User Authentication

By default, InterDiode authenticates users with passwords, but user authentication can be delegated to the reverse proxy, allowing single sign-on solutions like Keycloak, Authentik, Shibboleth, or Kerberos/GSSAPI.

Attention

The first created user is granted administrator rights.

Password Authentication

Password authentication is the default choice.

interdiode.env
ALLOW_LOCAL_USERS=true

Moreover, the first created user is granted administrator rights.

With ALLOW_USER_CREATION=true, users can create their own account. Otherwise, only administrators can create accounts for other users:

interdiode.env
ALLOW_USER_CREATION=true

Lorsque les utilisateurs sont autorisés à créer leur propre compte, il est possible de demander une validation aux administrateurs.

interdiode.env
REQUIRE_NEW_USER_VALIDATION=true

When password authentication is enabled, HTTP basic authentication is also enabled by default, but you can easily disable it:

interdiode.env
USE_HTTP_BASIC_AUTH=false

Finally, you can change any password in any of the InterDiode containers with the following command:

interdiode-ctl changepassword <username>

Token Authentication

To access cloned repositories that are kept private, users can define tokens (or API keys). This authentication method, enabled by default, is limited to mirrored API (like downloading packages) and does not allow to edit sources or user passwords. The user can create tokens with limited privileges or limited to a few IP addresses. Each token is tied to a source and cannot be used with another source.

interdiode.env
USE_AUTHORIZATION_TOKEN=false

Reverse-proxy Authentication

You reverse proxy (like Apache or Nginx) can authenticate users and put the username in a HTTP header (like REMOTE-USER). Reverse proxies can handle many authentication methods, like OIDC, Kerberos/GSSAPI or LDAP.

The user can be automatically created in InterDiode on its first connection (you can even automatically add him to several groups) if ALLOW_USER_CREATION=true. However, the account can be disabled by default and only enabled after validation by an administrator when REQUIRE_NEW_USER_VALIDATION=true.

Some pages should remain anonymously accessible in read-only mode, for example for command-line tools such as package managers. You should therefore not require authentication on all pages, but only on /v1/login/ (or on /v1/login/ and / to provide transparent authentication).

interdiode.env
ALLOW_USER_CREATION=true
# Allow new users to create their account themselves (if ALLOW_LOCAL_USERS=true), 
# or the automatic creation of missing users when users are authenticated by the reverse proxy.
# Values: 'true', 'false'.
HTTP_REMOTE_GROUPS_HEADER=X-Remote-Group
# Set the list of groups in this HTTP header. The header value can be a JSON-serialized list, or a comma-separated list.
# Leave empty to disable automatic group assignment. 
# Note: the HTTP_ prefix added by the reverse proxy is automatically handled by InterDiode.
# Example: 'X-Forwarded-Groups'.
HTTP_REMOTE_USER_HEADER=X-Remote-User
# Set it if the reverse-proxy authenticates users (single sign-on). 
# Note: the HTTP_ prefix added by the reverse proxy is automatically handled by InterDiode.
# Example: 'X-Remote-User'.
REMOTE_USER_DEFAULT_GROUPS=Users
# Comma-separated list of group names to add to new users that are authenticated by HTTP header, when HTTP_REMOTE_GROUPS_HEADER setting is not used.
# Example: 'Users,New users'.

Note

The reverse-proxy header name must not start with HTTP_ and must not contain underscores, only dashes.

You can disable the local password database if users should be only authenticated by the reverse proxy:

interdiode.env
ALLOW_LOCAL_USERS=false

Most attributes of the user can be provided by the reverse proxy, such as the full name, email address, or group membership, which allows you to manage everything in the reverse proxy and not have to worry about it in InterDiode. You should also disable the management of these attributes in InterDiode to avoid conflicts between the reverse proxy and InterDiode:

interdiode.env
ALLOW_USER_CREATION=true
HTTP_REMOTE_EMAIL_HEADER=X-Remote-Email
HTTP_REMOTE_FIRST_NAME_HEADER=X-Remote-First-Name
HTTP_REMOTE_GROUPS_HEADER=X-Remote-Groups
HTTP_REMOTE_LAST_NAME_HEADER=X-Remote-Last-Name
HTTP_REMOTE_USER_HEADER=X-Remote-User
REQUIRE_NEW_USER_VALIDATION=false
USER_DISABLED_ATTRIBUTES=groups,first_name,last_name,email

Manually add another Superuser

If you want to create another administrator in any of the InterDiode containers, you can use the command line (instead of using the web interface to promote a regular user):

interdiode-ctl createsuperuser