OAuth support
-
@girish said in OAuth support:
Besides it looks like SAML is the future and does not require upstream changes for proper SSO. We will consider supporting SAML instead in a future release.
SAML (while having support in enterprise environments) is not the future, it's the past as well. The future would be openid connect.
-
Hi @will,
SAML is basically "old tech". It's XML based and requires clients to generate keys through openssl which makes it in my experience both complex and difficult to set up for novice admins and also implement for developers. Apart from that SAML only works for browser based workflows.
Like I said before the one thing SAML has going for it is that its already well supported in enterprise applications. But I recently had a chat with someone involved in quite some university and government projects on the infrastructure side and he told me that he sees a trend to favour oidc over SAML recently.
An article with a comparison can be found at https://spin.atomicobject.com/2016/05/30/openid-oauth-saml/
PS: with Kopano Meet there is actually already an OpenID Connect provider present on Cloudron as all authentication is done through OIDC in it. What we use there is Go and React, but I am confident that there is code to be reused for Node as well.
-
It would seem that supporting Keycloak would be a great way to still only really have to maintain LDAP on the Cloudron side and then add support for OpenID Connect, OAuth 2.0
and SAML 2.0.I've never set up Keycloak though, so I can't speak to it's ease of use or maintaining, but it is often recommended when people talk about FOSS Identity and Access Management tools.
-
keycloak is a really good idea, didn't think about that. By which, i mean if we could have apps that provide additional saml/oidc support to cloudron, that is definitely way better than us re-inventing all this. Some of the universities Cloudron is deployed in uses Shibboleth which I am told support LDAP and OAuth2
-
I've wished for OAuth support for quite a few times already to support SSO to non-Cloudron apps. So in that case, Cloudron would serve as the identity provider for a third-party app. Kind of like Login with Cloudron.
That would require that one can register third party apps with their client id, client secret and callback URL though.
I have a little bit of experience with Keycloak. I know that U=using Keycloak would (also) support this use case, provided a Cloudron user has access to the Keycload administration interface.
-
I note that the lovely people at Indiehosters (all in French) have launched a new service called Liiibre which by default is a nicely integrated Nextcloud, OnlyOffice, Rocket.Chat, and Jitsi Meet.
And I read over on the Meet.coop forum that they are using Keycloak to power their SSO stuff, so that might be worth exploring.
Here is the relevant thread for info:
https://forum.meet.coop/t/hi-from-indiehosters-onboarding-process/343?u=jdaviescoatesBut see especially this post:
https://forum.meet.coop/t/hi-from-indiehosters-onboarding-process/343/8?u=jdaviescoatesEdit: and looking back up the thread I see Keycloak has already been proposed/ discussed above too.
-
@Lonk said in OAuth support:
• Liiibre
• KeycloakLiiibre is not an alternative to OAuth, it's the name of a service provided by Indiehosters, which uses Keycloak for SSO.
-
Redoing the list. Thank you guys for your feedback:
• OpenID Connect
• SAML
• OAuth2 (a Sign in with Cloudron feature of some kind I think)
• Keycloak
• GluuDid I miss any others anyone can think of? Not thinking of trying to integrate this anytime soon, just want to talk about what's the future to be prepared for it.
-
@Lonk said in OAuth support:
• OAuth2 (a Sign in with Cloudron feature of some kind I think)
I'm pretty sure OAuth2 is just version two of OAuth aka OAuth 2.0
-
@jdaviescoates said in OAuth support:
@Lonk said in OAuth support:
• OAuth2 (a Sign in with Cloudron feature of some kind I think)
I'm pretty sure OAuth2 is just version two of OAuth aka OAuth 2.0
It'd added because it's one of the alternative solutions suggested in the comments, the "Sign in with Cloudron" suggestion would most likely be based on it and I was listing protocols. I can't remember who suggested it and I'm not voting for it but I thought it deserved to be included with the list the community came up with. What do you think?
-
Guys, this discussion is moot.
The devs have already said that support for SSO is not happening in Cloudron until way more apps support it upstream, and it does not look like it's headed that way on the apps side.
Like they said, Cloudron used to support SSO with OAuth2, but almost no app used it, so they removed it. They're not gonna implement other SSO protocols in cloudron when app support is also just as bad.