Alternative to "oauth proxy"?



  • I wanted to look into packaging https://forum.cloudron.io/topic/1438/cloud-torrent, but the program itself only offers auth through a single username:password combination passed as an env variable and therefore was looking into ways to put auth into the nginx reverse proxy.

    https://cloudron.io/developer/packaging/ still refers to the following:

    For apps that have no user management at all, the Cloudron implements an OAuth proxy that optionally lets the Cloudron admin make the app visible only for logged in users.

    but searching for more references to it ends up at a GitLab ticket that states that it was removed.

    Are there any alternatives to it?



  • That is correct, it was removed altogether. It was too confusing to users, as the oauth view put a non-app ui in front and it was not clear for users without explanation. We have to fix up that documentation piece, thanks for the hint.

    There is also no alternative without patching the app or contributing some kind of login view upstream. For which we prefer LDAP over OAuth for the same reason, to not have those browser redirect hops.



  • Hi @nebulon ,

    ok was already expecting something like this. I'd have to argue that the "browser redirect hops" are something that most users will probably be accustomed to by now as this is the same as all the "login with facebook", "login with google" and "login with github" buttons all over the web. But of course ldap has its benefits as well.

    I meanwhile started working to include oauth2_proxy into my take on cloud torrent. Will probably continue next weekend.



  • You probably know this... but we started with OAuth integration in all our apps. Over time, we gave up on that since it is far too hard to integrate OAuth into each and every app. Given that OAuth is not really a "standard", we had to create Cloudron OAuth specific patches for each app. And then we have to fight hard with each upstream project to get Cloudron OAuth code merged. Just too much trouble and we felt we cannot win on our own :(



  • @girish said in Alternative to "oauth proxy"?:

    we felt we cannot win on our own :(

    yes, the world would be a better place if all applications would properly support oauth2 or even better openid connect. I will anyways first give https://github.com/bitly/oauth2_proxy a try and if that does not work I'll configure mod_authnz_ldap in the apache bundled in the base image.