Feature Request: Add OIDC authentication
Is your feature request related to a problem? Please describe.
Currently, there is no 2nd factor for authentication, which makes one's setup of Checkmate vulnerable to brute-force attacks, especially when using a bad or reused password.
It would be sensible and/or appreciated to also implement a 2nd factor for email/password authentication and/or Passkeys, but from my experience it's easier to just allow OpenID Connect first. Most IDPs have these security features already implemented.
Describe the solution you'd like
Implement an additional login/signup method with an arbitrary OIDC identity provider (like Authentik, Keycloak, Azure, etc.) to handle the complete authentication. Security-wise it would be good to be able to disable email + password authentication (because of the possible security implications of password auth mentioned above) if you choose to use an external IDP. In a later expansion you could also add authorization features OIDC provides (e.g. Team selection).
Describe alternatives you've considered
-
You could follow many sites by adding support for specific OAuth providers (most of them are also just OIDC) like "Log in with..." Google, Apple, Azure, Meta, GitHub, etc. Because a generic OIDC implementation would cover most IDPs, I'd suggest starting with the generic alternative. Additionally you can imagine that these "free" IDPs do collect user data, so it's a questionable alternative, though easier to configure for the end user. Many sites allowing login through social media providers also allow generic OIDC.
-
Implement a 2nd factor inside your app yourself, preferably with Google Authenticator (free for you and the user), which many password managers are able to fill in automatically.
Additional context
This proposal stems from a question in your Discord :) @gorkem-bwl
Thanks for this. Let's implement after the imminent release, 2.1
Is this a highly requested feature for a self hosted application? This would make sense in a SaaS context, I have a feeling 2FA would just annoy a lot of users running Checkmate on their local network.
If we did implement it I think it would be a good idea to make it opt in rather than enabled by default. 2FA really annoys me when I don't need it.
@ajhollid Well yeah, I'd make it all optional too :) And the project is imho very attractive for larger, non-homelab installations as well, which would make this a good feature to have :)
I've noticed that many for-profit SaaS companies only enable features like OAuth in the most expensive tiers, so it's such a highly requested feature that SaaS customer-companies are willing to pay extra for it :) (Example https://slack.com/intl/en-gb/pricing or https://miro.com/pricing/ etc.)
Agreed. Unless we enable this by default, we are good to go here.
Tell me 3 more features you'd like to see which will make Checkmate suitable for larger installations :)
I mean it's nice as it is :) But if there were unlimited development resources ^^:
- Public facing Uptime Monitor like https://uptimerobot.com/status-page/, incl. custom CSS, multiple status sites that can have multiple uptime monitors on them [not a priority for me but I guess every SaaS service has something like this]
- Editability of created Entities (like edit an Infrastructure monitor) [would be really helpful]
- Automatic docker analysis charts like in Beszel[1]
- (Disk utilization chart)
I could go on :) :D But no worries, it's a nice piece of software :)
BTW the infrastructure collector agent installation could be a bit easier, e.g. you have to memorize that you have to add /api/v1/metrics in the URL field (which is by default http(?)). You could also think about a scenario where you can't open a port on a node but let the agents open a connection to the Checkmate app to report (see Portainer)
Thanks for those. My comments.
- Public facing status page will be in the next release. Alex has already built it, and we are testing it right now. Currently no CSS, no multiple pages. Just a single status page + logo + a few config options that should do the trick. In the future, we can definitely add.
- Issue is there for the next release: https://github.com/bluewave-labs/Checkmate/issues/1277
- There is also an issue for this.
- Do you want the current one to be better in terms of UX / featureset?
BTW the infrastructure collector agent installation could be a bit easier, e.g. you have to memorize that you have to add /api/v1/metrics in the URL field (which is by default http(?)). You could also think about a scenario where you can't open a port on a node but let the agents open a connection to the Checkmate app to report (see Portainer)
Good point. Can you add an issue for this so we can track it?
(Disk utilization chart)
I meant the Disk "utilization" (vs. Disk capacity left). Recently, I had the issue that an HDD was constantly at 100% "utilization". As I later found out, it was caused by the Coolify Sentinel, which was writing continuously. This was hard to notice; the system was just slow and I didn't know why, until I saw the 100% value in htop.
OK, I assume you are talking about this area right?
We have the total disk and utilized disk. I have been talking to @mertssmnoglu about adding all the disks found and not only the root disk, so they can appear here.
@gorkem-bwl Thanks, but these are just ideas—I don't know if other people feel these things are needed too. :D
And no, I don't mean this graph; it's very useful and should stay. I had this problem:
Here is another graph:
I hope I explained the difference well enough. :) I'm not really sure which exact metric is the most informative. For example, my Netdata (the graphs above are from Netdata as well) alerted me about the "Disk Backlog [time]" on my disks, basically saying that it took 10 seconds(!) to process a write request. One has to analyze which value, and where to get it from, to determine the most meaningful metric.
