@jdaviescoates I took a quick look at some video tutorials, but I didn't see how Keycloak would be able to log the user into other applications without having said application specifically implementing the Keycloak integration.

You've already looked into it more than me. I guess Indiehosters have implemented Keycloak integration into the apps they've integrated in their Liiibre service (perhaps they maintain forks or something, or have contributed upstream).

@marcusquinn this is quite interesting, and definitely a way to go about this. Did you go through with this? Has it worked? One issue I see is that Bitwarden won't actually submit a login form for users, it will simply input the login credentials to the forms (unless I'm missing something?). Also, how are you automatically having Bitwarden do these actions on your behalf?

It's not SSO but the next best things with what's already available and wouldn't rely on any Apps supporting it as it would work with any kind of login method.

Perhaps Keycloak?

@jdaviescoates said in OAuth support:

I note that the lovely people at Indiehosters (all in French) have launched a new service called Liiibre which by default is a nicely integrated Nextcloud, OnlyOffice, Rocket.Chat, and Jitsi Meet.

And I read over on the Meet.coop forum that they are using Keycloak to power their SSO stuff, so that might be worth exploring.

Here is the relevant thread for info:
https://forum.meet.coop/t/hi-from-indiehosters-onboarding-process/343?u=jdaviescoates

But see especially this post:
https://forum.meet.coop/t/hi-from-indiehosters-onboarding-process/343/8?u=jdaviescoates

Edit: and looking back up the thread I see Keycloak has already been proposed/ discussed above too.

Unfortunately, without a browser plugin (that already has access to user's credentials, hence, Bitwarden) or without apps supporting something like OAuth or OpenID or SAML (requires individual development for each app), I don't know that this is possible.

I would also love to see this, even if it's just with some apps. I have very confused users who don't understand that they have to login everytime, but the password is synchronized. One pattern I've seen is for instance:

Forgot password for nextcloud, reset password. Oh, my rocketchat password doesn't work anymore, reset password. oh, my nextcloud password doesn't work anymore, reset password. Resulting in frustration and people not using the apps. With cloudron it's easy to install the applications, but now it becomes hard on the users

Some reading:
https://beyondcorp.com/

Something like https://github.com/vouch/vouch-proxy/ could then do the oauth part towards the cloudron user management.

This way, OAuth or SAML or whatever auth protocol you choose needs only be supported by the reverse proxy.

So far we were able to provide SSO for every application in our extranet.

Regarding the private apps, you can already set access controls for apps, but they will still be available publicly. For the moment this is likely out of scope for Cloudron. Not sure maybe this belongs to some VPN setup for organizations with this requirement?

Maybe there is a misunderstanding. For clarification:

Every app in our setup is theoretically accessible from the public internet. If the user is not authenticated and does not have rights to access the app, no HTTP traffic is getting through to the app. This improves security. The app is accessible from the public internet, but not directly exposed to it.

Regarding the private apps, you can already set access controls for apps, but they will still be available publicly. For the moment this is likely out of scope for Cloudron. Not sure maybe this belongs to some VPN setup for organizations with this requirement?