Cloudron makes it easy to run web apps like WordPress, Nextcloud, GitLab on your server. Find out more or install now.


  • Categories
  • Recent
  • Tags
  • Popular
  • Bookmarks
Skins
  • Light
  • Cerulean
  • Cosmo
  • Flatly
  • Journal
  • Litera
  • Lumen
  • Lux
  • Materia
  • Minty
  • Morph
  • Pulse
  • Sandstone
  • Simplex
  • Sketchy
  • Spacelab
  • United
  • Yeti
  • Zephyr
  • Dark
  • Cyborg
  • Darkly
  • Quartz
  • Slate
  • Solar
  • Superhero
  • Vapor

  • Default (No Skin)
  • No Skin
Collapse

Cloudron Forum

Apps | Demo | Docs | Install

OAuth support

Scheduled Pinned Locked Moved Announcements
35 Posts 14 Posters 1.8k Views
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
Reply
  • Reply as topic
Log in to reply
This topic has been deleted. Only users with topic management privileges can see it.
  • jdaviescoatesJ Online
    jdaviescoatesJ Online
    jdaviescoates
    replied to Lonkle on last edited by
    #19

    @Lonk said in OAuth support:

    • OAuth2 (a Sign in with Cloudron feature of some kind I think)

    I'm pretty sure OAuth2 is just version two of OAuth aka OAuth 2.0

    https://oauth.net/2/

    I use Cloudron with Gandi & Hetzner

    LonkleL 1 Reply Last reply
    0
  • LonkleL Offline
    LonkleL Offline
    Lonkle
    replied to jdaviescoates on last edited by Lonkle
    #20

    @jdaviescoates said in OAuth support:

    @Lonk said in OAuth support:

    • OAuth2 (a Sign in with Cloudron feature of some kind I think)

    I'm pretty sure OAuth2 is just version two of OAuth aka OAuth 2.0

    https://oauth.net/2/

    It'd added because it's one of the alternative solutions suggested in the comments, the "Sign in with Cloudron" suggestion would most likely be based on it and I was listing protocols. I can't remember who suggested it and I'm not voting for it but I thought it deserved to be included with the list the community came up with. What do you think? 🤔

    1 Reply Last reply
    0
  • mehdiM Offline
    mehdiM Offline
    mehdi App Dev
    wrote on last edited by mehdi
    #21

    Guys, this discussion is moot.

    The devs have already said that support for SSO is not happening in Cloudron until way more apps support it upstream, and it does not look like it's headed that way on the apps side.

    Like they said, Cloudron used to support SSO with OAuth2, but almost no app used it, so they removed it. They're not gonna implement other SSO protocols in cloudron when app support is also just as bad.

    LonkleL ruihildtR 2 Replies Last reply
    1
  • LonkleL Offline
    LonkleL Offline
    Lonkle
    replied to mehdi on last edited by Lonkle
    #22

    @mehdi Well, that’s why I kept this conversation going. To see if it was pointless. I know that anything would need widespread app support upstream adoption and I was curious which ones winning the race, if anyone knew. Maybe none of them are.

    1 Reply Last reply
    0
  • nebulonN Online
    nebulonN Online
    nebulon Staff
    wrote on last edited by
    #23

    Btw OAuth3 is around the corner and as far as I understood it wont help much in the mess OAuth generally has caused.

    All OAuth versions are structurally not well suited for a use-case like Cloudron. The issue is, that they have a central auth authority in mind (google, facebook, ...) where on Cloudron each Cloudron is its own authority, which leads to even more issues within app support. So this is one reason which led us to simply not pursuing this further.

    To give more insight into our decision: LDAP won thus far. It has drawbacks (lack of 2fa and real SSO) but generally works well also with the applications UI flows and is by far the most supported and standardized one.

    LonkleL 1 Reply Last reply
    1
  • ruihildtR Offline
    ruihildtR Offline
    ruihildt
    replied to mehdi on last edited by ruihildt
    #24

    @mehdi Doesn't software like Gluu and Keycloak abstract different auth methods (LDAP, oauth, saml,...) under a single system to provide SSO?

    I was looking at Gluu, and under the hood it is a LDAP implementation, so I could imagine it could replace or interface with the current system. (I haven't looked into Keycloak but I guess it's a similar concept?)

    So SSO/2FA with only oauth on cloudron is dead but maybe Keycloak or Gluu is still something worth to be looked at?

    1 Reply Last reply
    1
  • LonkleL Offline
    LonkleL Offline
    Lonkle
    replied to nebulon on last edited by
    #25

    @nebulon said in OAuth support:

    . It has drawbacks (lack of 2fa and real SSO)
    Thank you for explaining to me the decision behind the decision and I def agree with it.

    Ya know, is the LDAP protocol still being updated? Maybe it'll get 2FA. And as for "real SSO" - I'd kind of say it's real enough. Or when you say real, you mean, once you login to Cloudron, if it was "real SSO" - you could click on a supported app and already be logged in? That...sounds technically feasible, but I'm just curious if that's what you meant by "real" (instead of just re-using the same credentials).

    mehdiM iamthefijI 2 Replies Last reply
    0
  • mehdiM Offline
    mehdiM Offline
    mehdi App Dev
    replied to Lonkle on last edited by
    #26

    @Lonk Yeah, that's it.

