User Authentication with different backends
It would be great if the admin were able to configure different user authentication backends, instead of relying on the built-in database.
Backends of interest:
- IMAP (by server and domain)
- LDAP
- SMB
- FTP
If you use a reverse proxy, you can put the authentication at that layer so the node process does not need any modification.
However that is implemented, nothing should hook into the login process implemented on the CryptPad client. The /login/ and /register/ pages derive secret keys from users' credentials, and as such, user confidentiality relies on these credentials not being known by the server.
This type of thing is definitely possible but because the password is used to derive the root encryption keys, it is non-trivial to do it without effectively sharing all decryption keys with the LDAP server. However, if you are able to sponsor some development time, we could prioritize this on our roadmap. We're available for a discussion at [email protected]
The general idea would be to give the admin of the CryptPad instance the option to rely on a different backend, instead of using the built-in database.
For example IMAP auth: if you have a mail server running, every user who can authenticate themselves on the mail server also has an account on the CryptPad service. Thus users do not have to use different credentials to manage their pads.
Other services, for example Nextcloud, provide this handy feature. I will write you an email.
Due to the fact that this feature would expose another entry point for brute force attacks, it would be good to implement security features from the beginning. Just an idea: the client has to calculate a hash which is known by the server every time a login is done.
Copied from a private correspondence:
The matter of external login is a complex one, because we hash the password using scrypt and use the result as a secret key for encrypting the /drive/, which then has the keys to all of one's pads. So if we made CryptPad authenticate using LDAP or IMAP in the obvious way, the Zero Knowledge aspect would be gone because the authentication server would hold the key.
There might be some possible way to do double password or such thing which allows logging in while still protecting the confidentiality of the pads, but it seems non-trivial.
For any enterprise usage, ideally CryptPad would offer authentication via
- SAML
- OpenID Connect
- LDAP
All those methods are provided by an identity provider like Keycloak. SAML could also be achieved via Shibboleth. And LDAP is often available as a last resort, or if AD is the only choice.
This would be a very welcome feature indeed.
I would be fine with a clearly defined trade-off: zero knowledge, or external authentication (choose one). If somebody is setting external auth for something like Cryptpad, that's often in an organizational setting where the zero knowledge part might not be crucial.
Another way to do this would be to have the external auth service provide an additional attribute accessible only in the browser (OpenID Connect makes this possible via JWTs; almost certainly SAML does too) and used by browser-side JS the way the password is used currently.
I'm going to close this issue since we have no plans to implement the requested behaviour. If you're interested in sponsoring development costs I'll certainly reconsider. In that case, you can contact [email protected]
OAuth / OpenID Connect would be great, to be able to offer a CryptPad instance in larger organizations that have their own identity management system (such as Keycloak).
That's true, it would be great to have OpenID Connect and/or SAML authentication.
I really would appreciate the OpenID Connection login. Also, I would be willing to pay some money – the question here is: how much would be appropriate?
I appreciate your willingness to compensate us for our time! That's unfortunately rare in open-source.
I would expect at least one week of full-time development to integrate OpenID into both the client and the server. Our standard rate for one day of consulting is 1000€, so assume a minimum of 5000€ for a first version and more if additional requirements are introduced.
If multiple organizations were willing to sponsor this development in coordination it would become much more affordable. Perhaps @xshadow, @rasos, @rysiekpl, or @sbernhard could help to split the costs?
Is this still open to fund, or already ongoing? In case one would like to help fund this, where?
Not sure what came out of this: https://nlnet.nl/project/CryptPad-Auth/
Thanks for the link. I could not find further info on this matter; could anyone answer what the result/status is?
I stumbled upon: https://blog.cryptpad.org/2023/02/28/status-2023-02/
🔑 🪪 AUTH officially starts
We are happy to announce that we have finally signed off the CryptPad AUTH project …
Could this issue be reopened please given there is work being done on this but is not complete?
LDAP would be nice so a Cryptpad install I'm trying (for a small community group) can use the YunoHost turnkey private cloud distro SSO. (No idea how Nextcloud SSO works.)
P.S. I also see https://ci.linagora.com/nparquet/cryptpad-sso-setup but I guess it's outdated, no time or energy to check/test right now.
Edit: also #749 #807
This PR looks very promising! 🤩
Hi! I'd just like to leave a note here that people need to install the SSO plugin:
https://github.com/cryptpad/sso
I've just spent a good hour diagnosing why /api/config was returning sso: false, even though I had filled in the SSO config file :)