jointakahe / takahe

An ActivityPub/Fediverse server
BSD 3-Clause "New" or "Revised" License

Authentication to Takahe using OIDC #314

Open tobru opened 1 year ago

tobru commented 1 year ago

It would be cool if it were possible to authenticate to Takahe using OIDC, for example leveraging Keycloak for that or any other service providing SSO services.

andrewgodwin commented 1 year ago

It would be nice! I don't imagine it will be on the roadmap before 1.0, but I'll take it as a future feature request.

tacerus commented 1 year ago

Hi,

just sharing here in case it is helpful for anyone, we use Takahe with Keycloak using SAML. Whilst there is no official support, it is fairly easy as with any generic Django application. I assume OIDC would work equally well, possibly even easier.

Here are the relevant parts in our settings.py - the biggest chunk is mostly SAML related fine tuning:

import os
import saml2
import saml2.saml
import saml2.xmldsig

LOGIN_URL = "/saml2/login/"
LOGOUT_URL = "/auth/logout/"
# Relevant additions only: this entry is appended to Takahe's existing MIDDLEWARE list.
MIDDLEWARE = [
    "djangosaml2.middleware.SamlSessionMiddleware",
]
AUTHENTICATION_BACKENDS = (
    'django.contrib.auth.backends.ModelBackend',
    'djangosaml2.backends.Saml2Backend',
)
# BASE_DIR is assumed to be defined earlier in settings.py (Django's default).
SAML_CONFIG = {
    'xmlsec_binary': '/usr/bin/xmlsec1',
    'entityid': 'https://example.com/saml2/metadata/',
    'attribute_map_dir': os.path.join(BASE_DIR, 'attribute-maps'),
    'allow_unknown_attributes': False,
    'service': {
        'sp': {
            'name': 'Takahe',
            'name_id_format': saml2.saml.NAMEID_FORMAT_PERSISTENT,

            'endpoints': {
                'assertion_consumer_service': [
                    ('https://example.com/saml2/acs/',
                     saml2.BINDING_HTTP_POST),
                ],
                'single_logout_service': [
                    ('https://example.com/saml2/ls/',
                     saml2.BINDING_HTTP_REDIRECT),
                    ('https://example.com/saml2/ls/post',
                     saml2.BINDING_HTTP_POST),
                ],
            },
            'signing_algorithm': saml2.xmldsig.SIG_RSA_SHA256,
            'digest_algorithm': saml2.xmldsig.DIGEST_SHA256,
            'force_authn': False,
            'name_id_format_allow_create': False,
            'required_attributes': ['email'],
            # Require signatures on both the response and the assertions it carries.
            'want_response_signed': True,
            'authn_requests_signed': True,
            'logout_requests_signed': True,
            'want_assertions_signed': True,
            # Trust only the signing keys published in the IdP metadata.
            'only_use_keys_in_metadata': True,
            # Reject IdP-initiated (unsolicited) responses.
            'allow_unsolicited': False,
        },
    },
    'metadata': {
        'remote': [{"url": "https://libsso.net/realms/LibertaCasa/protocol/saml/descriptor"}],
    },

    'debug': 0,

    # SP signing key and certificate used for signed AuthnRequests and LogoutRequests.
    'key_file': '/etc/ssl/takahe/saml.key',
    'cert_file': '/etc/ssl/takahe/saml.crt',
}

LOGGING = {
    'version': 1,
    'disable_existing_loggers': False,
    'handlers': {
        'console': {
            'class': 'logging.StreamHandler',
        },
    },
    'root': {
        'handlers': ['console'],
        'level': 'INFO',
    },
}
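An added example, not part of the issue thread or of Takahe itself: a small pre-deploy audit that checks a djangosaml2/pysaml2 `SAML_CONFIG` dict for the hardening settings used in the comment above (signed responses and assertions, metadata-only keys, no unsolicited logins, https endpoints). The pysaml2 binding constants are stood in by plain strings and the sample configs are constructed so the script runs without pysaml2 installed.

```python
# Added example (not from the issue or from Takahe): audit the SP section of a
# djangosaml2/pysaml2 SAML_CONFIG before deploying it. Binding constants are
# replaced by plain strings so this runs without pysaml2.
REQUIRED_SP_FLAGS = {
    "want_response_signed": True,       # reject unsigned IdP responses
    "want_assertions_signed": True,     # reject unsigned assertions
    "authn_requests_signed": True,
    "logout_requests_signed": True,
    "only_use_keys_in_metadata": True,  # trust only keys from IdP metadata
    "allow_unsolicited": False,         # no IdP-initiated (unsolicited) logins
}


def audit_saml_config(config: dict) -> list:
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    sp = config.get("service", {}).get("sp", {})
    for key, expected in REQUIRED_SP_FLAGS.items():
        if sp.get(key) is not expected:
            findings.append(f"service.sp.{key} should be {expected!r}")
    if config.get("allow_unknown_attributes", True):
        findings.append("allow_unknown_attributes should be False")
    if "email" not in sp.get("required_attributes", []):
        findings.append("service.sp.required_attributes should include 'email'")
    for url, _binding in (u for eps in sp.get("endpoints", {}).values() for u in eps):
        if not url.startswith("https://"):
            findings.append(f"endpoint {url} is not served over https")
    for remote in config.get("metadata", {}).get("remote", []):
        if not remote.get("url", "").startswith("https://"):
            findings.append("remote metadata must be fetched over https")
    if config.get("debug"):
        findings.append("debug should be 0 outside development")
    return findings


# Constructed sample mirroring the hardened values shown in the comment above.
HARDENED = {
    "allow_unknown_attributes": False,
    "service": {"sp": {
        **REQUIRED_SP_FLAGS,
        "required_attributes": ["email"],
        "endpoints": {
            "assertion_consumer_service": [("https://example.com/saml2/acs/", "HTTP-POST")],
            "single_logout_service": [("https://example.com/saml2/ls/", "HTTP-Redirect")],
        },
    }},
    "metadata": {"remote": [{"url": "https://idp.example.com/realms/x/protocol/saml/descriptor"}]},
    "debug": 0,
}

# Constructed weakened copy: unsigned assertions and unsolicited logins allowed.
WEAKENED = {**HARDENED, "service": {"sp": {**HARDENED["service"]["sp"],
            "want_assertions_signed": False, "allow_unsolicited": True}}}
```

Running `audit_saml_config` on the real `SAML_CONFIG` in settings.py works the same way once pysaml2 is importable, since only the endpoint URLs and the boolean flags are inspected.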
andrewgodwin commented 1 year ago

Oh nice, thanks for that! Certainly helps things while I get around to adding it in centrally (which won't be for a bit, there's other bigger things to add!)