Explore self-hosted OAuth provider

[billimek]

The Auth0 implementation is cloud-based and I want to see something self-hosted that will work better in 'offline' scenarios.

[echel0n]

KeyCloak has offline tokens and can be self-hosted.

[billimek]

Thanks @echel0n! Will take a look at the helm chart.

[billimek]

Some references:

• https://github.com/ibuetler/docker-keycloak-traefik-workshop
• Authentication middleware traefik/traefik#593

[billimek]

See also authelia: repo: https://github.com/clems4ever/authelia

[echel0n]

Keycloak is scalable as well but takes a bit to get that setup, never tried Authelia but looks interesting, I just know when it comes to open source IDPs Keycloak seems to always come up and its easier to find info with integration.

[echel0n]

Another option would be auth0.com, they offer 100% free wide-open service for open source projects as well, it would be hosted by them but in the case of auth that might not be a bad thing if you want to avoid downtime due to an outage depending on how you hook into the IDP.

[blackjid]

Would ouath2_proxy be an alternative to cover this need?? https://github.com/pusher/oauth2_proxy

[echel0n]

Keycloak also allows using 3rd party IDPs to auth against such as google and AWS, its really a matter of do you want to be you're own IDP or do you want to just proxy the requests.

[billimek]

If sticking with cloud-based (Auth0), now that nginx is being used, will likely deploy something like:

• oauth2-proxy helm chart
• configure oauth2-proxy to leverage auth0 with something like this example
• annotate ingress objects with something like,

nginx.ingress.kubernetes.io/auth-url: "https://example.com/oauth2/auth"
nginx.ingress.kubernetes.io/auth-signin: "https://example.com/oauth2/start?rd=/redirect/$http_host$request_uri"

[billimek]

Deployed oauth2-proxy configured to use auth0: https://github.com/billimek/k8s-gitops/tree/master/kube-system/oauth2-proxy

[carpenike]

I’m in the process of moving to KeyCloak with a sidecar injector for KeyCloak-Gateway (Stakater). So far it’s looking promising. Allows for 100% on prem federated logins.

Only negative I’ve found thus far is that the sidecar injector requires Deployment annotations. Most of the available helm charts don’t allow for specifying deployment annotations OOB.

[billimek]

Interesting, you need to run keycloak sidecards on all of the target workloads doing auth? I was hoping it could be used as a 'central' replacement for something like auth0.

[carpenike]

Keycloak would be run as the central Auth0 replacement. Sidecars are functionally replacing them NGINX annotations that forward the client to oauth proxy for Auth. Also allows for a bit more granularity in rules. For instance, on Sonarr/Radar I can have the /api path allowed without Auth because it’s protected by API keys but require everything else be authd first.

Sidecars are also workload configurable. For services like Grafana which can directly federate with oauth providers I don’t deploy a sidecar.

[billimek]

Also take a look at https://github.com/travisghansen/external-auth-server

[blackjid]

That looks great

…

On Sat, Jan 16, 2021, 10:14 AM Jeff Billimek ***@***.***> wrote: Also take a look at https://github.com/travisghansen/external-auth-server — You are receiving this because you commented. Reply to this email directly, view it on GitHub <#36 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AABXVRIQFEWQRTNNMUGCBWLS2GGM5ANCNFSM4HPWVZ6Q> .

[echel0n]

I would suggest using bitnami's gatekeeper helm chart instead, more up to date I found, even their helm chart is decent for keycloak as well.

I've also got keycloak + kube apiserver dialed in so I can use it to protect the kubernetes dashboard ;)

As far as how I use gatekeeper, I just have it handle the ingress and then pass to the protected app's service, so just an extra yaml, but works.

[carpenike]

I would suggest using bitnami's gatekeeper helm chart instead, more up to date I found, even their helm chart is decent for keycloak as well.

I've also got keycloak + kube apiserver dialed in so I can use it to protect the kubernetes dashboard ;)

As far as how I use gatekeeper, I just have it handle the ingress and then pass to the protected app's service, so just an extra yaml, but works.

@echel0n -- any chance your config is public?

[echel0n]

apiVersion: apps/v1
kind: Deployment
metadata:
  name: gatekeeper
  namespace: transmission
  labels:
    app: gatekeeper
spec:
  replicas: 1
  selector:
    matchLabels:
      app: gatekeeper
  strategy:
    type: Recreate
  template:
    metadata:
      labels:
        app: gatekeeper
    spec:
      containers:
        - name: gatekeeper
          image: bitnami/keycloak-gatekeeper:10.0.0
          envFrom:
          - secretRef:
              name: transmission-gatekeeper-env           
          ports:
            - containerPort: 3000
          args:
            - /keycloak-gatekeeper
            - --discovery-url=https://auth.something.ca/auth/realms/something
            - --upstream-url=http://transmission.transmission:9091
            - --listen=0.0.0.0:3000
            - --client-id=$(CLIENT_ID)
            - --client-secret=$(CLIENT_SECRET)
            - --enable-refresh-tokens=true
            - --enable-session-cookies=true
            - --secure-cookie=true
            - --encryption-key=$(ENCRYPTION_KEY)
            - --enable-default-deny=true
            - --verbose
            - --enable-logging
            - --resources=uri=/*
            - --oauth-uri=/transmission/oauth            
---
kind: Service
apiVersion: v1
metadata:
  name: gatekeeper
  namespace: transmission
  labels:
    app: gatekeeper
spec:
  ports:
  - port: 3000
    targetPort: 3000
  selector:
    app: gatekeeper
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: gatekeeper
  namespace: transmission
  labels:
    app: gatekeeper
  annotations:
    kubernetes.io/ingress.class: nginx   
spec:
  tls:
  - hosts:
    - something.ca
    secretName: something-ca-tls
  - hosts:
    - something.lan
    secretName: something-lan-tls    
  rules:
  - host: something.ca
    http:
      paths:
      - path: /transmission
        pathType: Prefix
        backend:
          service:
            name: gatekeeper
            port:
              number: 3000 

[runningman84]

This also looks good
https://www.authelia.com/

[billimek]

See also https://github.com/ory/kratos

[hsluoyz]

Hi @billimek I am from Casbin team and we have a central authentication project called Casdoor: https://casdoor.org/ . Casdoor is itself an OAuth provider, also as well as an integrator of other OAuth providers like GitHub, Google, etc. It also supports SMS, Email logins. It contains a full-fledged web UI but it can also run in "headless" mode. It's developed in Go. And it integrates well with Casbin. You can build it from source (just type in go run main.go) or use our Docker image: https://hub.docker.com/r/casbin/casdoor . You can see the live demo here: https://door.casbin.com/ . Let me know if you have any questions :)

[billimek]

This is no longer needed - I moved nearly all ingress objects behind tailscale and rely on membership in the tailnet instead of an IDP via an oauth2 proxy service. The remaining truly external ingresses wouldn't work with an authentication proxy anyway.