yunohost-bot opened 7 years ago
Interesting. I know we can also use openID for that and persona was also a way to do that, sadly those technologies aren't used anymore :(
perhaps there are new identity provider technologies now that deserve to be considered?
From the top of my head
This could also be used to centralize/unify the login-experience on a single Yunohost instance.
Just adding some googling and thoughts:
If needed, there's a pure Lua solution: OpenID Connect implementation in Lua: https://github.com/zmartzone/lua-resty-openidc
But we could also go (and I think that's what's best) for hybrid SSOWat + web user portal in VueJS / Python:
We could for example imagine that we:
Repos of potential interest:
During the chatons camps, I had a demonstration of Authelia and it seems it could replace a part of SSOWat, so we could imagine the current SSOWat being replaced by: the YunoHost user API, the portal and Authelia.
Agreed. Authelia can be nicely integrated within YunoHost and make the SSO experience better, more stable and somewhat safer.
There was some discussion here about Authelia, in #2051 about Dex, but other alternatives can be considered. Let's start a comparison table:
Name | Debian package | Architectures | Backend | Frontend | Groups/permissions | nginx ACL | Password reset |
---|---|---|---|---|---|---|---|
Authelia | external repo | amd64,arm64,armhf | LDAP | HTTP headers, OpenID Connect | yes | yes | yes |
Dex | no | ? | HTTP headers | LDAP | OpenID Connect | Only one group for HTTP backend | no |
Kanidm | external repo | amd64,arm64 (with modern instructions) | Own database, LDAP | OpenID Connect, LDAP | yes | not directly | yes |
Glewlwyd | yes | amd64,arm64,armhf and more | Own database, LDAP, HTTP headers readonly | OpenID Connect | no? | no? | yes |
From a quick look at the features, it looks like Authelia is the best candidate so far.
This issue is about Yunohost as OpenID Connect (or other protocol) identity provider. For discussion about replacing SSOWat entirely, please head over to #2240
Kanidm has pretty amazing performance. I personally use it in some of my projects (small and huge ones) and it's working pretty nicely. It's also worth a look.
For completeness' sake: Shibboleth IdP (often used in education) is another option.
@hex-m I heard good things about Shibboleth but I've always found the documentation lacking. Maybe I just don't know where to look. I've added it to the comparison table in #2240 because I think it's a complete identity management solution and not just an OpenID Connect provider, but I left a lot of "?" in the table because I couldn't find the information.
Feel free to comment with more information and links to a complete admin guide and architectural overview.
There is this library, which could be useful to implement this: https://github.com/IdentityPython/pyop, or this one: https://github.com/CZ-NIC/pyoidc
And I confirm that more and more apps will need it. And yes, Synapse will need it.
Original Redmine Issue: 676
Author Name: Scith
Hello, what do you think of the idea of making YunoHost an identity provider? When websites allow "signing in with..." decentralized identities, then one's YNH account could be used as such an identity. Practically, however, I don't know which technology would be the most appropriate, and whether this should be in an app or in core.
I know there is SimpleSamlPHP already packaged: https://github.com/julienmalik/openid-simplesamlphp_ynh This is great software, but perhaps there are new identity provider technologies now that deserve to be considered (OAuth...)?
What do you think?