[Research/Analysis] Support for RSS/Atom Feeds Behind SSO Protection #11

@Eliezergh

Summary

Investigate the feasibility of integrating RSS/Atom feeds that are protected by Single Sign-On (SSO) — such as enterprise-grade status pages (e.g., Atlassian Statuspage, Instatus, or custom internal pages) — into Syndi's existing feed consumption pipeline.

Background / Motivation

Many enterprise tools expose status or activity information via RSS/Atom feeds, but those feeds are gated behind SSO providers (e.g., Okta, Azure AD, Google Workspace, SAML 2.0, OAuth 2.0). Currently, Syndi is expected to fetch feeds that are publicly accessible or protected only by simple token/basic auth. Enterprise users may need Syndi to access feeds only reachable after an SSO authentication flow.

Goals

  • Understand what authentication flows are typically involved in SSO-protected RSS/Atom feeds.
  • Determine whether Syndi can participate in those flows (browser-based redirect, headless token exchange, service account credentials, etc.).
  • Identify any macOS-level APIs or keychain integration that could help manage SSO session tokens securely.
  • Assess the effort, risk, and scope of implementation.

Questions to Answer

  1. What SSO protocols are most common for enterprise status pages (SAML, OAuth 2.0, OIDC)?
  2. Can SSO-protected feeds be accessed via bearer/session tokens obtained outside the app (copy-paste by user), or must the full OAuth flow happen inside Syndi?
  3. Is there a standard pattern for refreshing SSO tokens for background/polling clients?
  4. What are the security implications of storing SSO tokens in the macOS Keychain?
  5. Are there existing Python libraries (e.g., requests-oauthlib, msal, python-saml) that could reduce implementation effort?
  6. Would this require a change to the feed source model in src/core.py?

Scope of Analysis

  • Survey common enterprise status page providers and their SSO feed access patterns.
  • Review how existing RSS clients (Reeder, NetNewsWire) handle authenticated feeds.
  • Prototype a minimal OAuth 2.0 token acquisition flow for a feed URL.
  • Evaluate macOS Keychain integration for secure token storage.
  • Document findings and propose an implementation approach or conclude it's out of scope.

Out of Scope (for now)

  • Actual implementation of SSO authentication (this is analysis only).
  • Support for non-RSS/Atom content behind SSO.

Acceptance Criteria (for the analysis)

  • A written technical assessment covering the questions above is produced.
  • A recommendation is made: implement, defer, or reject.
  • If recommended, a rough implementation plan and effort estimate are included.

Labels

research, enhancement, authentication, rss
