OAuth support
-
Keycloak is a really good idea, didn't think about that. By which I mean, if we could have apps that provide additional SAML/OIDC support to Cloudron, that is definitely way better than us re-inventing all this. Some of the universities Cloudron is deployed in use Shibboleth, which I am told supports LDAP and OAuth2.
-
I've wished for OAuth support for quite a few times already to support SSO to non-Cloudron apps. So in that case, Cloudron would serve as the identity provider for a third-party app. Kind of like Login with Cloudron.
That would require that one can register third party apps with their client id, client secret and callback URL though.
I have a little bit of experience with Keycloak. I know that using Keycloak would (also) support this use case, provided a Cloudron user has access to the Keycloak administration interface.
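The "Login with Cloudron" idea above needs the identity provider to hold a registry of third-party apps (client id, client secret, callback URL) and to enforce it during the OAuth2 authorization-code exchange. The following is an added illustration, not code from Cloudron or from this thread: a minimal in-memory authorization server with the checks such a registry exists for (exact-match redirect URI, constant-time client-secret comparison, short-lived single-use codes bound to the client and redirect URI they were issued for). The client name `demo-app` and its callback URL are constructed for the example.

```python
import hmac
import secrets
import time
from dataclasses import dataclass


@dataclass
class Client:
    client_id: str
    client_secret: str
    redirect_uris: tuple  # exact-match allow-list; no wildcards or prefix matching


@dataclass
class AuthCode:
    client_id: str
    redirect_uri: str
    user: str
    issued_at: float
    used: bool = False


class AuthorizationServer:
    CODE_TTL = 60  # seconds; authorization codes are short-lived and single-use

    def __init__(self):
        self.clients = {}
        self.codes = {}

    def register_client(self, client_id, redirect_uris):
        """Register a third-party app and hand back its generated secret."""
        secret = secrets.token_urlsafe(32)
        self.clients[client_id] = Client(client_id, secret, tuple(redirect_uris))
        return secret

    def authorize(self, client_id, redirect_uri, user, now=None):
        """Authorization endpoint: issue a code only to a known client/redirect pair."""
        client = self.clients.get(client_id)
        if client is None:
            raise ValueError("unknown client_id")
        if redirect_uri not in client.redirect_uris:
            raise ValueError("redirect_uri not registered for this client")
        code = secrets.token_urlsafe(32)
        issued = time.time() if now is None else now
        self.codes[code] = AuthCode(client_id, redirect_uri, user, issued)
        return code

    def exchange(self, client_id, client_secret, code, redirect_uri, now=None):
        """Token endpoint: authenticate the client, then redeem the code once."""
        client = self.clients.get(client_id)
        if client is None or not hmac.compare_digest(client.client_secret, client_secret):
            raise ValueError("client authentication failed")
        entry = self.codes.get(code)
        if entry is None or entry.used:
            raise ValueError("invalid or already used code")
        entry.used = True  # burn the code before any further check, so a replay always fails
        current = time.time() if now is None else now
        if current - entry.issued_at > self.CODE_TTL:
            raise ValueError("code expired")
        if entry.client_id != client_id or entry.redirect_uri != redirect_uri:
            raise ValueError("code was not issued to this client and redirect_uri")
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer", "sub": entry.user}


def demo_flow():
    """Run the happy path plus the rejections a registry must produce; returns the outcomes."""
    srv = AuthorizationServer()
    callback = "https://demo-app.example/callback"  # constructed
    secret = srv.register_client("demo-app", [callback])
    outcomes = {}
    code = srv.authorize("demo-app", callback, "alice", now=1000.0)
    outcomes["subject"] = srv.exchange("demo-app", secret, code, callback, now=1010.0)["sub"]
    for label, args in {
        "replay": ("demo-app", secret, code, callback, 1011.0),
        "wrong_secret": ("demo-app", "not-the-secret", srv.authorize("demo-app", callback, "alice", now=1000.0), callback, 1010.0),
        "expired": ("demo-app", secret, srv.authorize("demo-app", callback, "alice", now=1000.0), callback, 1200.0),
    }.items():
        try:
            srv.exchange(*args)
            outcomes[label] = "accepted"
        except ValueError:
            outcomes[label] = "rejected"
    try:
        srv.authorize("demo-app", "https://evil.example/callback", "alice", now=1000.0)
        outcomes["foreign_redirect"] = "accepted"
    except ValueError:
        outcomes["foreign_redirect"] = "rejected"
    return outcomes


if __name__ == "__main__":
    print(demo_flow())
```

The redirect URI check is the one that matters most for a self-hosted IdP: a code delivered to an unregistered callback is a code handed to whoever controls that host, so the allow-list is compared by exact string match rather than by prefix.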
-
I note that the lovely people at Indiehosters (all in French) have launched a new service called Liiibre which by default is a nicely integrated Nextcloud, OnlyOffice, Rocket.Chat, and Jitsi Meet.
And I read over on the Meet.coop forum that they are using Keycloak to power their SSO stuff, so that might be worth exploring.
Here is the relevant thread for info:
https://forum.meet.coop/t/hi-from-indiehosters-onboarding-process/343?u=jdaviescoates
But see especially this post:
https://forum.meet.coop/t/hi-from-indiehosters-onboarding-process/343/8?u=jdaviescoates
Edit: and looking back up the thread I see Keycloak has already been proposed/discussed above too.
-
@Lonk said in OAuth support:
• Liiibre
• Keycloak
Liiibre is not an alternative to OAuth, it's the name of a service provided by Indiehosters, which uses Keycloak for SSO.
-
Redoing the list. Thank you guys for your feedback:
• OpenID Connect
• SAML
• OAuth2 (a Sign in with Cloudron feature of some kind I think)
• Keycloak
• Gluu
Did I miss any others anyone can think of? Not thinking of trying to integrate this anytime soon, just want to talk about what the future is, to be prepared for it.
-
@Lonk said in OAuth support:
• OAuth2 (a Sign in with Cloudron feature of some kind I think)
I'm pretty sure OAuth2 is just version two of OAuth aka OAuth 2.0
-
@jdaviescoates said in OAuth support:
@Lonk said in OAuth support:
• OAuth2 (a Sign in with Cloudron feature of some kind I think)
I'm pretty sure OAuth2 is just version two of OAuth aka OAuth 2.0
It was added because it's one of the alternative solutions suggested in the comments; the "Sign in with Cloudron" suggestion would most likely be based on it, and I was listing protocols. I can't remember who suggested it and I'm not voting for it, but I thought it deserved to be included in the list the community came up with. What do you think?
-
Guys, this discussion is moot.
The devs have already said that support for SSO is not happening in Cloudron until way more apps support it upstream, and it does not look like it's headed that way on the apps side.
Like they said, Cloudron used to support SSO with OAuth2, but almost no app used it, so they removed it. They're not gonna implement other SSO protocols in cloudron when app support is also just as bad.
-
@mehdi Well, that's why I kept this conversation going. To see if it was pointless. I know that anything would need widespread upstream app support, and I was curious which one is winning the race, if anyone knew. Maybe none of them are.
-
Btw OAuth3 is around the corner and, as far as I understood it, it won't help much with the mess OAuth generally has caused.
All OAuth versions are structurally not well suited for a use case like Cloudron. The issue is that they have a central auth authority in mind (Google, Facebook, ...), whereas with Cloudron each Cloudron is its own authority, which leads to even more issues with app support. So this is one reason which led us to simply not pursue this further.
To give more insight into our decision: LDAP won thus far. It has drawbacks (lack of 2FA and real SSO) but generally works well with the applications' UI flows and is by far the most supported and standardized one.
-
@mehdi Doesn't software like Gluu and Keycloak abstract different auth methods (LDAP, OAuth, SAML, ...) under a single system to provide SSO?
I was looking at Gluu, and under the hood it is an LDAP implementation, so I could imagine it could replace or interface with the current system. (I haven't looked into Keycloak but I guess it's a similar concept?)
So SSO/2FA with only OAuth on Cloudron is dead, but maybe Keycloak or Gluu is still something worth looking at?
-
@nebulon said in OAuth support:
It has drawbacks (lack of 2fa and real SSO)
Thank you for explaining the decision behind the decision, and I def agree with it. Ya know, is the LDAP protocol still being updated? Maybe it'll get 2FA. And as for "real SSO" - I'd kind of say it's real enough. Or when you say real, you mean, once you log in to Cloudron, if it was "real SSO" - you could click on a supported app and already be logged in? That... sounds technically feasible, but I'm just curious if that's what you meant by "real" (instead of just re-using the same credentials).
-
@Lonk LDAP is just a directory tool. You can use it today with 2FA by storing the TOTP info there, just like you would with any other database.
The difficulty is that the application must actually use that data.
Alternatives would be to use methods like a proxy where you authenticate with username and password+token rather than a third field for the token. This would allow implementing 2FA universally, though it is unintuitive to users.
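The two points in the post above, a TOTP secret stored in the directory next to the password hash and a proxy that accepts the token appended to the password field, can be shown in a few lines. The following is an added example, not Cloudron code and not something the poster wrote: a constructed directory entry (a dict standing in for an LDAP record with an extra attribute), an RFC 6238 TOTP implementation on top of RFC 4226 HOTP, and a verifier that splits the trailing six digits off the submitted password field. The user name, password and salt are constructed; the TOTP secret is the RFC 6238 reference-vector secret so the output can be checked against the published values.

```python
import hashlib
import hmac
import struct

TOTP_DIGITS = 6
TOTP_STEP = 30  # seconds per time step (RFC 6238 default)


def hotp(secret: bytes, counter: int, digits: int = TOTP_DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: int, step: int = TOTP_STEP) -> str:
    """RFC 6238: HOTP with the counter derived from Unix time."""
    return hotp(secret, now // step)


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def make_entry(username: str, password: str, totp_secret: bytes) -> dict:
    """Constructed stand-in for a directory record carrying a TOTP secret attribute."""
    salt = b"constructed-salt-" + username.encode()  # constructed; a real entry gets a random salt
    return {
        "uid": username,
        "salt": salt,
        "pw_hash": hash_password(password, salt),
        "totp_secret": totp_secret,
    }


def verify_combined(entry: dict, submitted: str, now: int, window: int = 1) -> bool:
    """Proxy-style check: the password field carries the password followed by the TOTP.

    The password is everything except the trailing TOTP_DIGITS characters, so a
    password that itself ends in digits is handled correctly. Adjacent time steps
    within `window` are accepted to tolerate clock skew; every comparison is
    constant-time.
    """
    if len(submitted) <= TOTP_DIGITS:
        return False
    password, token = submitted[:-TOTP_DIGITS], submitted[-TOTP_DIGITS:]
    pw_ok = hmac.compare_digest(hash_password(password, entry["salt"]), entry["pw_hash"])
    token_ok = False
    for k in range(-window, window + 1):
        expected = totp(entry["totp_secret"], now + k * TOTP_STEP)
        token_ok = hmac.compare_digest(expected, token) or token_ok
    return pw_ok and token_ok


if __name__ == "__main__":
    # RFC 6238 reference secret; at T=59 the SHA-1 TOTP is 94287082, i.e. "287082" at 6 digits
    secret = b"12345678901234567890"
    entry = make_entry("alice", "correct horse", secret)  # constructed user and password
    print(totp(secret, 59))
    print(verify_combined(entry, "correct horse" + totp(secret, 59), 59))
```

A real deployment would keep the TOTP secret in a dedicated, access-controlled attribute and would have to record used tokens to stop the same code being replayed within its validity window; the point here is only that the directory can hold the second factor and that a front proxy can enforce it without the application knowing.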