[ 
https://issues.apache.org/jira/browse/SOLR-17659?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17925695#comment-17925695
 ] 

Christos Malliaridis commented on SOLR-17659:
---------------------------------------------

I start to get a better understanding now. What I am wondering now is, would a 
deep link / a "redirect" to the new UI (either web, desktop client or anything 
else), with the necessary authentication / authorization token be sufficient? 
Because the new UI will have to handle such cases, like for OAuth, anyway. 
Completely hiding the UI from the user would be possible, but then there must 
be a module that will take care of the auth and that would handle all the 
redirects and token generation flows. And I think from the perspective of OAuth 
at least, this could be cumbersome to implement, as OAuth flows are very 
specific about which parties are involved and who is redirecting where.

I believe it can work without issues and as expected, as long as there is this 
"facade" in front of the UI. I'm still not sure though if this could be 
addressed early enough so that the new UI could make use of that (if it has to 
do anything differently, like not showing login masks). Perhaps it is for now 
quicker to go with a more "direct" approach and implement the most important 
auth options in the new UI, and until we have a working solution for "hiding" 
the UI, we would use the UI's auth screens? And we should still not forget that 
we try to address a relatively serious issue, the replacement of AngularJS that 
has been discontinued since 2022.

With that said, we should definitely not take the security lightly, which is 
why we discuss these matters in such detail. :)

> Implement basic authentication in Admin UI
> ------------------------------------------
>
>                 Key: SOLR-17659
>                 URL: https://issues.apache.org/jira/browse/SOLR-17659
>             Project: Solr
>          Issue Type: New Feature
>          Components: Admin UI
>            Reporter: Christos Malliaridis
>            Priority: Major
>              Labels: new-ui, ui
>
> In the new UI one of the key features that is not implemented yet is user 
> authentication. In order to secure and securely access Solr, the user should 
> be able to authenticate against a Solr instance with basic credentials.
> h2. Task
> Implement basic user authentication (with credentials) according to the [new 
> designs|https://www.figma.com/design/VdbEfcWQ8mirFNquBzbPk2/Apache-Solr-Admin-UI-v2-Concept?node-id=1190-388&t=vMgOa9QlzQZSdjLf-1].
> h2. Acceptance Criteria
>  - The user can access a Solr instance that has user authentication enabled
>  - The user can at least authenticate with credentials (basic auth)
>  - The credentials form is displayed after the user has established a 
> connection with a Solr instance, that is, after a Solr instance was found
>  - The user can return to the start screen where the Solr URL was provided, 
> if he decides to abort the authentication step
>  - The user is no longer redirected to the dashboard or any other screen if 
> user authentication is required
>  - The credentials are used for any subsequent request
> h2. Additional Information
> The support for additional authentication options does not have to be 
> addressed in this issue. If it proves to be straight-forward, feel free to 
> implement additional auth options as well. Note that additional 
> authentication options will be added later, and therefore, the implementation 
> should be expandable.
> The credentials do not have to survive an application restart (desktop). 
> Storing credentials securely will be addressed in a separate issue.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)