Open Sapd opened 1 year ago
Agreed with this. A minimal proposal could be implementing a simple "import from LDAP" feature to be manually run or automatically run on a schedule which would populate the internal user table.
A more thorough implementation would be OIDC. Or a simpler one would be forward auth.
It's cool. I'd love to see a PR here since I don't use such a service and wouldn't know how to incorporate them into the existing auth system without thorough research.
OIDC/OAuth2 would allow anything with the proper provider(s).
I believe that Forward Authentication is a non-viable solution, since this application relies on client apps. As for which solution would be better, I otherwise agree with the consensus, in that OIDC/OAuth2 would be the preferable option, with LDAP remaining a potentially easier solution.
Cool Project :)
I want to suggest that you also support SSO for user registration and authentication. It gets more and more popular in stacks like Jellyfin (via Plugin), Jellyseerr, *arr, Portainer, Nextcloud etc. People often use Authentik, Authelia or Keycloak as software.
A standard - but probably complicated - way of implementing that would be OpenID.
An easy way is to leverage a Proxy Provider. Using header authentication: https://goauthentik.io/docs/providers/proxy/header_authentication Or better, forward auth: https://goauthentik.io/docs/providers/proxy/server_nginx

With forward auth, authentik will redirect a request to its login page if not authenticated. Your app would have to open up a browser window and save the returned auth cookie, and send this cookie in further requests. When authenticated (via cookie), authentik will send a header with the username to the backend.
Overall, this makes user management of self-hosted apps much easier, especially when having many applications that are shared within the family.
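
Added example, not part of the original post or the project's code: a backend-side check for the forward-auth flow described above, where the proxy sends the username in a header. It accepts that header only when the TCP peer is the proxy itself and fails closed otherwise. The proxy network `172.18.0.0/24`, the function names and the sample requests are assumptions made for illustration; the header name follows authentik's proxy provider and should be adjusted for other proxies.

```python
import ipaddress

# Assumptions (not from the thread): the proxy's address range and the
# header that carries the authenticated username.
TRUSTED_PROXIES = [ipaddress.ip_network("172.18.0.0/24")]  # constructed value
USER_HEADER = "x-authentik-username"


def from_trusted_proxy(remote_addr, trusted=TRUSTED_PROXIES):
    """True only if the TCP peer (not X-Forwarded-For) is a known proxy."""
    try:
        peer = ipaddress.ip_address(remote_addr)
    except ValueError:
        return False
    return any(peer in net for net in trusted)


def resolve_user(remote_addr, headers, trusted=TRUSTED_PROXIES):
    """Return the proxy-asserted username, or None if it must not be trusted.

    headers is a list of (name, value) pairs so duplicates stay visible.
    """
    if not from_trusted_proxy(remote_addr, trusted):
        # Direct connection: any client can set this header, so ignore it.
        return None
    values = [v.strip() for k, v in headers if k.lower() == USER_HEADER]
    if len(values) != 1 or not values[0]:
        # Missing, empty, or duplicated header: fail closed.
        return None
    return values[0]


if __name__ == "__main__":
    # Constructed sample requests: (peer address, headers)
    samples = [
        ("172.18.0.5", [("X-authentik-username", "alice")]),
        ("203.0.113.9", [("X-authentik-username", "admin")]),
        ("172.18.0.5", [("X-authentik-username", "alice"),
                        ("x-authentik-username", "admin")]),
        ("172.18.0.5", [("Accept", "*/*")]),
    ]
    for peer, hdrs in samples:
        print(peer, "->", resolve_user(peer, hdrs))
```

The backend port should also be reachable only from the proxy, so the address check is a second layer and not the only control.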