Alovoa / alovoa

Free and open-source dating platform that respects your privacy
https://alovoa.com
GNU Affero General Public License v3.0

OpenID/OAuth2 Servers Should Be Fully Configurable #291

Open ip6li opened 1 year ago

ip6li commented 1 year ago

Is your feature request related to a problem? Please describe.

The feature should support OpenID/OAuth2 platforms other than Google and Facebook. Some changes allow the usage of a private Keycloak server.

Describe the solution you'd like

See this Fork. This solution uses Keycloak as the OAuth2/OIDC identity provider (IDP), which has many advantages over a local SQL-based auth solution. Keycloak allows many AuthN/AuthZ backends and supports multi-factor authentication.

Describe alternatives you've considered

The first try was to extend Alovoa's OAuth2 implementation with Keycloak as an alternative to Google and Facebook auth. A better solution is to let OAuth2 also do authorization, e.g. with Keycloak group assignment. This solution has the advantage that no admin password needs to be configured in application.properties.

Next Steps

The fork mentioned above will remove local authentication completely. Documentation will be added for the configuration of Keycloak, including a realm alovoa with one or two admin users which are disabled by default. The Keycloak admin has to install the JSON, change the password for at least one admin and then enable that admin.
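As an added illustration of the approach described above (not code from Alovoa or from the fork), the Spring Security configuration below takes its OIDC provider entirely from properties and derives the admin role from a Keycloak group claim, so no admin password has to be stored in application.properties. The property names, the "groups" claim name and the "/alovoa-admins" group path are assumptions.

```java
// Added example, not code from Alovoa or the fork. Assumes Spring Boot 3 / Spring Security 6 and a
// Keycloak realm whose ID token carries a "groups" claim (claim name and "/alovoa-admins" group
// path are assumptions). The provider comes entirely from properties, so any OIDC server fits:
//   spring.security.oauth2.client.registration.keycloak.client-id=alovoa
//   spring.security.oauth2.client.registration.keycloak.client-secret=${OIDC_CLIENT_SECRET}
//   spring.security.oauth2.client.registration.keycloak.scope=openid,profile,email
//   spring.security.oauth2.client.provider.keycloak.issuer-uri=https://idp.example.org/realms/alovoa
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.authority.mapping.GrantedAuthoritiesMapper;
import org.springframework.security.oauth2.core.oidc.user.OidcUserAuthority;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
public class OidcSecurityConfig {
    private static final String GROUPS_CLAIM = "groups";        // assumed claim name
    private static final String ADMIN_GROUP = "/alovoa-admins"; // assumed Keycloak group path
    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http.authorizeHttpRequests(auth -> auth
                .requestMatchers("/admin/**").hasRole("ADMIN")
                .anyRequest().authenticated())
            .oauth2Login(login -> login
                .userInfoEndpoint(ui -> ui.userAuthoritiesMapper(groupsToRoles())));
        return http.build();
    }

    // Admin rights are derived from IDP group membership at login, so no admin password
    // has to live in application.properties; leaving the group revokes the role at next login.
    @Bean
    GrantedAuthoritiesMapper groupsToRoles() {
        return authorities -> {
            Set<GrantedAuthority> mapped = new HashSet<>(authorities);
            for (GrantedAuthority a : authorities) {
                if (a instanceof OidcUserAuthority oidc) {
                    List<String> groups = oidc.getIdToken().getClaimAsStringList(GROUPS_CLAIM);
                    if (groups != null && groups.contains(ADMIN_GROUP)) {
                        mapped.add(new SimpleGrantedAuthority("ROLE_ADMIN"));
                    }
                }
            }
            return mapped;
        };
    }
}
```

Keycloak only includes the group claim if a group membership mapper is added to the client scope; with the "Full group path" option enabled the values look like "/alovoa-admins", which is what the constant above assumes.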

ip6li commented 1 year ago

Alovoa has too tight dependencies on 3rd party services for authentication (AuthN). Keycloak as OIDC provider seems to be a better choice, so Alovoa should do AuthN/Z via Keycloak, and Keycloak may be configured for any 3rd party IDP.

Alovoa admins can be forced to use multi-factor AuthN by Keycloak, e.g. a client certificate on a smartcard or FIDO2 on a YubiKey.

Of course any other OIDC provider can be used as well.

ip6li commented 3 months ago

A PoC can be provided.