[FEATURE_REQUEST] support standard openId-connect for authentication

[maxisam]

Is your feature request related to a problem? If so, please describe.

Spining up a keycloak is really heavy. Dex is much light weight for most of use cases.

And OIDC/oAuth2 is a well known protocol. With this, you can use keycloak/AzureAd/Google/...

From architecture stand point, it makes more sense to support it.

Describe the solution you'd like

I think we can use a library like https://github.com/authts/oidc-client-ts to do this.

Priority

Medium (Would be very useful)

Is this something you would be keen to implement

Maybe

GitHub - authts/oidc-client-ts: OpenID Connect (OIDC) and OAuth2 protocol support for browser-based JavaScript applications

OpenID Connect (OIDC) and OAuth2 protocol support for browser-based JavaScript applications - GitHub - authts/oidc-client-ts: OpenID Connect (OIDC) and OAuth2 protocol support for browser-based Jav...

[liss-bot]

This issue has gone 6 weeks without an update. To keep the ticket open, please indicate that it is still relevant in a comment below. Otherwise it will be closed in 5 working days.

[ToshY]

Definitely still relevant 😄

[Lissy93]

/keep-open

[schewara]

I totally agree with @maxisam

Switching from Keycloak to a general oidc/oauth2 solution would allow out of the box integration of most Identity Providers out there, like Authentik, Authelia, ORY Hydra, Zitadel, WSO2, Okta, Auth0, many many more and of course Keycloak as well.

[hooray4me]

Agree!

[obsidiangroup]

This is a feature that I would love to see implemented. @Lissy93 has mentioned in other issues that integrating Authentik was not on the road-map, which is perfectly fine. You are correct, there are so many different solutions out there. But supporting a standard like OIDC or SAML would let the software not be dependent on any specific IDP. Unless you are using Keycloak for complete user management, then supporting OIDC/SAML should not be a major problem. Granted, I have not looked at any code.

[FieldofClay]

+1 for this feature.
Also, maybe header authentication could be implemented as a lower effort, similar value option? Have Dashy grab user/group info from headers, instead of internal authentication, then use the same configuration options to show/hide sections etc.

[sargonas]

as an authelia user, a +1 from me to, to simply these types of integrations via OIDC!

[joshp23]

I moved from Keycloak to Authentik and would very much appreciate a generic OIDC implementation.

[Ryamonster10]

Another +1 for OIDC connectivity. I use ADFS for all my services and it would be much easier to tie this directly into ADFS than what I am doing now which is this to key-cloak to ADFS.

[hdlineage]

+1 for this. OIDC support would make Dashy standout from the rest.

[appiekap653]

+1 for this. Generic standards like openID-connect or SAML or even header-authentication will make it usable with almost every idp+authentication platform you can imagine. No need to create code for every provider there is. only need to code it once with the support for those generic standards and you are done for all those providers.

[AutoGitr]

+1 once more. This would be an excellent improvement to Dashy and truly make it a modern dashboard.

[Itay1787]

+1 As an authentik user, is there currently a way to connect authentik?

[ToshY]

+1 As an authentik user, is there currently a way to connect authentik?

Not with Dashy directly, as there is currently no generic OIDC implementation.

_{You could however create an OAuth2 provider in Authentik and use oauth2-proxy instead.}

[Lockszmith-GH]

You could however create an OAuth2 provider in Authentik and use oauth2-proxy instead.

You'll need that with Authy maybe, but authentik has it's own proxy implementation, no need for another part.

The reason people want this here, is to be able to use SSO for different users, something the proxy doesn't solve. The proxy only provides an open/close gate.

[TheRealGramdalf]

Is this planned as part of v3? OIDC would be the cherry on top for this already amazing program.

[vgwizardx]

So if you are using Cloudflare Zero Trust Tunnels you can add SSO to Dashy and other selfhosted apps using this method. https://blog.wains.be/2023/2023-01-07-cloudflare-zero-trust-authentik/. I found this really easy to setup especially if you are already using tunnels.

