Form public sharing not working on SSO (self-hosted)

Tomas_Westerholm · August 21, 2024, 11:38am

Hi, On Grist cloud the Form link can be shared to anyone freely for unrestricted data feed-in.

On our self-hosted AWS package we have SSO activated. Shared Form link seems to ask SSO credentials. Could it be that there is “no coding” existing to handle this situation so that the shared form link could bypass the SSO? Could this be a feature to be developed?

Best,
Tomas

paul-grist · August 21, 2024, 12:04pm

If this is this AWS package:

Then it is using “Grist Omnibus”:

A known weakness of omnibus is its handling of links that could be public:

I think, for forms specifically, they may have a URL prefix that could be special-cased in the reverse proxy used by omnibus, to avoid routing form requests through SSO:

github.com

gristlabs/grist-omnibus/blob/main/traefik.yaml

http:
  services:
    grist:
      loadBalancer:
        servers:
          - url: 'http://127.0.0.1:{{ env "GRIST_PORT" }}'
    dex:
      loadBalancer:
        servers:
          - url: 'http://127.0.0.1:{{ env "DEX_PORT" }}'
    tfa:
      loadBalancer:
        servers:
          - url: 'http://127.0.0.1:{{ env "TFA_PORT" }}'
    whoami:
      loadBalancer:
        servers:
          - url: 'http://127.0.0.1:{{ env "WHOAMI_PORT" }}'

  middlewares:

This file has been truncated. show original

What do you think @georgegevoian ?

In general, it would be better if Omnibus were updated, or an alternative provided, that used OIDC or SAML rather than forwarded auth, so Grist could be left to judge whether auth is needed or not for a particular request.

georgegevoian · August 21, 2024, 7:42pm

Yeah, we could add an exception for routes with a /forms prefix. I think the only thing under it today is the GET for published forms, so it should be safe.

Agree that longer term, it’d be good to explore alternative authentication mechanisms for Omnibus.

George