hackclub / nest

Free, powerful, and versatile compute infrastructure for all high school hackers!
https://hackclub.app
MIT License
55 stars 11 forks

Allow the creation of Authentik OAuth apps via the Nest CLI #57

Open DaInfLoop opened 3 months ago

DaInfLoop commented 3 months ago

Currently, the only way to authenticate a Nest user is via https://oauth.hackclub.app/, which has been down for a while.

A suggestion was made in #nest-meta to allow users to create and manage OAuth applications via the Nest CLI by using the Authentik API.

Firepup6500 commented 3 months ago

https://git.hackclub.app/ seems to go through https://identity.hackclub.app

DaInfLoop commented 3 months ago

https://git.hackclub.app/ is hosted by the Nest Admins, so they can create the OAuth app themselves.

polypixeldev commented 3 months ago

After discussion with @hello-smile6, we've decided that it's better not to create a CLI tool to automatically interface with Authentik to create OAuth apps, as it could easily be abused as well as make it difficult for admins to manage Authentik.

Unless a better suggestion is made, what will most likely happen is that oauth.hackclub.app will be fixed and improved so that there is a good way to create OAuth apps on Nest that is isolated from Nest's internal apps and configuration.

DaInfLoop commented 3 months ago

I think the main reason behind the suggestion to add it to the Nest CLI was the fact that it didn't want to have admin intervention, but now that I think of it, oauth.hackclub.app requires an admin (which I'm pretty sure is just @aboutdavid) to review your app before you're allowed to actually use OAuth.

In that case, why not do the same thing for Authentik OAuth apps? If removing the form to create the apps was an idea, that has the same risks as using the CLI to create the apps.

polypixeldev commented 3 months ago

I hadn't thought fully through the implications of an automated system that didn't require admin intervention before. I think it makes sense to have a system that requires communication with the admins and approval to avoid confusion & misuse.

hello-smile6 commented 1 month ago

Could we maybe do manual configuration of authentik on a per-case basis with a slack workflow that creates a private slack channel with a user + nest admins for discussing oauth app setup?

polypixeldev commented 1 month ago

Could we use Authentik's access control to allow users to configure settings like the client secret and redirect URIs in Authentik themselves?

dispherical commented 2 weeks ago

I might take this up