SSO / oidc support - Githubissues

etesync / server

The Etebase server (so you can run your own)

https://www.etesync.com

GNU Affero General Public License v3.0

1.56k stars 76 forks source link

SSO / oidc support #188

Open parisni opened 1 month ago

parisni commented 1 month ago

Not sure the feature already exists thanks to django framework server

lfuerderer commented 1 month ago

There is a core problem with SSO.

When using password authentication, the encryption key is derived from the password. With SSO, I see no sensible way to derive an encryption key.

Maybe you have an idea how to solve this problem, otherwise I think SSO is just infeasible for EteSync.

parisni commented 1 month ago

No strong confidence on the below naive approach, happy to have your thought

Map the password to a given attribute in the SSO payload, let's say now encryption derive from etesync_key attribute managed by the provider
On the provider side, encrypt/decrypt etesync_key with the user password, and pass it to etesync as a payload. Sounds like possible w/ keyckoak

This means on etesync side there is no complexity, the risky part is delegated to the provider.

tasn commented 1 month ago

You can do SSO for the user provisioning and authentication (I'm pretty sure we support SAML already? Not sure) though the encryption key will have to be separate.

The main problem though is that we would need to also implement this across all of the clients, and I think the added benefit is minimal.