Single Sign On with Authentik for your services behind Cloudflare zero trust

My notes about open source stuff.

[Ryamonster10]

That’s great, but it doesn’t provide per user permissions, just page protection, and you still have to deal with double authentication which means two passwords to keep up and you can’t only have some thing assigned to some people.

…

On Fri, Mar 1, 2024 at 15:27 Joseph Washington Jr ***@***.***> wrote: So if you are using Cloudflare Zero Trust Tunnels you can add SSO to Dashy and other selfhosted apps using this method. <https://blog.wains.be/2023/2023-01-07-cloudflare-zero-trust-authentik/> https://blog.wains.be/2023/2023-01-07-cloudflare-zero-trust-authentik/. I found this really easy to setup especially if you are already using tunnels. * Single Sign On with Authentik for your services behind Cloudflare zero trust <https://blog.wains.be/2023/2023-01-07-cloudflare-zero-trust-authentik/> * My notes about open source stuff. — Reply to this email directly, view it on GitHub <#823 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AKXPDC42W4CIKHTIJA7ZU33YWDQDPAVCNFSM55BSDANKU5DIOJSWCZC7NNSXTN2JONZXKZKDN5WW2ZLOOQ5TCOJXGM4DMNZYGIYQ> . You are receiving this because you commented.Message ID: ***@***.***>

[vgwizardx]

That’s great, but it doesn’t provide per user permissions, just page protection, and you still have to deal with double authentication which means two passwords to keep up and you can’t only have some thing assigned to some people.
…
On Fri, Mar 1, 2024 at 15:27 Joseph Washington Jr @.> wrote: So if you are using Cloudflare Zero Trust Tunnels you can add SSO to Dashy and other selfhosted apps using this method. https://blog.wains.be/2023/2023-01-07-cloudflare-zero-trust-authentik/ https://blog.wains.be/2023/2023-01-07-cloudflare-zero-trust-authentik/. I found this really easy to setup especially if you are already using tunnels. * Single Sign On with Authentik for your services behind Cloudflare zero trust https://blog.wains.be/2023/2023-01-07-cloudflare-zero-trust-authentik/ * My notes about open source stuff. — Reply to this email directly, view it on GitHub <#823 (comment)>, or unsubscribe https://github.com/notifications/unsubscribe-auth/AKXPDC42W4CIKHTIJA7ZU33YWDQDPAVCNFSM55BSDANKU5DIOJSWCZC7NNSXTN2JONZXKZKDN5WW2ZLOOQ5TCOJXGM4DMNZYGIYQ . You are receiving this because you commented.Message ID: @.>

No, it's not perfect, but I just set up one admin and a guest account. It would be nice to have everything. But hey, this is good enough for me for now.

Single Sign On with Authentik for your services behind Cloudflare zero trust

My notes about open source stuff.

Build software better, together

GitHub is where people build software. More than 100 million people use GitHub to discover, fork, and contribute to over 420 million projects.

[vgwizardx]

So I was looking at Audiobookshelf and noticed they do have OIDC implementation. I might fork this and use their implementation as a guide to learn how to set it up on Dashy. I will update if I decided to give it a shot. Anyone else want to look into it. https://github.com/advplyr/audiobookshelf/blob/master/client/pages/config/authentication.vue

audiobookshelf/client/pages/config/authentication.vue at master · advplyr/audiobookshelf

Self-hosted audiobook and podcast server. Contribute to advplyr/audiobookshelf development by creating an account on GitHub.

[rxunique]

+1 I just went through the journey but hit a wall with keycloak group and role doesn't work in dashy as expected.

Wish there's authentik integration with per user permission via OIDC

[twsouthwick]

FYI - I got an implementation of it in #1573 that I'd appreciate any thoughts on :)

[Lissy93]

Thanks so much @twsouthwick
Looks awesome, merged!