danielbrendel / hortusfox-web

Self-hosted collaborative plant management system for your local environment
https://hortusfox.github.io
MIT License

External authentication #143

Open flisk opened 5 months ago

flisk commented 5 months ago

Is there any interest/plan to implement external authentication mechanisms (something like LDAP or OpenID), or is that out of scope?

danielbrendel commented 5 months ago

This was suggested by someone on Reddit before. Might take a while at least for LDAP because first I'd have to set up a domain controller environment to test this. I'd rather go with OpenID here because this does better fit the philosophy of open-source and self-hosted software.

modem7 commented 5 months ago

OpenID would definitely be useful, especially when pairing with Authentik/Keycloak etc.

disconn3ct commented 5 months ago

+1 for OpenID, but the fastest/easiest might be upstream authentication headers. The header names should be configurable, and admins just plug in whatever their ingress/proxy/whatever sends.

There is a decent writeup about that method on authentik's page. By default, they use X-authentik-* with username, email, uid, groups, etc all provided automatically.

From a security standpoint, it must be behind a proxy if the headers are accepted. Otherwise an attacker could provide false account information. (Many implementations have a whitelist of proxies, using IP or CIDR, and then reject auth headers from anywhere else.)
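The trusted-proxy check described in the comment above, as an added illustration that is not part of the original issue thread or of the HortusFox code base: identity headers are honoured only when the request's direct peer address falls inside an admin-configured list of proxy IPs/CIDRs, and are ignored otherwise. The header names (authentik's `X-authentik-*` defaults), the pipe-separated group format, the sample CIDR ranges and the sample requests are all assumed or constructed for this example.

```python
import ipaddress

# Constructed example: the proxy ranges an admin would configure. Only requests
# whose TCP peer address is in one of these networks may carry identity headers.
TRUSTED_PROXIES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.1.5/32")]

# Header names are configurable; authentik's defaults are used here as sample values.
HEADER_USERNAME = "X-authentik-username"
HEADER_EMAIL = "X-authentik-email"
HEADER_GROUPS = "X-authentik-groups"   # assumed to be pipe-separated, e.g. "gardeners|admins"


def is_trusted_proxy(remote_addr: str) -> bool:
    """True if remote_addr (the direct socket peer, never X-Forwarded-For) is a configured proxy."""
    try:
        addr = ipaddress.ip_address(remote_addr)
    except ValueError:
        # Malformed or missing peer address: treat as untrusted.
        return False
    return any(addr in net for net in TRUSTED_PROXIES)


def authenticate_from_headers(remote_addr: str, headers: dict):
    """Return an identity dict when the request comes from a trusted proxy and
    carries a username header; return None (fall back to normal login) otherwise.
    Headers from an untrusted peer are discarded entirely, so a client talking to
    the app directly cannot supply its own account information."""
    if not is_trusted_proxy(remote_addr):
        return None

    # HTTP header names are case-insensitive; normalise before lookup.
    lowered = {k.lower(): v for k, v in headers.items()}
    username = lowered.get(HEADER_USERNAME.lower(), "").strip()
    if not username:
        return None

    email = lowered.get(HEADER_EMAIL.lower(), "").strip() or None
    raw_groups = lowered.get(HEADER_GROUPS.lower(), "")
    groups = [g.strip() for g in raw_groups.split("|") if g.strip()]
    return {"username": username, "email": email, "groups": groups}


if __name__ == "__main__":
    # Constructed requests: one relayed by the proxy, one sent directly with forged headers.
    via_proxy = authenticate_from_headers(
        "10.2.3.4",
        {"X-authentik-username": "alice",
         "X-authentik-email": "alice@example.com",
         "X-authentik-groups": "gardeners|admins"},
    )
    direct = authenticate_from_headers("203.0.113.9", {"X-authentik-username": "alice"})
    print("via proxy:", via_proxy)   # identity accepted
    print("direct:", direct)         # None: headers ignored, normal login applies
```

The important design choice is that the address compared against the allow-list is the socket peer address, not anything the client can put in a header such as `X-Forwarded-For`; if the app itself sits behind a second proxy layer, that layer must be in the list and must strip or overwrite the identity headers it receives from clients.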

FSchiltz commented 4 months ago

Proxy auth would be nice to have if it's not possible to disable authentication completely. Because for my use case, the plants are in the house, so I just need the dashboard to be open to anyone in the home.