Feat: support OpenID authentication

[doncicuto]

Right now, you can only log in the console using a digital certificate. As OpenUEM uses a CA to generate digital certificates it's a coherent decision, however as some users have mentioned it'd great to use OpenID and provide different ID providers.

This issue will track the progress for OpenUEM integration with OpenID, but as OpenUEM doesn't re-invent the wheel, OpenUEM will delegate authentication (RBAC and authorization will be discussed in a different issue) to the following authentication providers:

• Keycloak
• Zitadel
• Authentik

Organizations may use these providers to authenticate users. If orgs don't have these providers they can use docker self-hosted versions or cloud based authentication (Zitadel Cloud).

[cyber-armor]

This is a great idea and will also increase the security posture since we can easily add multi factor authentication to the console.

[doncicuto]

Some repositories that we may use:

• https://github.com/Darkness4/auth-htmx

[stavros-k]

I'd like to suggest Authelia and pocket-id as alternatives (that might be easier to setup and test while developing this!)
Otherwise, if the above providers are supported, I dont see any reason that those 2 are not going to work aswell.

[doncicuto]

Thanks @stavros-k for your suggestion. As you mention once I get OpenID working there's no reason for not providing more alternatives.

[doncicuto]

Hi @stavros-k, it seems that I need to dedicate some time to launch an Authelia instance so I'm opening a new issue to support Authelia when I've more time. This project looks promising, but I find it "harder" to launch a testing instance compared to Authentik, Zitadel or Keyclock so that's why I've dropped it from this issue, I hope you understand

[stavros-k]

No worries, I'll probably be able to share a "demo" compose file in the next couple days. I'll share it in the dedicated ticket

[doncicuto]

Thanks @stavros-k, that compose file would help me a lot

[stavros-k]

Btw you dont need to support all providers, you just need a "generic" option.
For example Outline has these variables mentioned in this discussion
outline/outline#3478

Which should work with most (if not all) oidc providers

[doncicuto]

Yes, that's the idea and thanks for the example. While I'll use generic env variables or settings in the console, each provider has a different way to get the information that I need to create the accounts, so that's the trickier part but in any case things are going pretty well

[stavros-k]

When this lands with generic settings/vars, users with different providers can submit guides to the docs for them!

Usually there is also a "wellknown" endpoint for autoconfig (if that doesnt work you can let user do it manually (https://www.authelia.com/integration/openid-connect/introduction/#well-known-discovery-endpoints)

So if you have verified 2-3 providers, I'd consider "done" and with some user testing can handle edge cases + docs.