Form public sharing not working on SSO (self-hosted)

Hi, on Grist cloud the Form link can be shared with anyone freely for unrestricted data feed-in.

On our self-hosted AWS package we have SSO activated. The shared Form link seems to ask for SSO credentials. Could it be that there is “no coding” existing to handle this situation so that the shared form link could bypass the SSO? Could this be a feature to be developed?

Best,
Tomas

1 Like

If this is this AWS package:

Then it is using “Grist Omnibus”:

A known weakness of omnibus is its handling of links that could be public:

I think, for forms specifically, they may have a URL prefix that could be special-cased in the reverse proxy used by omnibus, to avoid routing form requests through SSO:

What do you think, @georgegevoian?

In general, it would be better if Omnibus were updated, or an alternative provided, that used OIDC or SAML rather than forwarded auth, so Grist could be left to judge whether auth is needed or not for a particular request.

Yeah, we could add an exception for routes with a /forms prefix. I think the only thing under it today is the GET for published forms, so it should be safe.

Agree that longer term, it’d be good to explore alternative authentication mechanisms for Omnibus.

George

1 Like
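The `/forms` exception discussed above, sketched as the allow decision a reverse proxy would make before sending a request to SSO. This is an added example, not Grist or Omnibus code: the function name, the rule that a form URL has at least one segment after `/forms`, and the sample paths are assumptions for illustration.

```python
from urllib.parse import unquote, urlsplit

# Only GET is exempted, matching the statement in the thread that the GET for
# published forms is the only thing under /forms today.
PUBLIC_METHODS = {"GET"}
PUBLIC_ROOT = "forms"  # first path segment that may skip forwarded auth


def skips_sso(method: str, raw_target: str) -> bool:
    """Return True only when the request may bypass forwarded auth.

    Anything ambiguous is denied rather than normalized, so the proxy and
    the backend can never disagree about which route was exempted.
    """
    if method.upper() not in PUBLIC_METHODS:
        return False
    try:
        path = urlsplit(raw_target).path  # query string is ignored
    except ValueError:
        return False
    # Undo nested percent-encoding; give up if it does not settle quickly.
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    else:
        return False
    if not path.startswith("/") or "\\" in path or "\x00" in path:
        return False
    segments = path.split("/")[1:]
    if segments and segments[-1] == "":
        segments = segments[:-1]  # tolerate a single trailing slash
    # Empty, "." and ".." segments could re-route the request after the check.
    if any(seg in ("", ".", "..") for seg in segments):
        return False
    # Exact segment match: "/formsfoo/..." must not ride on the exception.
    return len(segments) >= 2 and segments[0] == PUBLIC_ROOT


if __name__ == "__main__":
    # Constructed sample requests, not taken from a real deployment.
    for m, t in [("GET", "/forms/abc123/4"), ("POST", "/forms/abc123/4"),
                 ("GET", "/forms/%2e%2e/api/docs"), ("GET", "/formsfoo/x")]:
        print(m, t, "->", "public" if skips_sso(m, t) else "SSO")
```

Every request the function rejects stays behind SSO, so a mistake in the rule fails closed.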

Hi @paul-grist.

I’m using grist-core and it seems to exhibit the same behaviour: forms are not accessible without (SSO) login.

Is there no capability in Grist to publish forms for public (unauthenticated) access?

It should be possible @Shrey, if there isn’t some interfering setting such as GRIST_FORCE_LOGIN=true or an auth mechanism that wraps Grist completely. This thread is about a situation where forwarded-header auth is used, which doesn’t give Grist a chance to check whether auth is actually needed or not for a particular URL. But if you’re not in that situation, it should be doable.

1 Like