Shared Authentication between Apps
-
@murgero said in Shared Authentication between Apps:
@briankb-0 Cloudron uses SSO (kind of, with LDAP) and the apps you listed should all be able to use that authentication. LDAP is shared on all apps that support it.,
Yes, indeed, however in such case all these users must be registered in the actual Cloudron instance first, and that could become nightmarish depending on the amount of users to be registered. Unless there exist a way to bulk register users on a CR instance.
-
@micmc said in Shared Authentication between Apps:
Unless there exist a way to bulk register users on a CR instance.
You can import users, see:
https://docs.cloudron.io/user-management/#import-usersAlso relevant to this thread:
https://docs.cloudron.io/user-management/#external-directory -
@briankb-0 said in Shared Authentication between Apps:
I would like to have one user/member database that handles authentication between the various apps.
Cloudron does that great with LDAP as @murgero mentioned.
I really think your simplest solution is to make Cloudron the one user/member database.
Saying that, I think this might also be another use case for a User Registration App or some other solution that lets people self-register on your Cloudron rather than Admins having to create or import them.
Here's my post about that from yonks about. I'd still love a simple way to allow for Open Registration on my Cloudron:
-
@jdaviescoates I'd much rather have a User Registration App as you described that using LDAP or even touching the user auth for cloudron itself.
-
@briankb-0 out of interest, may I ask why? I guess maybe just because Ghost doesn't have LDAP yet?
-
@jdaviescoates That's a good reason but more so I don't like the idea of sharing the authentication that controls the server or access to the server with any apps or a website's userbase.
-
@briankb-0 I'm no security expert, and perhaps I'm being security naive, but Cloudron users can't control nor access the server in any way really. They can only access the apps they have access to.
And I think because all the apps are in their own containers, even if they compromise one, my understanding is that they can't from within that container do anything anywhere else, see:
https://docs.cloudron.io/security/#app-isolation-and-sandboxingMore on Cloudron security here:
https://docs.cloudron.io/security/ -
@jdaviescoates I will read up on cloudron auth.
regardless Ghost is almost "locked down" for external auth. I don't know why but all of my research the past few days show the request for oAuth going back to before v1 and in v4.7 (as of today) they still don't support it fully or even officially. It's stupid.
They SHOULD turn their amazing blog engine into a full CMS with robust authentication, isolating auth so you can use it however you need. I read up on running Ghost as a "HEADLESS CMS" but that's not what I want it for, doing so requires you to handle all the front end and theming. To me that defeats the purpose of Ghost. But I'm still just beginning to understand Ghost and the other apps so maybe I will find a way.
-
@jdaviescoates Cloudron security sounds very well thought out and just what I need. I will continue to read and try to understand how to implement.
Does anyone know if Ghost support LDAP or is there a work around so Ghost will use Cloudron user auth?
-
@briankb-0 said in Shared Authentication between Apps:
Does anyone know if Ghost support LDAP
I just had a little search around and it doesn't seem it does
There was this https://github.com/TryGhost/passport-ghost but it's not been updated in years and is not just a read only archive
See also:
https://forum.ghost.org/t/sso-and-or-ldap-login-for-ghost/10016
https://forum.ghost.org/t/auth-via-ldap-or-oauth/1767
https://forum.ghost.org/t/put-ghost-behind-a-login/1433/3That last post made me think that perhaps Cloudron's ProxyAuth addon could be optionally added to Ghost and that could maybe work somehow (I'm not really sure how though, because you still wouldn't actually be logged into Ghost)
-
@jdaviescoates said in Shared Authentication between Apps:
@briankb-0 I'm no security expert, and perhaps I'm being security naive, but Cloudron users can't control nor access the server in any way really. They can only access the apps they have access to.
This is correct. Cloudron users do not have access to the server. With 'User' role, all one can do is to login to the dashboard, change their name/password and then click on apps to access. They can't configure or manage apps. Only 'Admin' role can manage apps.
'Owner' is "assumed" to have access to the server. There is no way to access the server from the dashboard though, neither do we have a mechanism to give 'Owner' access to the server. They have to have ssh keys (this is intentionally kept outside cloudron scope).
-
@briankb-0 said in Shared Authentication between Apps:
Does anyone know if Ghost support LDAP or is there a work around so Ghost will use Cloudron user auth?
From what I recall many years ago, they were not going to add LDAP. Maybe check in their forum (https://forum.ghost.org/) if that has changed.
-
@jdaviescoates said in Shared Authentication between Apps:
@micmc said in Shared Authentication between Apps:
Unless there exist a way to bulk register users on a CR instance.
You can import users, see:
https://docs.cloudron.io/user-management/#import-usersAlso relevant to this thread:
https://docs.cloudron.io/user-management/#external-directoryThere you go, thanks that's great!
-
@jdaviescoates said in Shared Authentication between Apps:
I'd still love a simple way to allow for Open Registration on my Cloudron:
I agree that would be great also.