
Support protected URL Sign In #4

davidje13 opened this issue Mar 28, 2020 · 0 comments
Labels
enhancement New feature or request

To allow easy integration with alternative authentication mechanisms, it should be possible to configure a trusted URL where it is assumed that if the user can reach the URL, they are trusted. This could be used with a proxy configured to require Mutual TLS for the configured path, for example.

const config = {
  trustedEndpoint: {
    path: 'my-trusted-path',
    userIdHeader: 'X-Ssl-Cert-Hash',
  },
};

Which could be combined with an nginx config:

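# CA certificate used to verify client certificates
ssl_client_certificate /path/to/cert.crt;
# "optional" requests a client certificate without requiring one;
# the location below rejects requests that did not verify
ssl_verify_client optional;

location /ssoprefix/my-trusted-path {
  if ($ssl_client_verify != "SUCCESS") { return 403; }
  proxy_set_header X-Ssl-Cert-Hash $ssl_client_fingerprint;
}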

It may be desirable to have other options than userIdHeader, such as userId for a fixed user ID for anybody able to reach the endpoint.


Things to consider:

  • Care must be taken by the user to ensure the endpoint is fully protected. Might be worth allowing a configurable header-based password which can be set in the proxy as a bit of extra protection against accidental misconfigurations (wouldn't provide much protection though)
  • Should it be possible to configure multiple trusted endpoints? What would that look like?
  • How should this interact with the existing client-exposed authUrl property?
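
One way the receiving side could validate a request to the proposed trusted endpoint, including the header-based password idea, as an added example (not code from this project). `resolveTrustedUser`, `secretHeader` and `secret` are hypothetical names, and the path is assumed to be matched relative to the mount prefix.

```javascript
// Added example: hypothetical handler-side check, not this project's code.
const crypto = require('node:crypto');

// Constructed sample config; secretHeader/secret are hypothetical options.
const SAMPLE_CONFIG = {
  trustedEndpoint: {
    path: 'my-trusted-path',
    userIdHeader: 'X-Ssl-Cert-Hash',
    secretHeader: 'X-Proxy-Secret',
    secret: 'constructed-secret',
  },
};

// Constant-time comparison; hashing first equalises the lengths.
function safeEqual(a, b) {
  const h = (v) => crypto.createHash('sha256').update(String(v)).digest();
  return crypto.timingSafeEqual(h(a), h(b));
}

// Returns { userId } for an accepted request, { error } otherwise.
// `headers` uses lower-cased names, as Node's http module provides them.
function resolveTrustedUser(config, path, headers) {
  const t = config.trustedEndpoint;
  if (!t || path !== `/${t.path}`) return { error: 'not-trusted-path' };

  // Shared secret injected by the proxy: guards against the endpoint being
  // reachable without passing through the proxy's protected location.
  if (t.secretHeader) {
    const got = headers[t.secretHeader.toLowerCase()];
    if (typeof got !== 'string' || !safeEqual(got, t.secret)) {
      return { error: 'bad-proxy-secret' };
    }
  }

  // Fixed user ID for anybody able to reach the endpoint.
  if (t.userId) return { userId: t.userId };

  const id = headers[t.userIdHeader.toLowerCase()];
  // Fail closed on a missing or empty header. Node joins repeated headers
  // with ", ", so a comma means more than one value was received.
  if (typeof id !== 'string' || id.trim() === '' || id.includes(',')) {
    return { error: 'no-user-id' };
  }
  return { userId: id.trim() };
}
```

The secret only helps if the proxy sets it with `proxy_set_header` inside the protected location, so that any value supplied by the client is replaced.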