Allow external authentication? #489

Closed
dcode opened this issue Jan 31, 2020 · 15 comments
Assignees
Labels
area: auth extra: help wanted Extra attention is needed type: discussion General talk without any clear action

Comments

@dcode

dcode commented Jan 31, 2020

I've been looking around for a Reddit-like option for a self-hosted application. Lemmy looks like a great opportunity for what I need, especially with the RSS feeds.

That said, I need to be able to authenticate to an external resource so I can use the reverse proxy sitting in front of Lemmy to completely restrict access to the site until a user has authenticated with our SSO platform (could be JWT, OpenID, SAML, Basic Auth, whatev).

I think there's a couple of ways to implement this, but I'm not (yet) a Rust developer or I'd hack it in and do a PR.

  1. The simplest would be to allow a trusted header that would be set by the reverse proxy with the authenticated user ID (probably email address, but maybe username). The login process of lemmy would check if this header is set, and if so authenticate and set the jwt cookie appropriately.

  2. The reverse proxy could use middleware to authenticate the user and set a jwt token as an authorization header or maybe in the jwt cookie. Lemmy could check these two locations for a valid jwt token and authenticate the session, populating the rest of the cookie. This of course would mean that the jwt secret would be shared between the middleware and lemmy, allowing the signatures to validate.

Thanks for the consideration!
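The second option above relies on a JWT secret shared between the proxy middleware and Lemmy. The following is an added illustration of that exchange, not code from Lemmy or from this issue: the middleware mints an HS256 token after SSO succeeds, and the application side verifies it with the same secret, pinning the algorithm, comparing signatures in constant time, and checking expiry. The secret, claim names and TTL are constructed assumptions.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Assumption: one secret shared by the proxy middleware and the application.
SHARED_SECRET = b"constructed-demo-secret-replace-me"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(user_id: str, secret: bytes, ttl: int = 600, now: Optional[int] = None) -> str:
    """Middleware side: issue an HS256 JWT once the SSO platform has authenticated the user."""
    now = int(time.time()) if now is None else now
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    claims = _b64url(json.dumps({"sub": user_id, "iat": now, "exp": now + ttl}, separators=(",", ":")).encode())
    signing_input = f"{header}.{claims}"
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_token(token: str, secret: bytes, now: Optional[int] = None) -> Optional[dict]:
    """Application side: return the claims if the token is valid, otherwise None."""
    now = int(time.time()) if now is None else now
    try:
        h_b64, c_b64, s_b64 = token.split(".")
        header = json.loads(_b64url_decode(h_b64))
        claims = json.loads(_b64url_decode(c_b64))
        sig = _b64url_decode(s_b64)
    except (ValueError, json.JSONDecodeError):
        return None
    # Pin the algorithm: the token's own header must never choose it (rejects "none").
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(secret, f"{h_b64}.{c_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return None
    if not isinstance(claims.get("sub"), str) or not claims["sub"]:
        return None
    return claims
```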

@dessalines
Member

I'm sure some other people could chime in, because I don't know how the middle layer would function. But the easiest way would be to use the http API, and create a user with the correct user / pass, and it'll give you the auth / jwt token, which you can then pass to the user.

You might even be able to do the blocking with nginx, but I'm not too knowledgeable on how it would work. Lemmy itself uses no headers, just a single jwt / auth string, and all authenticated requests require the auth token which the front end pulls from your cookies.

@dessalines dessalines added extra: help wanted Extra attention is needed type: discussion General talk without any clear action labels Feb 3, 2020
@nikhiljha

Using SAML/OAuth/OpenID as an authentication mechanism and then issuing a token from Lemmy's side would be great too. This is how most apps I've deployed work. Alternatively, (a) requiring email confirmation and (b) requiring emails to be email@org.tld would work for a lot of orgs.

@dessalines
Member

I don't have time for this one in the near future, but if anyone wants to have a go at it, go right ahead.

@poVoq

poVoq commented Oct 27, 2020

Oauth2 / OpenID Connect is the way to go and would allow Lemmy to link to account providers like Gitea or Nextcloud easily.

There are some nice rust client libraries for it too.

@ccoenen

ccoenen commented Nov 28, 2020

@dessalines would you still be open to contributions regarding OAuth?

@dessalines
Member

Of course, I just personally don't have time to do them.

@decentral1se

If anyone makes a start at implementing this I'd gladly support with testing it!

@mogui

mogui commented May 24, 2022

Hi guys, I'll gladly help with this, since I need it bad.
But I don't know where to start to implement it. From what I see in the code there is no central place where auth is managed. Can someone point out to me how it could be achieved?

@dessalines
Member

Check out the get_local_user_from_jwt function for reading the auth from the requests, and the LocalUser::register function for creating users.

@mogui

mogui commented May 24, 2022

Thanks!
Ok to get the user from the request, but the point with an OAuth flow is that users are NOT registered; the entire login flow should change.
Going to the login endpoint should redirect to the OAuth provider. I think this is cross work with the UI?

@dessalines
Member

dessalines commented May 24, 2022

I'm not too familiar with oauth, but using a third party login still means that the first oauth request would have to create a lemmy account. No idea how that would work with registration applications and all that.

@mogui

mogui commented May 24, 2022

mmmh, I've never implemented such a flow, I have to think about how to do it.
Lemmy won't work without a proper Lemmy account entity in the db?

@dessalines
Member

Correct. You need to have an account.

I think ppl are talking about two different things here.

  • Implementing a Lemmy Oauth service, so that 3rd party apps can use that to get a JWT. IE for 3rd party lemmy apps.
  • Using other 3rd party Oauth services like google or github to create an account and log in to lemmy.

@erlend-sh

@dessalines
Member

Dupe of #2930, #1368

@dessalines dessalines closed this as not planned Won't fix, can't repro, duplicate, stale May 4, 2024