
Auth with OIDC

Open kernelkaribou opened this issue 2 years ago • 11 comments

Is your feature request related to a problem?

I heavily use Authelia in my self-hosted environment and try to use only services that can authenticate through HTTP headers from the reverse proxy or OIDC.

Describe the solution you'd like

It would be great to be able to authenticate through other methods such as OIDC or other remote auth options.

Additional context

I am not an expert in this space, but I know that other services like Octoprint or Paperless-ngx offer the ability to do authentication through HTTP headers. Not sure how that works given you utilize an email for users.

kernelkaribou avatar Nov 22 '22 02:11 kernelkaribou

+1 on OIDC

Check this out, if you're familiar with Go; I'm more of a Python guy though, not much help lol.

https://pkg.go.dev/github.com/coreos/go-oidc/v3/oidc

This will allow authentication against any OIDC provider: Google, Auth0, Keycloak, Authelia, Authentik, etc.

firestrife23 avatar Nov 22 '22 19:11 firestrife23

I would be happy to use an auth proxy, like, for example, how Grafana does to be able to auth with Cloudflare Access.

alfeg avatar Nov 28 '22 12:11 alfeg

I can confirm this works with Authelia right now 👍

peterbuga avatar Oct 21 '23 13:10 peterbuga

Working configuration for Authelia:

Server side (in configuration.yml):

identity_providers:
  oidc:
    # Authelia registers relying parties as a list under identity_providers.oidc.clients
    clients:
      - id: memos
        description: memos
        secret: 'insertsecrethere'
        public: false
        authorization_policy: two_factor
        redirect_uris:
          - https://URL_OF_MEMOS/auth/callback
        scopes:
          - openid
          - profile
          - email
        grant_types:
          - authorization_code
        userinfo_signing_algorithm: none

Client side (in memos):

| Field                  | Value                                               |
|------------------------|-----------------------------------------------------|
| Name                   | Authelia                                            |
| Identifier Filter      |                                                     |
| Client ID              | memos                                               |
| Client secret          | insert_secret_here                                  |
| Authorization endpoint | https://auth.example.com/api/oidc/authorization     |
| Token endpoint         | https://auth.example.com/api/oidc/token             |
| User endpoint          | https://auth.example.com/api/oidc/userinfo          |
| Scopes                 | openid profile email                                |
| Identifier             | preferred_username                                  |
| Display Name           | given_name                                          |
| Email                  | email                                               |

Hobbabobba avatar Nov 10 '23 20:11 Hobbabobba

Hi @Hobbabobba, thanks for sharing your config. This looks very promising. Unfortunately, I am only seeing a spinning wheel after authorising with Authelia.


Did any part of this change in the meantime? I cannot see any errors in the logs.

RosaEinhorn avatar Feb 10 '24 22:02 RosaEinhorn

No changes on either Authelia or Memos side. Feels like this part of your configuration has a problem:

      redirect_uris:
        - https://URL_OF_MEMOS/auth/callback

Hobbabobba avatar Feb 11 '24 11:02 Hobbabobba

I'd like to heavily upvote the request for proxy authentication because it is just so simple and elegant.

The perfect proxy auth feature for me would work like this:

  1. Start the app with additional environment variables:
     • containing the name of the initial admin user (e.g. admin=admin_user)
     • enabling proxy auth (e.g. proxy_auth=true)
     • setting the key of the HTTP header that contains the username (e.g. auth_header=X-Authenticated-User)
  2. Configure the reverse proxy to authenticate incoming requests in any way you like.
  3. Let the reverse proxy set X-Authenticated-User to the authenticated username on every request.
  4. The app treats the requests as if they belong to the appropriate user session.
  5. Bonus: if the app does not know the username, it creates a new user with that name.

Other SSO methods like OIDC still require the user to log in with each app, even if no credentials are required. It is still an additional step that is unneeded and hurts the user experience.

Here are some examples of apps that feature proxy authentication: FreshRSS, LinkDing, Navidrome.

Additional context: I am using the app for this product. Since this is a single-user platform, users really should see no login screen at all, not even for SSO.

max-tet avatar Mar 13 '24 18:03 max-tet
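The scheme in the comment above, as an added Go example that is not memos code: a handler wrapper that resolves the user from the proxy-set header, auto-creates unknown users, and gives the configured admin name the admin role. It adds one check the list does not spell out: the header is honoured only when the request's source address belongs to the reverse proxy (TrustedCIDRs), because a client that can reach the app port directly could otherwise set X-Authenticated-User itself. The type and function names, the trusted-range setting and the in-memory UserStore are assumptions made for the example.

```go
package main

import (
	"errors"
	"net"
	"net/http"
	"strings"
)

// ProxyAuthConfig holds the settings the comment proposes (auth_header, admin).
// TrustedCIDRs is an assumed addition: the header is only honoured when the
// request reached the app from the reverse proxy itself.
type ProxyAuthConfig struct {
	HeaderName   string
	AdminUser    string
	TrustedCIDRs []*net.IPNet
}

var (
	ErrUntrusted   = errors.New("request did not come from a trusted proxy")
	ErrBadUsername = errors.New("auth header missing or not a valid username")
)

// NewProxyAuthConfig parses the trusted proxy ranges, e.g. "10.0.0.0/8".
func NewProxyAuthConfig(header, admin string, cidrs ...string) (*ProxyAuthConfig, error) {
	c := &ProxyAuthConfig{HeaderName: header, AdminUser: admin}
	for _, s := range cidrs {
		_, n, err := net.ParseCIDR(s)
		if err != nil {
			return nil, err
		}
		c.TrustedCIDRs = append(c.TrustedCIDRs, n)
	}
	return c, nil
}

// fromTrustedProxy reports whether the TCP peer is one of the proxy addresses.
func (c *ProxyAuthConfig) fromTrustedProxy(remoteAddr string) bool {
	host, _, err := net.SplitHostPort(remoteAddr)
	if err != nil {
		host = remoteAddr // address without a port component
	}
	ip := net.ParseIP(host)
	for _, n := range c.TrustedCIDRs {
		if ip != nil && n.Contains(ip) {
			return true
		}
	}
	return false
}

// validUsername keeps the asserted name to a conservative character set so the
// header cannot smuggle separators or control characters into the user table.
func validUsername(s string) bool {
	if s == "" || len(s) > 64 {
		return false
	}
	for _, r := range s {
		if !(r >= 'a' && r <= 'z' || r >= 'A' && r <= 'Z' || r >= '0' && r <= '9' ||
			r == '.' || r == '_' || r == '-' || r == '@') {
			return false
		}
	}
	return true
}

// ResolveUser returns the username the proxy asserts for r (step 4 of the
// comment), or an error when the header must not be trusted.
func (c *ProxyAuthConfig) ResolveUser(r *http.Request) (string, error) {
	if !c.fromTrustedProxy(r.RemoteAddr) {
		return "", ErrUntrusted
	}
	v := strings.TrimSpace(r.Header.Get(c.HeaderName))
	if !validUsername(v) {
		return "", ErrBadUsername
	}
	return v, nil
}

// UserStore stands in for the app's user table, username -> role (constructed, in-memory).
type UserStore map[string]string

// GetOrCreate is the "bonus" step: unknown names become new users, and only the
// configured admin name receives the admin role.
func (s UserStore) GetOrCreate(c *ProxyAuthConfig, name string) (role string, created bool) {
	if role, ok := s[name]; ok {
		return role, false
	}
	role = "user"
	if name == c.AdminUser {
		role = "admin"
	}
	s[name] = role
	return role, true
}

// Middleware rejects requests it cannot attribute and calls next with the resolved username.
func Middleware(c *ProxyAuthConfig, s UserStore, next func(http.ResponseWriter, *http.Request, string)) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		user, err := c.ResolveUser(r)
		if err != nil {
			http.Error(w, "unauthorized: "+err.Error(), http.StatusUnauthorized)
			return
		}
		s.GetOrCreate(c, user)
		next(w, r, user)
	})
}
```

Wrap the app's router with Middleware and bind the app only to an address the proxy can reach; with the trusted-range check in place, a request that arrives with the header but not from the proxy gets 401 instead of a session.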

(quoting Hobbabobba's working Authelia configuration posted above)

I had to add this line to the configuration.yml based on the error logs from memos.

token_endpoint_auth_method: 'client_secret_post'

2024/04/08 05:39:54 INFO client error method=/memos.api.v2.AuthService/GetAuthStatus error="rpc error: code = Unauthenticated desc = user not found"
2024/04/08 05:39:54 ERROR server error method=/memos.api.v2.AuthService/SignInWithSSO error="rpc error: code = Internal desc = failed to exchange token, err: failed to exchange access token: oauth2: \"invalid_client\" \"Client authentication failed (e.g., unknown client, no client authentication included, or unsupported authentication method). The request was determined to be using 'token_endpoint_auth_method' method 'client_secret_post', however the OAuth 2.0 client registration does not allow this method.\""

aattwwss avatar Apr 08 '24 05:04 aattwwss
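The token exchange behind the invalid_client error in the log above, and behind the token endpoint in Hobbabobba's client-side table, as an added Go example that is neither memos' nor Authelia's code. NewFakeTokenEndpoint is a constructed stand-in for the provider's token endpoint in which the client is registered with exactly one allowed authentication method; ExchangeCode is the relying-party side and can authenticate with either client_secret_basic or client_secret_post. Client id, secret, code and redirect URI values are placeholders.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// Client authentication methods for the token endpoint (RFC 6749 section 2.3.1).
const (
	ClientSecretBasic = "client_secret_basic" // credentials in the Authorization header
	ClientSecretPost  = "client_secret_post"  // credentials in the form body
)

// NewFakeTokenEndpoint is a constructed stand-in for the provider's token
// endpoint. The client is registered with exactly one allowed method; any other
// method, or a wrong secret, gets RFC 6749's invalid_client error, which is the
// error class the memos log above reports.
func NewFakeTokenEndpoint(clientID, secret, allowedMethod string) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Type", "application/json")
		if err := r.ParseForm(); err != nil {
			w.WriteHeader(http.StatusBadRequest)
			json.NewEncoder(w).Encode(map[string]string{"error": "invalid_request"})
			return
		}
		var used, id, sec string
		if u, p, ok := r.BasicAuth(); ok {
			id, _ = url.QueryUnescape(u) // RFC 6749 form-encodes both values before Basic
			sec, _ = url.QueryUnescape(p)
			used = ClientSecretBasic
		} else if r.PostForm.Get("client_secret") != "" {
			id, sec, used = r.PostForm.Get("client_id"), r.PostForm.Get("client_secret"), ClientSecretPost
		}
		if used != allowedMethod || id != clientID || sec != secret {
			w.WriteHeader(http.StatusUnauthorized)
			json.NewEncoder(w).Encode(map[string]string{
				"error":             "invalid_client",
				"error_description": fmt.Sprintf("client registration does not allow method %q", used),
			})
			return
		}
		if r.PostForm.Get("grant_type") != "authorization_code" || r.PostForm.Get("code") == "" {
			w.WriteHeader(http.StatusBadRequest)
			json.NewEncoder(w).Encode(map[string]string{"error": "invalid_grant"})
			return
		}
		json.NewEncoder(w).Encode(map[string]any{
			"access_token": "constructed-access-token", "token_type": "Bearer", "expires_in": 3600,
		})
	}))
}

// ExchangeCode redeems an authorization code at tokenURL, authenticating the
// client with the requested method, and returns the access token or the
// provider's OAuth error.
func ExchangeCode(tokenURL, clientID, secret, code, redirectURI, method string) (string, error) {
	form := url.Values{
		"grant_type":   {"authorization_code"},
		"code":         {code},
		"redirect_uri": {redirectURI},
		"client_id":    {clientID},
	}
	if method == ClientSecretPost {
		form.Set("client_secret", secret)
	}
	req, err := http.NewRequest(http.MethodPost, tokenURL, strings.NewReader(form.Encode()))
	if err != nil {
		return "", err
	}
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	if method == ClientSecretBasic {
		req.SetBasicAuth(url.QueryEscape(clientID), url.QueryEscape(secret))
	}
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	if err != nil {
		return "", err
	}
	var out struct {
		AccessToken string `json:"access_token"`
		Error       string `json:"error"`
		Description string `json:"error_description"`
	}
	if err := json.Unmarshal(body, &out); err != nil {
		return "", err
	}
	if out.Error != "" {
		return "", fmt.Errorf("oauth2: %q %q", out.Error, out.Description)
	}
	return out.AccessToken, nil
}
```

The method the client uses and the method the provider registered for that client must agree; either side can be changed, and the token_endpoint_auth_method line in the comment above is the provider-side way of doing that for Authelia.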

Did anyone try to use OAuth/OIDC with Memos and KanIDM?

alexanderadam avatar Apr 14 '24 21:04 alexanderadam

This is working great with Authentik. I assume this can be closed out as delivered?

joestump avatar Apr 15 '24 22:04 joestump

I would still love to see a proxy auth option as described above. Should this be another ticket then?

max-tet avatar Apr 16 '24 08:04 max-tet