-
J jeau referenced this topic on
-
That might be a great idea if that works out. Just trying to get it up and running in the package. One question though is about the login redirect URI back to the app. Given that this package is very generic, I am not sure if we should define a route for callback on behalf of the app (which might make it hard to use depending on the actual app/code running in this lamp instance) OR the admin is required to manually add an OpenID client via the dashboard, instead of pre-provisioning that.
Any input here might help to decide on how to go about this.
-
That might be a great idea if that works out. Just trying to get it up and running in the package. One question though is about the login redirect URI back to the app. Given that this package is very generic, I am not sure if we should define a route for callback on behalf of the app (which might make it hard to use depending on the actual app/code running in this lamp instance) OR the admin is required to manually add an OpenID client via the dashboard, instead of pre-provisioning that.
Any input here might help to decide on how to go about this.
@nebulon awesome, glad you like the idea! and thanks for working on it. I was surprised there was no "pre-built" solution for securing a website with a login - sounds like this could be it!
Please do not pre-provision the client data. My use case would be with keycloak, so users are able to login there and access a members only website, as well as further services.
I would like to have the possibility of users self registering - which is impossible with cloudron (atm).
is there no way to auto-provision it with the cloudron data, but allow admins to edit the config? That way it would work "out-of-the-box" but could still be used with other IAMs.
-
Using an example setup, this works fine. Now we just need to decide if we should auto-provision oidc credentials with a fixed redirect callback URI or not.
If we do not pre-provision it, the Cloudron access controls won't be applied
-
Yeah the idea was to just setup an oidc client credentials set with a redirect URI for the app, but not actually configuring the lamp stack to also use this. Same as with LDAP credentials.
You can test the branch from https://git.cloudron.io/packages/lamp-app/-/tree/oidc-support?ref_type=heads if you know your way around building a custom app.
Once installed you have to create an OpenID client in your Cloudron dashboard with
/secure/redirect_uriand put the following in /app/data/apache/app.conf:# OIDCRedirectURI is a vanity URL that must point to a path protected by this module but must NOT point to any content OIDCRedirectURI https://<your.lampapp.domain>/secure/redirect_uri OIDCCryptoPassphrase somethingsecret OIDCProviderMetadataURL https://<my.example.com>/.well-known/openid-configuration OIDCClientID <clientId> OIDCClientSecret <secret>Then restart the app and then you may put those two lines in any
.htaccesswithin yourpublic/folder which you want to protect from public access:AuthType openid-connect Require valid-user -
@nebulon, so I finally got around to testing this:
authentication works (nice!) but the redirect url appends port 80 (
https://lampoidc.mydomain.com:80/) which results in an ssl error (SSL_ERROR_RX_RECORD_TOO_LONG)manualy removing the port then loads the page.
ai suggested adding this to the app.conf virtual host:
UseCanonicalName Off
UseCanonicalPhysicalPort Offwhich did not help...
any ideas?
