YunoHost / issues

General issue tracker for the YunoHost project

Add OpenID Connect support using Dex #2051

Open navanchauhan opened 2 years ago

navanchauhan commented 2 years ago

A lot of apps do not support using LDAP for authentication, but a lot of newer apps do support login via OpenID Connect. I propose we add a helper / support for Dex, a service that can tap into YunoHost's LDAP using a connector and provide these apps with the correct tokens.

Example

Outline is software that requires social login (Slack/Google/any other OIDC login); this package by Limezy downloads the Dex package and integrates it with Outline so users can use their YunoHost credentials to log in to the app.

Proposal

I propose the following features:

navanchauhan commented 2 years ago

Example config: https://github.com/dexidp/dex/blob/master/examples/config-dev.yaml

We can either have multiple instances of Dex and bind each app to a dev instance using the configuration file, or someone will have to figure out the gRPC API that Dex exposes: https://dexidp.io/docs/api/

edit: I was wrong. We would only need one instance, as you can have multiple clients:

```yaml
# Excerpt from Dex's example config: each app that authenticates through Dex
# is one entry under staticClients, so a single Dex instance can serve many apps.
staticClients:
  - id: example-app
    redirectURIs:
      - 'http://127.0.0.1:5555/callback'
    name: 'Example App'
    secret: ZXhhbXBsZS1hcHAtc2VjcmV0
  # - id: example-device-client
  #   redirectURIs:
  #     - /device/callback
  #   name: 'Static Client for Device Flow'
  #   public: true
```

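
To make the single-instance idea concrete, here is an added example of a full Dex config, not taken from the issue, the Limezy package or the Dex repository: one Dex instance, one `ldap` connector pointing at the LDAP server on the host, and two static clients for two separate apps. The LDAP layout (`dc=yunohost,dc=org`, users under `ou=users`, groups under `ou=groups` with `objectClass=groupOfNamesYnh`), the app hostnames, the bind DN and every secret shown are assumptions for illustration and must be adapted to the real server.

```yaml
# Added example config for a single Dex instance serving several YunoHost apps.
# Values marked ASSUMED are illustrative and not taken from the issue thread.

# Public URL of the issuer; apps validate tokens against this value exactly.
issuer: https://dex.example.org          # ASSUMED hostname

storage:
  type: sqlite3
  config:
    file: /var/lib/dex/dex.db

web:
  # Bind to loopback only and put the YunoHost nginx in front as the TLS
  # terminator; do not expose the plain-HTTP listener directly.
  http: 127.0.0.1:5556

oauth2:
  # YunoHost users are already trusted for the apps installed on the server,
  # so the per-app consent screen adds no value here.
  skipApprovalScreen: true

connectors:
  - type: ldap
    id: yunohost-ldap
    name: YunoHost
    config:
      # Dex and slapd are on the same host, so LDAP traffic never leaves loopback.
      # insecureNoSSL must NOT be used for a remote LDAP server; use startTLS
      # or ldaps there instead.
      host: 127.0.0.1:389
      insecureNoSSL: true
      # A dedicated read-only service account (ASSUMED DN), not the admin DN.
      bindDN: cn=dex,ou=sudo,dc=yunohost,dc=org
      bindPW: "CHANGE-ME-bind-password"
      usernamePrompt: Username
      userSearch:
        baseDN: ou=users,dc=yunohost,dc=org        # ASSUMED layout
        filter: "(objectClass=inetOrgPerson)"
        username: uid
        idAttr: uid
        emailAttr: mail
        nameAttr: cn
      groupSearch:
        baseDN: ou=groups,dc=yunohost,dc=org       # ASSUMED layout
        filter: "(objectClass=groupOfNamesYnh)"    # ASSUMED object class
        userMatchers:
          - userAttr: DN
            groupAttr: member
        nameAttr: cn

# One entry per app. Each app gets its own id, its own secret and an exact
# redirect URI; Dex will refuse a callback that does not match the list.
staticClients:
  - id: outline
    name: Outline
    redirectURIs:
      - https://outline.example.org/auth/oidc.callback   # ASSUMED app URL
    secret: "CHANGE-ME-outline-secret"
  - id: second-app
    name: Second App
    redirectURIs:
      - https://app2.example.org/oidc/callback           # ASSUMED app URL
    secret: "CHANGE-ME-second-app-secret"
```

Two practical checks when wiring an app this way: generate each client secret with something like `openssl rand -base64 32` rather than reusing the example value above, and keep the redirect URI in the app's own OIDC settings byte-for-byte identical to the one registered in `staticClients`, since a trailing slash or `http` versus `https` mismatch is the most common reason the flow fails.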
ketsapiwiq commented 2 years ago

Although it seems to be well-supported, I think choosing to rely on Dex instead of any other solution (like integrating a lighter OpenID Connect implementation close to the technologies already in use in YunoHost, like Python 3 and VueJS) would probably mean close coupling with Dex's architecture, which is a big thing we might not want.

Careful, for the OIDC feature, there's already https://github.com/YunoHost/issues/issues/1892 and https://github.com/YunoHost/issues/issues/676.

ketsapiwiq commented 2 years ago

And I'd add that, if we want to consider a new piece of software such as Dex, we might want to integrate a more complete alternative such as Keycloak (and maybe make it optional?).

navanchauhan commented 2 years ago

Using something like Authelia/Keycloak will increase the amount of complexity for the end-user. But integrating new software and exposing it as a helper to other app packagers would mean it will be a safer option.

For now, once I set up my dev environment, I would still like to go ahead with a proof of concept.

The reason I believe the two issues are different from this one is that they primarily aim to open up YunoHost as an Identity Provider, whereas this issue suggests using the LDAP server and connecting it to existing apps using OIDC. Although the technical challenges might be the same, the end-use case differs in my opinion.

selfhoster1312 commented 1 year ago

I propose to close this issue in favor of #676.