HEADER=X-Remote-Last-Name
HTTP_REMOTE_USER_HEADER=X-Remote-User
REQUIRE_NEW_USER_VALIDATION=false
USER_DISABLED_ATTRIBUTES=groups,first_name,last_name,email
Manually add another Superuser
If you want to create another administrator in any of the InterDiode containers, you can use the command line (instead of using the web interface to promote a regular user):
interdiode-ctl createsuperuser