New self-hoster: authentication?

I haven’t quite found an answer for this in the documentation nor in the community.

Question: does Grist support basic username/password authentication? I have installed Omnibus (behind a Caddy proxy server) and I’m simply able to start using it without needing to log in. When I log out and click log in, I’m simply logged back in again. Full access.

I read documentation about SAML and OIDC but please tell me I don’t need to go through all of that complexity for a very small team setup. If so… well, my feedback is that there is simply too large of a jump from “no authentication” to “enterprise authentication”.

Docker compose:

  grist:
    image: gristlabs/grist
    environment:
      APP_DOC_URL: https://mysite.org
      APP_HOME_URL: https://mysite.org
      COOKIE_MAX_AGE: 86400000
      GRIST_DEFAULT_EMAIL: notme@fake.com
      GRIST_FORCE_LOGIN: "true"
      GRIST_HIDE_UI_ELEMENTS: billing,sendToDrive # copied from @vviers
      GRIST_SESSION_SECRET: invent-a-secret-here
      GRIST_SUPPORT_ANON: "false"
      LOGOUT_REDIRECT: https://mysite.org/signed-out
      TZ: America/Los_Angeles
    ports:
      - "8484:8484"
    restart: "always"
    hostname: "grist"
    volumes:
      - /home/foo/grist/persist:/persist

“How do I set up authentication?” explains that authentication options for self-hosters are indeed either custom SAML/OIDC, or the GristConnect protocol for Enterprise:

For our SaaS, we use a custom authentication system based around AWS Cognito. Currently, we have no plans to release that as part of Core or Enterprise.

I’m not looking forward to tackling OIDC either. Would be nice if basic authentication was baked in. :face_with_spiral_eyes:

my feedback is that there is simply too large of a jump from “no authentication” to “enterprise authentication”.

Couldn’t have put it better myself.

I’ve been struggling to find some way to make it happen without having to install/subscribe (even if they are free) to Google/Okta/Keycloak/etc. for what is really a semi-trivial project (planning a family reunion with my siblings and cousins). Plain userid/password should be plenty good enough but it’s not possible, it seems.