Open deathbybandaid opened 1 year ago
Something like this would be nice but I have not had time to look into this yet.
Until we implement #882, though, would it not just be simpler to set public=1 and have the web server proxy every request through Authelia? Then ReaderForSelfoss could use HTTP basic auth.
- I think that the API could use some improvement, and all api calls be merged into the /api path.
That’s the plan, I just want to clean up the API first. For example, the current API often sends unnecessarily escaped or redundant data.
- I also think that the API could make use of a separate API key that is a separate entity from the username/password configuration settings.
That is tracked in #1045.
What's wrong with just generating a QR barcode on-the-fly and getting someone to scan it (you) with Google Authenticator, Microsoft Authenticator or Authy?
Do not know those specific apps but if you mean some variant of TOTP protocol, that is primarily meant as a second factor. Using it as the sole authentication method is IMO more hassle than using a fixed password. And it requires a smartphone or a similar device, which is annoying.
And the main issue is that selfoss does not currently support it so it is in the same boat as Authelia.
I've got several self-hosted applications that use authelia as a frontend authentication method. https://github.com/authelia/authelia
Authelia allows you to use SSO/2fa credentials in front of many applications.
Using apache/nginx as a frontend, you can set auth_request to proxy through authelia, which handles valid/invalid credentials.
Authelia works great as a web frontend for selfoss, but not so much for interfacing with ReaderForSelfoss, as the API doesn't seem to operate out of a single /api path.
Doing the above would allow for authelia/keycloak/authentik/etc to handle web-based authentication, with selfoss still handling api authentication. Another possible perk would be a future QR code in the settings page for ReaderForSelfoss to utilize for easier connections.
Additionally, this would also take care of #848 as Authelia can connect to LDAP as a backend.
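
The split requested in this issue, sketched as an nginx configuration (an added example, not part of the original post and not configuration shipped by selfoss or Authelia). It assumes the proposed layout in which every API call lives under /api/. Hostnames, ports, certificate paths and the internal location name are constructed placeholders, and the Authelia verification endpoint depends on the Authelia version in use.

```nginx
# Added example: all names and addresses below are constructed placeholders.
server {
    listen 443 ssl;
    server_name rss.example.com;
    ssl_certificate     /etc/ssl/rss.example.com.crt;
    ssl_certificate_key /etc/ssl/rss.example.com.key;

    # Internal subrequest target: Authelia answers 2xx (allow) or 401 (deny).
    location = /internal/authelia {
        internal;
        # Legacy Authelia verify endpoint; the upstream address is assumed.
        proxy_pass http://127.0.0.1:9091/api/verify;
        proxy_pass_request_body off;
        proxy_set_header Content-Length "";
        proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
        proxy_set_header X-Forwarded-For $remote_addr;
    }

    # Web UI: every request must pass the Authelia check first.
    location / {
        auth_request /internal/authelia;
        # Unauthenticated browsers are redirected to the portal (placeholder URL).
        error_page 401 =302 https://auth.example.com/?rd=$scheme://$http_host$request_uri;
        proxy_pass http://127.0.0.1:8080;   # selfoss backend, assumed
        proxy_set_header Host $host;
    }

    # API used by ReaderForSelfoss: no auth_request here, so selfoss itself
    # must authenticate these calls (its own password today, or a separate
    # API key as tracked in #1045). Do not combine this block with a selfoss
    # setup that leaves the API open, or the proxy check is bypassed.
    location /api/ {
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host $host;
    }
}
```

Until the API is consolidated under one prefix, any API route outside /api/ still falls into the `location /` block and is subject to the Authelia check, which is the breakage described above.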