@imcatzilla/ghost-sso-header
v1.0.0
Published
Header SSO Adapter for Ghost
Downloads
4
Readme
Warning
Before using this adapter please carefully read Caveats section below
ghost-sso-header
Header SSO Adapter for Ghost
Prerequisites
This adapter is written for Ghost version 5.75.0, compatibility with other versions is unknown
Your load balancer (reverse proxy, API gateway, etc) needs to add request header with user email or user object as JSON string
This can be done with:
- Hydrate Headers plugin for Traefik
- cookie_session authenticator + header mutator in Ory Oathkeeper
- Any other solutions by your choice
Installation
Linux
- Download package via npm:
npm install @imcatzilla/ghost-sso-header
- Move package to
content/adapters/sso
directory:
mv node_modules/@imcatzilla/ghost-sso-header/ /path-to-ghost/content/adapters/sso/ghost-sso-header/
- Adjust Ghost configuration with following:
"adapters": {
"sso": {
"active": "ghost-sso-header",
"ghost-sso-header": {
"header": "X-User",
"jsonpath": "$.email"
}
}
}
or use environment variables as described in Ghost Configuration section
Docker
Follow steps 1 and 3 from Linux section, and mount adapter as volume in your docker-compose.yml
:
services:
ghost:
#...
volumes:
- ./node_modules/@imcatzilla/ghost-sso-header:/var/lib/ghost/content/adapters/sso/ghost-sso-header
you may also build custom docker image and include adapter inside it
Configuration
| Key | Type | Default | Description |
| :-- | :-- | :-- | :-- |
| header
| string | X-User
| Header with user email. Header value must contain email as string if jsonpath
is omitted |
| jsonpath
| string | | JSONPath to user email if header value is json string |
All options are optional
Caveats
- Malicious users may set user header manually. Make sure that this header get stripped by your load balancer or reverse proxy. In case you are using Traefik, you may use headers middleware for this
- This adapter does not automatically create accounts in Ghost. The account must exist in Ghost database to be able to login with SSO
- Ghost uses separate session, so after you logout in your identity provider, you still be authenticated in Ghost
- Logout in Ghost will not work while identity provider session is active
- Direct login with Ghost email/password still work when no identity provider session is active
- Use this adapter at your own risk, and do not consider it "production-ready". I wrote it for my personal projects, so no warranties at all