    1 Reply Last reply
    1
  • iamthefijI Offline
    iamthefijI Offline
    iamthefij App Dev
    replied to Lonkle on last edited by
    #27

    @Lonk LDAP is just a directory tool. You can use it today with 2FA by storing the TOTP info there, just like you would with any other database.

    The difficulty is that the application must actually use that data.

    Alternatives would be to use methods like a proxy where you authenticate with username and password+token rather than a third field for token. This would allow implementing 2FA universally though it is unintuitive to users.

    LonkleL 1 Reply Last reply
    0
  • LonkleL Offline
    LonkleL Offline
    Lonkle
    replied to iamthefij on last edited by
    #28

    @iamthefij said in OAuth support:

    @Lonk LDAP is just a directory tool. You can use it today with 2FA by storing the TOTP info there, just like you would with any other database.

    The difficulty is that the application must actually use that data.

    Alternatives would be to use methods like a proxy where you authenticate with username and password+token rather than a third field for token. This would allow implementing 2FA universally though it is unintuitive to users.

    Oh, I'm quite new to this. I thought the original goal for Oauth was to accomplish SSO and LDAP is like half-SSO but mostly compatible (you just have to login again with the same credentials). I know also 2FA was a factor, in fact, you can enable it for Cloudron users rn so it's in the user DB which means it may already be available to re-use. I wonder if I should include support for the TOTP in my small PHP Cloudron-LDAP library I'm making.

    1 Reply Last reply
    0
  • LonkleL Offline
    LonkleL Offline
    Lonkle
    wrote on last edited by
    #29

    Found another technology that is interesting in this realm. Not useful for Cloudron but I hope these types of protocols keeps growing:

    • Jamf Connect

    1 Reply Last reply
    0
  • M Offline
    M Offline
    malvim
    wrote on last edited by
    #30

    I understand VERY LITTLE about this, and not sure this question even makes sense in this thread, but I'll shoot my shot anyway:

    Would it make sense maybe to make Cloudron a "proper" OpenID provider, backed by its LDAP directory, so we could maybe sign into third-party apps that support OpenID with our cloudron identities?

    I think like @nebulon said most apps nowadays are settling for google/facebook/github authentication, but maybe, just maybe, as people get more concerned about privacy, we can push to go (back) towards a decentralized identity kind of thing?

    <old-man rant>
    Sad how for a while, a decade or two back, we had this thriving hivemind of how the internet would empower us and build decentralized everything, and then all of a sudden we let a few big companies just commodify our identities and sell us as products with no regard for our privacy.
    </rant>

    Sorry about the last paragraph, but what do you guys think about being an openid provider and stuff? 🙂

    marcusquinnM LonkleL 2 Replies Last reply
    4
  • marcusquinnM Offline
    marcusquinnM Offline
    marcusquinn
    replied to malvim on last edited by
    #31

    @malvim exactly this ☝

    We're not here for a long time - but we are here for a good time :)
    Jersey/UK
    Work & Ecommerce Advice: https://brandlight.org
    Personal & Software Tips: https://marcusquinn.com

    1 Reply Last reply
    1
  • fbartelsF Offline
    fbartelsF Offline
    fbartels App Dev
    wrote on last edited by
    #32

    Fyi: the Kopano Meet app includes an openid connect provider (no 2fa in Konnect as of yet, but webauthn is one of the next milestones). I have written about that in https://forum.cloudron.io/topic/2368/

    1 Reply Last reply
    0
  • LonkleL Offline
    LonkleL Offline
    Lonkle
    replied to malvim on last edited by
    #33

    @malvim I think that’s the perfect middle ground for this situation. Thank you for outlining it so well. ☺️

    1 Reply Last reply
    0
  • rmdesR Offline
    rmdesR Offline
    rmdes
    wrote on last edited by
    #34

    Since we're in it, worth having a look at the future here : IndieAuth
    specs : https://indieauth.net/
    Try it : https://indieauth.com/
    my blog support indieweb blocks by design so I can already login to a bunch of sites with my own identity, there is also indieweb pack plugins for wordpress/drupal, I hope Indieauth will catch up and become a universal decentralized method to handle identity on the web.

    LonkleL 1 Reply Last reply
    1
  • LonkleL Offline
    LonkleL Offline
    Lonkle
    replied to rmdes on last edited by
    #35

    @rmdes Thanks so much for posting about this SSO decentralized is probably all of our dreams. 😂

    1 Reply Last reply
    1
  • infogulchI infogulch referenced this topic on

  • Login

  • Don't have an account? Register

  • Login or register to search.
  • First post
    Last post
0
  • Categories
  • Recent
  • Tags
  • Popular
  • Bookmarks
  • Login

  • Don't have an account? Register

  • Login or register to search.