    Cloudron Forum
    OAuth support

    Announcements
    • girish
      girish Staff last edited by

      Hi All,
      We are looking into user roles/permissions for the coming release (for example, you can create a user who can invite other users but not administer other parts of cloudron). When we started investigating this, we found it will be simpler for us if we remove OAuth related support from code base.

      For some history, we started out with OAuth from day 1. This is because our vision was to have proper SSO across all apps. Unfortunately, OAuth always requires adding custom integration code into apps. We tried to upstream changes for every app but this was a lot of work and in many cases the PR just got rejected, or we didn't know the framework/language, or it just got caught in a lot of code review. We decided this wasn't worth it and went with LDAP which, unlike OAuth, most apps support and requires no upstream changes.

      Ultimately, none of our apps now use OAuth. It's been gone for 1.5 years now. Besides it looks like SAML is the future and does not require upstream changes for proper SSO. We will consider supporting SAML instead in a future release.

      Note that this upcoming change only affects those who have custom apps using oauth addon. If you are using Cloudron OAuth, please let us know and we can help you migrate.

      fbartels 1 Reply Last reply Reply Quote 5
      • fbartels
        fbartels App Dev @girish last edited by

        @girish said in OAuth support:

        Besides it looks like SAML is the future and does not require upstream changes for proper SSO. We will consider supporting SAML instead in a future release.

        SAML (while having support in enterprise environments) is not the future, it's the past as well. The future would be openid connect.

        W 1 Reply Last reply Reply Quote 2
        • W
          will @fbartels last edited by

          @fbartels Can you share more on your reasoning? I'm not as familiar with OpenID Connect.

          fbartels 1 Reply Last reply Reply Quote 0
          • girish
            girish Staff last edited by

            OpenID is great as well if apps support it. IIRC, it specifies the routes and fields that one has to return so it's more standardized.

            1 Reply Last reply Reply Quote 2
            • fbartels
              fbartels App Dev @will last edited by

              Hi @will,

              SAML is basically "old tech". It's XML based and requires clients to generate keys through openssl which makes it in my experience both complex and difficult to set up for novice admins and also implement for developers. Apart from that SAML only works for browser based workflows.

              Like I said before, the one thing SAML has going for it is that it's already well supported in enterprise applications. But I recently had a chat with someone involved in quite some university and government projects on the infrastructure side and he told me that he sees a trend to favour OIDC over SAML recently.

              An article with a comparison can be found at https://spin.atomicobject.com/2016/05/30/openid-oauth-saml/

              PS: with Kopano Meet there is actually already an OpenID Connect provider present on Cloudron as all authentication is done through OIDC in it. What we use there is Go and React, but I am confident that there is code to be reused for Node as well.

              W 1 Reply Last reply Reply Quote 6
              • W
                will @fbartels last edited by

                @fbartels Thanks for the thoughtful reply!

                1 Reply Last reply Reply Quote 0
                • iamthefij
                  iamthefij App Dev last edited by

                  It would seem that supporting Keycloak would be a great way to still only really have to maintain LDAP on the Cloudron side and then add support for OpenID Connect, OAuth 2.0 and SAML 2.0.

                  I've never set up Keycloak though, so I can't speak to its ease of use or maintenance, but it is often recommended when people talk about FOSS Identity and Access Management tools.

                  1 Reply Last reply Reply Quote 3
                  • girish
                    girish Staff last edited by girish

                    Keycloak is a really good idea, didn't think about that. By which, I mean if we could have apps that provide additional SAML/OIDC support to Cloudron, that is definitely way better than us re-inventing all this. Some of the universities Cloudron is deployed in use Shibboleth, which I am told supports LDAP and OAuth2.

                    1 Reply Last reply Reply Quote 4
                    • J
                      jk last edited by

                      I've wished for OAuth support quite a few times already to support SSO to non-Cloudron apps. So in that case, Cloudron would serve as the identity provider for a third-party app. Kind of like Login with Cloudron.

                      That would require that one can register third party apps with their client id, client secret and callback URL though.

                      I have a little bit of experience with Keycloak. I know that using Keycloak would (also) support this use case, provided a Cloudron user has access to the Keycloak administration interface.

                      iamthefij 1 Reply Last reply Reply Quote 2
                      • iamthefij
                        iamthefij App Dev @jk last edited by

                        @jk That actually used to be possible, but the OAuth provider is now gone.

                        Adding something like Keycloak or even Shibboleth would add back an OAuth provider.

                        1 Reply Last reply Reply Quote 2
                        • Lonkle
                          Lonkle last edited by

                          I know it's gonna be a long time away from adding a replacement to OAuth, but are there any alternatives that stand out now more than they did before? Or are we still looking for a solution that doesn't require upstream changes?

                          imc67 1 Reply Last reply Reply Quote 0
                          • imc67
                            imc67 translator @Lonkle last edited by

                            @Lonk @nebulon @girish indeed I’m also very curious for this, I think it would make Cloudron even more unique if you could click an app in your Dashboard and you’re “Cloudron-magically” logged in!

                            1 Reply Last reply Reply Quote 2
                            • girish
                              girish Staff last edited by

                              @imc67 @Lonk Nothing has changed and I don't expect it to either. Without upstream changes to apps, this is not possible. As far as I have noticed, most apps are not adding support for OAuth.

                              1 Reply Last reply Reply Quote 1
                              • jdaviescoates
                                jdaviescoates last edited by jdaviescoates

                                I note that the lovely people at Indiehosters (all in French) have launched a new service called Liiibre which by default is a nicely integrated Nextcloud, OnlyOffice, Rocket.Chat, and Jitsi Meet.

                                And I read over on the Meet.coop forum that they are using Keycloak to power their SSO stuff, so that might be worth exploring.

                                Here is the relevant thread for info:
                                https://forum.meet.coop/t/hi-from-indiehosters-onboarding-process/343?u=jdaviescoates

                                But see especially this post:
                                https://forum.meet.coop/t/hi-from-indiehosters-onboarding-process/343/8?u=jdaviescoates

                                Edit: and looking back up the thread I see Keycloak has already been proposed/discussed above too.

                                I use Cloudron with Gandi & Hetzner

                                1 Reply Last reply Reply Quote 1
                                • Lonkle
                                  Lonkle last edited by

                                  In summary, I am going to list all alternatives to OAuth that have been listed in this thread:

                                  • OpenID Connect
                                  • SAML
                                  • OAuth2 (a Sign in with Cloudron feature of some kind I think)
                                  • Liiibre
                                  • Keycloak

                                  Did I miss any of them?

                                  marcusquinn jdaviescoates 2 Replies Last reply Reply Quote 0
                                  • marcusquinn
                                    marcusquinn @Lonkle last edited by

                                    @Lonk Gluu perhaps?

                                    We're not here for a long time - but we are here for a good time :)
                                    Jersey/UK
                                    Work & Ecommerce Advice: https://brandlight.org
                                    Personal & Software Tips: https://marcusquinn.com

                                    1 Reply Last reply Reply Quote 0
                                    • jdaviescoates
                                      jdaviescoates @Lonkle last edited by

                                      @Lonk said in OAuth support:

                                      • Liiibre
                                      • Keycloak

                                      Liiibre is not an alternative to OAuth, it's the name of a service provided by Indiehosters, which uses Keycloak for SSO.

                                      I use Cloudron with Gandi & Hetzner

                                      1 Reply Last reply Reply Quote 1
                                      • Lonkle
                                        Lonkle last edited by

                                        Redoing the list. Thank you guys for your feedback:

                                        • OpenID Connect
                                        • SAML
                                        • OAuth2 (a Sign in with Cloudron feature of some kind I think)
                                        • Keycloak
                                        • Gluu

                                        Did I miss any others anyone can think of? Not thinking of trying to integrate this anytime soon, just want to talk about what's the future to be prepared for it.

                                        jdaviescoates 1 Reply Last reply Reply Quote 0
                                        • jdaviescoates
                                          jdaviescoates @Lonkle last edited by

                                          @Lonk said in OAuth support:

                                          • OAuth2 (a Sign in with Cloudron feature of some kind I think)

                                          I'm pretty sure OAuth2 is just version two of OAuth aka OAuth 2.0

                                          https://oauth.net/2/

                                          I use Cloudron with Gandi & Hetzner

                                          Lonkle 1 Reply Last reply Reply Quote 0
                                          • Lonkle
                                            Lonkle @jdaviescoates last edited by Lonkle

                                            @jdaviescoates said in OAuth support:

                                            @Lonk said in OAuth support:

                                            • OAuth2 (a Sign in with Cloudron feature of some kind I think)

                                            I'm pretty sure OAuth2 is just version two of OAuth aka OAuth 2.0

                                            https://oauth.net/2/

                                            It was added because it's one of the alternative solutions suggested in the comments; the "Sign in with Cloudron" suggestion would most likely be based on it and I was listing protocols. I can't remember who suggested it and I'm not voting for it, but I thought it deserved to be included with the list the community came up with. What do you think? 🤔

                                            1 Reply Last reply Reply Quote 0
                                            • mehdi
                                              mehdi App Dev last edited by mehdi

                                              Guys, this discussion is moot.

                                              The devs have already said that support for SSO is not happening in Cloudron until way more apps support it upstream, and it does not look like it's headed that way on the apps side.

                                              Like they said, Cloudron used to support SSO with OAuth2, but almost no app used it, so they removed it. They're not gonna implement other SSO protocols in cloudron when app support is also just as bad.

                                              Lonkle ruihildt 2 Replies Last reply Reply Quote 1
                                              • Lonkle
                                                Lonkle @mehdi last edited by Lonkle

                                                @mehdi Well, that's why I kept this conversation going. To see if it was pointless. I know that anything would need widespread upstream app support and adoption, and I was curious which one is winning the race, if anyone knew. Maybe none of them are.

                                                1 Reply Last reply Reply Quote 0
                                                • nebulon
                                                  nebulon Staff last edited by

                                                  Btw OAuth3 is around the corner and as far as I understood it won't help much in the mess OAuth generally has caused.

                                                  All OAuth versions are structurally not well suited for a use-case like Cloudron. The issue is that they have a central auth authority in mind (Google, Facebook, ...) whereas on Cloudron each Cloudron is its own authority, which leads to even more issues within app support. So this is one reason which led us to simply not pursuing this further.

                                                  To give more insight into our decision: LDAP won thus far. It has drawbacks (lack of 2FA and real SSO) but generally works well also with the applications' UI flows and is by far the most supported and standardized one.

                                                  Lonkle 1 Reply Last reply Reply Quote 1
                                                  • ruihildt
                                                    ruihildt @mehdi last edited by ruihildt

                                                    @mehdi Doesn't software like Gluu and Keycloak abstract different auth methods (LDAP, oauth, saml,...) under a single system to provide SSO?

                                                    I was looking at Gluu, and under the hood it is an LDAP implementation, so I could imagine it could replace or interface with the current system. (I haven't looked into Keycloak but I guess it's a similar concept?)

                                                    So SSO/2FA with only OAuth on Cloudron is dead, but maybe Keycloak or Gluu is still something worth looking at?

                                                    1 Reply Last reply Reply Quote 1
                                                    • Lonkle
                                                      Lonkle @nebulon last edited by

                                                      @nebulon said in OAuth support:

                                                      It has drawbacks (lack of 2fa and real SSO)

                                                      Thank you for explaining to me the decision behind the decision and I def agree with it.

                                                      Ya know, is the LDAP protocol still being updated? Maybe it'll get 2FA. And as for "real SSO" - I'd kind of say it's real enough. Or when you say real, you mean, once you login to Cloudron, if it was "real SSO" - you could click on a supported app and already be logged in? That...sounds technically feasible, but I'm just curious if that's what you meant by "real" (instead of just re-using the same credentials).

                                                      mehdi iamthefij 2 Replies Last reply Reply Quote 0
                                                      • mehdi
                                                        mehdi App Dev @Lonkle last edited by

                                                        @Lonk Yeah, that's it.

                                                        1 Reply Last reply Reply Quote 1
                                                        • iamthefij
                                                          iamthefij App Dev @Lonkle last edited by

                                                          @Lonk LDAP is just a directory tool. You can use it today with 2FA by storing the TOTP info there, just like you would with any other database.

                                                          The difficulty is that the application must actually use that data.

                                                          Alternatives would be to use methods like a proxy where you authenticate with username and password+token rather than a third field for token. This would allow implementing 2FA universally though it is unintuitive to users.

                                                          Lonkle 1 Reply Last reply Reply Quote 0
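A sketch of the password+token proxy check iamthefij describes above, added here as an example and not code from the thread or from Cloudron: the directory is a constructed in-memory stand-in for LDAP entries (attribute names are assumptions), and alice's TOTP secret is the RFC 6238 test-vector key.

```python
import base64
import hashlib
import hmac
import struct
import time

TOTP_DIGITS = 6
TOTP_STEP = 30


def hash_password(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256, the stored form in the constructed directory below."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed in-memory stand-in for LDAP entries (attribute names are
# assumptions, not Cloudron's schema). alice's TOTP secret is the RFC 6238
# test-vector key "12345678901234567890" in base32; bob has no second factor.
DIRECTORY = {
    "alice": {
        "salt": b"alice-salt",
        "password_hash": hash_password("correct horse", b"alice-salt"),
        "totp_secret": "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ",
    },
    "bob": {
        "salt": b"bob-salt",
        "password_hash": hash_password("bobpass", b"bob-salt"),
        "totp_secret": None,
    },
}


def totp(secret_b32: str, unix_time: int, digits: int = TOTP_DIGITS) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, 30 s steps) for the given Unix time."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    counter = int(unix_time) // TOTP_STEP
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def split_credential(submitted: str, has_totp: bool):
    """password+token convention: the trailing TOTP_DIGITS digits are the code.
    Returns (password, token); (None, None) if the shape is wrong."""
    if not has_totp:
        return submitted, None
    if len(submitted) <= TOTP_DIGITS or not submitted[-TOTP_DIGITS:].isdigit():
        return None, None
    return submitted[:-TOTP_DIGITS], submitted[-TOTP_DIGITS:]


def verify(username: str, submitted: str, now=None, window: int = 1) -> bool:
    """The check a front proxy would run before forwarding to the app."""
    now = int(time.time()) if now is None else int(now)
    entry = DIRECTORY.get(username)
    if entry is None:
        hash_password(submitted, b"dummy-salt")  # keep timing similar for unknown users
        return False
    password, token = split_credential(submitted, entry["totp_secret"] is not None)
    if password is None:
        return False
    password_ok = hmac.compare_digest(
        hash_password(password, entry["salt"]), entry["password_hash"])
    if entry["totp_secret"] is None:
        return password_ok
    # Accept neighbouring time steps to tolerate clock skew; no early exit so
    # the password and the code are always both checked.
    token_ok = False
    for delta in range(-window, window + 1):
        expected = totp(entry["totp_secret"], now + delta * TOTP_STEP)
        token_ok = hmac.compare_digest(expected, token) or token_ok
    return password_ok and token_ok
```

A real proxy would additionally remember codes already accepted in the current step (replay) and rate-limit attempts the way an LDAP bind normally would.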
                                                          • Lonkle
                                                            Lonkle @iamthefij last edited by

                                                            @iamthefij said in OAuth support:

                                                            @Lonk LDAP is just a directory tool. You can use it today with 2FA by storing the TOTP info there, just like you would with any other database.

                                                            The difficulty is that the application must actually use that data.

                                                            Alternatives would be to use methods like a proxy where you authenticate with username and password+token rather than a third field for token. This would allow implementing 2FA universally though it is unintuitive to users.

                                                            Oh, I'm quite new to this. I thought the original goal for Oauth was to accomplish SSO and LDAP is like half-SSO but mostly compatible (you just have to login again with the same credentials). I know also 2FA was a factor, in fact, you can enable it for Cloudron users rn so it's in the user DB which means it may already be available to re-use. I wonder if I should include support for the TOTP in my small PHP Cloudron-LDAP library I'm making.

                                                            1 Reply Last reply Reply Quote 0
                                                            • Lonkle
                                                              Lonkle last edited by

                                                              Found another technology that is interesting in this realm. Not useful for Cloudron but I hope these types of protocols keep growing:

                                                              • Jamf Connect

                                                              1 Reply Last reply Reply Quote 0
                                                              • M
                                                                malvim last edited by

                                                                I understand VERY LITTLE about this, and not sure this question even makes sense in this thread, but I'll shoot my shot anyway:

                                                                Would it make sense maybe to make Cloudron a "proper" OpenID provider, backed by its LDAP directory, so we could maybe sign into third-party apps that support OpenID with our cloudron identities?

                                                                I think like @nebulon said most apps nowadays are settling for google/facebook/github authentication, but maybe, just maybe, as people get more concerned about privacy, we can push to go (back) towards a decentralized identity kind of thing?

                                                                <old-man rant>
                                                                Sad how for a while, a decade or two back, we had this thriving hivemind of how the internet would empower us and build decentralized everything, and then all of a sudden we let a few big companies just commodify our identities and sell us as products with no regard for our privacy.
                                                                </rant>

                                                                Sorry about the last paragraph, but what do you guys think about being an openid provider and stuff? 🙂

                                                                marcusquinn Lonkle 2 Replies Last reply Reply Quote 4
                                                                • marcusquinn
                                                                  marcusquinn @malvim last edited by

                                                                  @malvim exactly this ☝

                                                                  We're not here for a long time - but we are here for a good time :)
                                                                  Jersey/UK
                                                                  Work & Ecommerce Advice: https://brandlight.org
                                                                  Personal & Software Tips: https://marcusquinn.com

                                                                  1 Reply Last reply Reply Quote 1
                                                                  • fbartels
                                                                    fbartels App Dev last edited by

                                                                    Fyi: the Kopano Meet app includes an openid connect provider (no 2fa in Konnect as of yet, but webauthn is one of the next milestones). I have written about that in https://forum.cloudron.io/topic/2368/

                                                                    1 Reply Last reply Reply Quote 0
                                                                    • Lonkle
                                                                      Lonkle @malvim last edited by

                                                                      @malvim I think that’s the perfect middle ground for this situation. Thank you for outlining it so well. ☺️

                                                                      1 Reply Last reply Reply Quote 0
                                                                      • rmdes
                                                                        rmdes last edited by

                                                                        Since we're in it, worth having a look at the future here: IndieAuth
                                                                        Specs: https://indieauth.net/
                                                                        Try it: https://indieauth.com/
                                                                        My blog supports IndieWeb blocks by design so I can already log in to a bunch of sites with my own identity. There are also IndieWeb pack plugins for WordPress/Drupal. I hope IndieAuth will catch up and become a universal decentralized method to handle identity on the web.

                                                                        Lonkle 1 Reply Last reply Reply Quote 1
                                                                        • Lonkle
                                                                          Lonkle @rmdes last edited by

                                                                          @rmdes Thanks so much for posting about this. Decentralized SSO is probably all of our dreams. 😂

                                                                          1 Reply Last reply Reply Quote 1