hortusfox-web

External authentication

Open flisk opened this issue 1 year ago • 4 comments

Is there any interest/plan to implement external authentication mechanisms (something like LDAP or OpenID), or is that out of scope?

flisk, Mar 13 '24 14:03

This was suggested by someone on Reddit before. Might take a while at least for LDAP because first I'd have to set up a domain controller environment to test this. I'd rather go with OpenID here because this better fits the philosophy of open-source and self-hosted software.

danielbrendel, Mar 14 '24 01:03

OpenID would definitely be useful, especially when pairing with Authentik/Keycloak etc.

modem7, Mar 24 '24 00:03

+1 for OpenID, but the fastest/easiest might be upstream authentication headers. The header names should be configurable, and admins just plug in whatever their ingress/proxy/whatever sends.

There is a decent writeup about that method on authentik's page. By default, they use X-authentik-* with username, email, uid, groups, etc all provided automatically.

From a security standpoint, it must be behind a proxy if the headers are accepted. Otherwise an attacker could provide false account information. (Many implementations have a whitelist of proxies, using IP or CIDR, and then reject auth headers from anywhere else.)

disconn3ct, Apr 05 '24 19:04
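
The proxy allowlist described in the comment above, sketched as an added example (not part of the thread and not HortusFox's implementation). The network ranges, `TRUSTED_PROXIES`, `USER_HEADER` and the function names are assumptions; `X-authentik-username` follows the `X-authentik-*` naming mentioned above.

```python
import ipaddress

# Assumed configuration (hypothetical names). Networks are constructed samples.
TRUSTED_PROXIES = [ipaddress.ip_network(n)
                   for n in ("10.0.0.5/32", "172.18.0.0/16", "fd00::/64")]
USER_HEADER = "X-authentik-username"


def is_trusted_peer(remote_addr, trusted=TRUSTED_PROXIES):
    """True only if the TCP peer address lies inside a trusted proxy network."""
    try:
        addr = ipaddress.ip_address(remote_addr)
    except ValueError:
        return False  # unparsable peer address: fail closed
    # Dual-stack listeners report IPv4 peers as ::ffff:a.b.c.d; unwrap them.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return any(addr.version == net.version and addr in net for net in trusted)


def authenticate(remote_addr, headers):
    """Return (username, reason); header names are matched case-insensitively.

    The identity header is honoured only when the direct peer is a trusted
    proxy. X-Forwarded-For is never consulted: the client controls it.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    claimed = lowered.get(USER_HEADER.lower(), "").strip()
    if not is_trusted_peer(remote_addr):
        # Identity headers from anywhere else are ignored and flagged.
        reason = "untrusted-peer-header-rejected" if claimed else "untrusted-peer"
        return None, reason
    if not claimed:
        return None, "no-identity-header"
    return claimed, "ok"


# Constructed sample requests: (peer address, request headers)
SAMPLES = [
    ("172.18.0.3", {"X-Authentik-Username": "alice"}),        # via proxy
    ("203.0.113.9", {"x-authentik-username": "admin",
                     "X-Forwarded-For": "172.18.0.3"}),       # direct, forged
    ("::ffff:10.0.0.5", {"X-authentik-username": "bob"}),     # dual-stack peer
    ("172.18.0.3", {}),                                       # proxy, no login
]

if __name__ == "__main__":
    for peer, hdrs in SAMPLES:
        print(peer, authenticate(peer, hdrs))
```

The `untrusted-peer-header-rejected` outcome is worth logging, since a legitimate client has no reason to send the identity header itself.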

Proxy auth would be nice to have if it's not possible to disable authentication completely. Because for my use case, the plants are in the house, so I just need the dashboard to be open to anyone in the home.

FSchiltz, May 03 '24 07:05

I'm leaving this link. It's designed for login via socials (Telegram, FB, Google, Apple, etc.) to Nextcloud: https://github.com/zorn-v/nextcloud-social-login

Hoping someone can implement it

mzb2xeo, Sep 12 '24 22:09

Header authentication is now implemented. If any bugs occur, please raise another bug report issue, so I can fix this.

Regarding OpenID, I have yet to find a good package, but majorly evaluate how this can be implemented within the current project structure. For now I don't know if it is even required, because I assume many are using an authentication service such as Authentik, so a direct OIDC would not even be required due to the SSO feature via headers. If that is not the case, please create another issue or DM me on Discord/Mastodon.

danielbrendel, Sep 23 '24 13:09