That said, I think this metric is not that important for most people because the problem is almost non-existent on SSDs. :)
OIDC/OAuth2 is the sole reason I haven't switched to Checkmate yet. Once we have that, I'll be deploying across our company's infrastructure as well and proudly share dashboards and configs with my peers. I'm also very excited to see the release with more notification options (namely Discord and Telegram, although "generic webhooks" (which can be used in something like n8n) would already be a nice step-up). And while I agree that quite a few software products put it behind a premium license, I really, seriously, hate that (looking at you, DocuSeal), as we are forced to resort to reverse-proxy authentication instead (for ex., Cloudflare Zero Trust), which has some downsides as well. All in all, it doesn't quite "stop" us from using SSO, it just makes it that much more annoying.
Personally speaking, I don't want my parents to memorize passwords (or store yet another password in the "already complicated" password manager that they're using); I want to write their [email protected] address on an ACL somewhere, and they just click to login, easy-peasy. Not only does it make the application safe against brute forcing (Google deals with that instead), but it's less of a headache from a user's point of view. Thank you ActualBudget, Paperless, Immich, Beszel and countless others for making it available for an admin to configure by themselves...
@Chinoman10 @jk779 hi guys - a few questions if you don't mind before we start implementing OIDC/OAuth2:
- Which OIDC/OAuth2 provider(s) are you using?
- Do you require RBAC or just basic authentication?
- What token expiration and refresh policies do you follow? (if any)
Many thanks!
- Which OIDC/OAuth2 provider(s) are you using?
- a. Google for now, as it's the most mainstream/normie-friendly; GitHub is often a good choice too, though I personally never deployed that one. We use Google Workspaces at our company and everyone in my family has a @gmail account, so it's a no-brainer for us.
- b. Yesterday I came across ValueMelody/melody-auth though, which is a self-deployed (hosted 100% on Cloudflare) alternative 🤔 sounds interesting...
- Do you require RBAC or just basic authentication?
Some level of RBAC at the application layer is commonplace and welcomed; some 'hardcore' integrations (such as Stripe's) do it as well at the OIDC provider level, but Stripe is literally the only one I've seen doing this. TL;DR: If you allow us to 'whitelist' a user before they attempt to login (either through an ID or an email, whatever the OIDC provider uses), and give them the respective roles & accesses, that's already good for me (if you make it available via the API, then enterprises would more easily adopt it too, as they can script their way through adding all the DevOps engineers and so on).
- What token expiration and refresh policies do you follow? (if any)
Really depends on the application, how mission-critical it is, what the potential damage is, and so on... The default could be 1 week if it isn't too important, or 12h or 1d (just a day's work) for infrequent but critical access (think how banks usually expire your session after just a few minutes). As for refreshing, I'd take a wild guess and just refresh it at a percentage of the expiration range (if it expires after a week, refresh once per day; if it expires after 1 day, refresh every hour, for example); but again, these should only be defaults anyway (and I'm not the best source for default best practices to be honest, I'm just sharing a personal opinion).
Any update? Please add OIDC support 🙏
Hello @viriatusX - unfortunately no update yet. I feel like it will take some time before we can add this - just to set expectations :)
Just tried this on PikaPods. But no 2FA, no SAML, no OIDC (I use Infomaniak Authy for that). I don't understand this. And this I find disturbing:
If we did implement it I think it would be a good idea to make it opt in rather than enabled by default. 2FA really annoys me when I don't need it.
Every online service needs 2FA these days, in some form or another. It's a pity, because the project is really amazing for the rest. 2FA should be the fundament of every digital service... I hope you will prioritise this soon!
Thank you for this @kMikaZu ! :) This is definitely on our radar.
+1 Would also love OIDC support as an alternate login method for Checkmate!
I use PocketID for most of my self hosted apps, it would be great to have this as an option.
+1 please 🙏
+1
Definitely hope this gets added. It's nearly a must have for companies (at least if they know what they're doing ;) ) and really great for homelabs. Having an option to manage your users centrally so they could access all the services using the same login is such a nice feature. On my end - if I have to deal with more than 3 apps (no matter home or at work) OIDC support is among the first things I look for.
I think a generic OIDC implementation would be the best choice - it's well documented and also easy to handle from the admin perspective. And it would allow working with most of the providers (Okta, Keycloak, Authentik, ...).
Any news on this matter?
Unfortunately no. We are a bit swamped with other priorities. Just fyi, you can always sponsor a feature you want to see in Checkmate - here are the details: https://checkmate.so/sponsored-features
I would also like to see OIDC. We and our customers use Authentik. I might look into forking and doing a pull request, but I am swamped right now.
+1 from me to see OIDC implemented. I use Authentik and would love to integrate Checkmate.
Would be awesome