Authelia Integration #389
Comments
Unfortunately this is not possible at the moment and I do not see a simple way to add it. The app is not prepared for SSO. Sharing a link also creates a guest user with restricted access to the gallery. I think it would be challenging to set that part up. |
Hi - it's been a while and I have finally taken the plunge and am trying to implement this feature. Note I have zero previous TypeScript experience, so bear with me. So far I have added 3 new configuration items.
I think I have this working mostly: if it's enabled, then it will check the configured header for the user and do a lookup in the PG2 users for a matching user (a prerequisite is to have the user configured in PG2). Anyway, I am struggling with the logout. When a user clicks Logout from the menu, that calls the backend logout and I can see you delete the user object from the session. I would also like to (if configured) redirect the whole browser window to the configured logout URL. I have tried res.redirect(URL) but this does not work, as the menu item does not expect the return and does not redirect window.location.href. Do you have any tips or pointers on how I can redirect the whole frame to the external URL to log out after calling PG2 logout? |
A question first: would you like to push this change back to the main codebase, or are you setting this up for your own use case? For the implementation question: I would use only a single source of truth for being logged in. In this case Authelia. So I would make sure that the logout button logs out the user from there (i.e. replacing the logout button to log users out there). Disclaimer: I do not know Authelia and never implemented SSO. |
I am doing this to fit my use case and I expect this same feature would be useful for other people who self-host and use a Single Sign-On solution. So I was hoping to push this back via a pull request and see if you would review and integrate it if possible, if you wish, as it's your app, your branch and your choice (one of the great things about open source). I am happy to wait until this new extension support before completing. As to the implementation
With respect to your extension changes - does this include 'standardising' or simplifying the URLs of resources for PG? I ask as, for adding an external authentication mechanism, you would need to specify URLs which do not need protection and URLs that do. For example, for sharing an album in PG2, you would want the authentication mechanism to ignore authentication for those resources; otherwise any attempt to access any other album/resource would trigger the authenticator to check for permissions before either blocking or allowing. |
On the extension question: yes, I plan to add some simplified way to add REST endpoints with authentication. About the original request: I was playing around with self-hosted stuff and read a bit (very little) about Authelia.
I started using Nginx Proxy Manager in front of my pigallery2 and Authelia supports it: https://www.authelia.com/integration/proxies/nginx-proxy-manager/ |
One of the great features I love in PG2 is the ability to share an album. Quite often I have galleries of events for external people I'd like to share with. A simple obfuscated link and password in PG2 works great for this. Turning off authentication in PG2 disables this brilliant feature. I use traefik (takes more fiddling to set up but handles SSL Let's Encrypt certs simply when set up, and I don't need to manage it ongoing). The reason I was trying to integrate an external header for the user id to pass through is that, unfortunately, 2.0 of PG2 has broken album sharing with a password (see #744). It's not the end of the world if it isn't supported, as I can work around this by simply keeping the main personal PG2 gallery as is and spinning up another instance of PG2 on a different domain with a single album and login managed by Authelia or PG2. |
Good point, it's indeed a good reason. |
I self-host a bunch of services including pigallery2, and utilise Authelia for SSO. Is there any intention of integrating with something like Authelia? Authelia provides authentication for services, and only after authentication will it allow requests through to back-end web services. This stops the 'double login' when a user has to log in past Authelia, then log in again for pigallery2. I know you can turn off authentication in pigallery2, but you need it for album sharing.
Would a possible solution be to allow Authelia to pass the user via a header of 'Remote-User' - if this matches a registered pigallery2 user, assume this is 'authenticated'? This would possibly also allow other similar services to integrate, but I only know of Authelia as that is what I am using.
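The 'Remote-User' header check proposed above, together with the exclusion of shared-album URLs and the logout redirect discussed in the comments, as an added example (not pigallery2 or Authelia code). It is plain JavaScript with no Express dependency; the config keys, the user table, the trusted-proxy address and the logout URL are all constructed placeholders. The one check a forward-auth setup must not skip is that the identity header is only honoured when the request arrives from the proxy itself, since anyone who can reach the app directly could otherwise set the header themselves.

```javascript
// Constructed configuration (hypothetical key names, not pigallery2's).
const config = {
  ssoEnabled: true,
  ssoHeader: 'remote-user',                        // Node lower-cases header names
  ssoLogoutUrl: 'https://auth.example.test/logout', // placeholder logout URL
  trustedProxies: ['10.0.0.2'],                    // only the Authelia-fronted proxy
  publicPrefixes: ['/share/', '/api/share/'],      // shared-album routes stay open
};

// Constructed user table standing in for the PG2 user lookup.
const users = new Map([['alice', { name: 'alice', role: 'Admin' }]]);
const findUser = (name) => users.get(name) || null;

// Decide what to do with a request shaped like Express's (path, socket, headers).
// Returns { action: 'allow' | 'deny' | 'skip', ... } so a middleware can act on it.
function resolveSsoUser(req, cfg = config) {
  if (!cfg.ssoEnabled) return { action: 'skip', reason: 'sso disabled' };
  // Shared-album routes bypass SSO so guest links keep working.
  if (cfg.publicPrefixes.some((p) => req.path.startsWith(p))) {
    return { action: 'skip', reason: 'public route' };
  }
  // Trust the identity header only when the TCP peer is the proxy; a client that
  // bypasses the proxy could otherwise forge 'Remote-User' and pick any account.
  if (!cfg.trustedProxies.includes(req.socket.remoteAddress)) {
    return { action: 'deny', reason: 'untrusted peer' };
  }
  const raw = req.headers[cfg.ssoHeader];
  const name = Array.isArray(raw) ? raw[0] : raw;
  if (!name) return { action: 'deny', reason: 'missing header' };
  const user = findUser(name.trim());
  if (!user) return { action: 'deny', reason: 'unknown user' }; // must exist in PG2
  return { action: 'allow', user };
}

// Logout: an XHR response cannot navigate the browser, so the backend clears the
// session and hands back the external logout URL for the client to assign to
// window.location.href.
function logoutPayload(session, cfg = config) {
  if (session) delete session.user;
  return { redirect: cfg.ssoEnabled && cfg.ssoLogoutUrl ? cfg.ssoLogoutUrl : null };
}
```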