SSO Mounting not possible?

[wuast94]

I setup this awesome project with SSO with authelia and works great so far.
the only problem with that is that some functions dont work anymore or requirue workarounds of course.
to access everything programmaticly i just set for specific IPs the authelia rule to one_factor and use the Proxy-Authorization header without problem.

but as soon as i for example want to mount the webdav on windows or lets say any tool that dont give you an option to set special headers your screwed.

hopefully i missed something or some genius had found a solution for this :) And also maybe something that could be mentioned on the connect site as a disclaimer or so when using SSO :)

[9001]

Before I say anything else, please don't mark this as an answer! I'm sure somebody else has a better idea...

That's a good question -- if there is a way to make this work, then it is probably an approach that is specific to your IDP (so either Authelia or something similar). I don't think there is much that can be done on the copyparty side, assuming you specifically want to connect using an IDP account.

However, one thing that should work currently, is to define a regular user in the copyparty config, while also using IDP at the same time. If you then allow users to connect "more directly" (meaning not through Authelia) in some way, perhaps with a separate subdomain in the reverse-proxy config, then they can authenticate with this copyparty-defined user.

I'm sorry that my limited knowledge about IDP's such as Authelia makes this a bit fuzzy... So let's see if anyone else has a better answer :-)

But I really like the idea of adding a warning-banner in the connect-page when IDP is enabled, so thank you for that!

[wuast94]

well i got some progress, its for authelia but should be the same for others (more or less).

first part is to set a rule for the domain to be only one_factor:

  rules:
    - domain: 'sub.domain.tld'
      policy: one_factor

this enables us to authenticate with a special header, for authelia it is Proxy-Authorization , they use not the standard one to not interfere with services behind authelia that uses them, to set this one we need to add this header to rclone, i edited the config for this:
rclone config file will give you the path of that config file.

[servername-dav]
type = webdav
url = https://sub.domain.tld
vendor = owncloud
pacer_min_sleep = 0.01ms
headers = Proxy-Authorization,basic base64encodedstring==

the string to encode is username:password

after all this we finally get to copyparty but we get an 401 and i dunno why yet, hopefully you can give me a hint:

20:37:23.613 10.10.10.83 44522     http401: authenticate, '/'
20:37:25.362 10.10.10.83 44532     [H] accept-encoding: [gzip]
20:37:25.362 10.10.10.83 44532     [H] content-length: [308]
20:37:25.362 10.10.10.83 44532     [H] depth: [1]
20:37:25.362 10.10.10.83 44532     [H] host: [files.wuast24.de]
20:37:25.362 10.10.10.83 44532     [H] referer: [https://sub.domain.tld/]
20:37:25.362 10.10.10.83 44532     [H] remote-email: [user@domain.tld]
20:37:25.362 10.10.10.83 44532     [H] remote-groups: [admin]
20:37:25.362 10.10.10.83 44532     [H] remote-name: [wuast94]
20:37:25.362 10.10.10.83 44532     [H] remote-user: [wuast94]
20:37:25.362 10.10.10.83 44532     [H] user-agent: [rclone/v1.68.2]
20:37:25.362 10.10.10.83 44532     [H] x-forwarded-for: [10.10.10.83]
20:37:25.362 10.10.10.83 44532     [H] x-forwarded-host: [sub.domain.tld]
20:37:25.362 10.10.10.83 44532     [H] x-forwarded-port: [443]
20:37:25.362 10.10.10.83 44532     [H] x-forwarded-proto: [https]
20:37:25.362 10.10.10.83 44532     [H] x-forwarded-server: [b7b8c79a880b]
20:37:25.362 10.10.10.83 44532     [H] x-real-ip: [10.10.10.83]
20:37:25.362 10.10.10.83 44532     PFIND / @wuast94
20:37:25.362 10.10.10.83 44532     inaccessible: '/'

looks like its some path issue, at least we see that we get the correct group and username.

if we get that last part done i would be happy to write down some doku we can add to the project :)

[9001]

hm, yeah it looks like copyparty received a request to list the contents of /, so the webroot, and it is correctly using your username wuast94 which it got from the remote-user header, so everything looks fine in that regard... The only time you'll get the inaccessible: warning from a PROPFIND request is if the user does not have read-access, AND it also does not have write-access to that folder. So, does that user not have access to the webroot? did you expect rclone to try listing the contents of another folder/URL?

[wuast94]

had to define the full URL, missed that totally, works now.

should i write up that SSO webdav part or is it to specific? and if yes, where would it best fit for you?

[9001]

nice! glad to hear it worked out, good job :>

I think this would be a good place to explain it: https://github.com/9001/copyparty/blob/hovudstraum/docs/idp.md

maybe a new section at the bottom of that file,

# connecting from webdav clients

depending on your IdP software and config, you may encounter difficulties when connecting from a WebDAV client. For example, with Authelia you will have to [...]

...or something like that, feel free to rephrase!

Afterwards I'll link that section from the main readme, and add a short summary based on your description on the connect-page. Thanks 😁