1.0.0 • Published 5 months ago

@imcatzilla/ghost-sso-header v1.0.0

License
WTFPL
Repository
github

Warning

Before using this adapter, please carefully read the Caveats section below.

ghost-sso-header

Header SSO Adapter for Ghost

Prerequisites

This adapter is written for Ghost version 5.75.0; compatibility with other versions is unknown.

Your load balancer (reverse proxy, API gateway, etc.) needs to add a request header containing the user email, or a user object as a JSON string.

This can be done with:

Installation

Linux

  1. Download the package via npm:

     npm install @imcatzilla/ghost-sso-header

  2. Move the package to the content/adapters/sso directory:

     mv node_modules/@imcatzilla/ghost-sso-header/ /path-to-ghost/content/adapters/sso/ghost-sso-header/

  3. Adjust the Ghost configuration with the following:

     "adapters": {
         "sso": {
             "active": "ghost-sso-header",
             "ghost-sso-header": {
                 "header": "X-User",
                 "jsonpath": "$.email"
             }
         }
     }

Alternatively, use environment variables as described in the Ghost Configuration section.

Docker

Follow steps 1 and 3 from the Linux section, and mount the adapter as a volume in your docker-compose.yml:

services:
  ghost:
    #...
    volumes:
      - ./node_modules/@imcatzilla/ghost-sso-header:/var/lib/ghost/content/adapters/sso/ghost-sso-header

You may also build a custom Docker image and include the adapter inside it.

Configuration

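| Key      | Type   | Default | Description                                                                                    |
|----------|--------|---------|------------------------------------------------------------------------------------------------|
| header   | string | X-User  | Header with user email. Header value must contain email as string if jsonpath is omitted       |
| jsonpath | string |         | JSONPath to user email if header value is json string                                          |

All options are optional.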

Caveats

  • Malicious users may set the user header manually. Make sure that this header gets stripped by your load balancer or reverse proxy. If you are using Traefik, you can use the headers middleware for this
  • This adapter does not automatically create accounts in Ghost. The account must already exist in the Ghost database to be able to log in with SSO
  • Ghost uses a separate session, so after you log out of your identity provider, you will still be authenticated in Ghost
  • Logout in Ghost will not work while the identity provider session is active
  • Direct login with Ghost email/password still works when no identity provider session is active
  • Use this adapter at your own risk, and do not consider it "production-ready". I wrote it for my personal projects, so no warranties at all
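
The first caveat and the header/jsonpath options, shown as an added example (not the adapter's source code): the proxy drops any client-supplied copy of the identity header before setting it from the verified identity, and the receiving side reads the email from it. The function names, the null-on-failure behaviour and the dot-path-only JSONPath subset are assumptions made for this sketch.

```javascript
'use strict';
// Added illustration; names below are hypothetical, not the adapter's API.
const HEADER = 'x-user'; // the "header" option, lowercased as Node does

// Proxy side: never forward a client-supplied identity header.
// verifiedUser comes from the identity provider session, or is null.
function buildUpstreamHeaders(clientHeaders, verifiedUser) {
  const out = {};
  for (const [name, value] of Object.entries(clientHeaders)) {
    const lower = name.toLowerCase(); // header names are case-insensitive
    if (lower === HEADER) continue;   // strip whatever the client sent
    out[lower] = value;
  }
  if (verifiedUser) out[HEADER] = JSON.stringify(verifiedUser);
  return out;
}

// Receiving side: plain email when jsonpath is omitted, otherwise a
// lookup in the JSON value. Only "$.a.b" style paths are handled here.
function emailFromHeader(headers, jsonpath) {
  const raw = headers[HEADER];
  if (typeof raw !== 'string' || raw === '') return null;
  if (!jsonpath) return raw;
  const m = /^\$((?:\.[A-Za-z_]\w*)+)$/.exec(jsonpath);
  if (!m) return null;
  let node;
  try { node = JSON.parse(raw); } catch { return null; }
  for (const key of m[1].slice(1).split('.')) {
    const isObj = node !== null && typeof node === 'object';
    if (!isObj || !Object.prototype.hasOwnProperty.call(node, key)) return null;
    node = node[key];
  }
  return typeof node === 'string' ? node : null;
}

// Constructed sample: a request that arrives with the header already set.
const spoofed = { 'X-USER': '{"email":"admin@example.com"}', Accept: 'text/html' };

const anonymous = buildUpstreamHeaders(spoofed, null);
const signedIn = buildUpstreamHeaders(spoofed, { email: 'alice@example.com' });
console.log(emailFromHeader(anonymous, '$.email')); // null
console.log(emailFromHeader(signedIn, '$.email'));  // alice@example.com
```

If the header is not stripped at the proxy, the first call would return the client-chosen address, which is the situation the first caveat describes.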
1.0.0

5 months ago

0.0.2

1 year ago

0.0.1

1 year ago