louislam / uptime-kuma

A fancy self-hosted monitoring tool
https://uptime.kuma.pet
MIT License
55.48k stars 4.99k forks

User Management: OpenID support (or SAML) #553

Status: Open. olivierlambert opened this issue 2 years ago.

olivierlambert commented 2 years ago

That would be cool to get login working via an OpenID provider (using SSO in short, with Keycloak for example).

I know that keycloak-js can do it (https://www.keycloak.org/securing-apps/vue is a complete walk-through), or even https://www.npmjs.com/package/vue-oidc-client as a more generic one. There's also https://github.com/openid/AppAuth-JS

I'm not fluent enough in Vue, but I can do the tests for you on a dedicated branch if you like :+1:

eldiaboloz commented 2 years ago

Not exactly what you want, but if you put the service behind oauth2-proxy and then disable auth in uptime-kuma, you can integrate with keycloak and all other oauth2 providers that oauth2-proxy supports. This will become a problem if there is support for more than one user in the future, but for now works great.

olivierlambert commented 2 years ago

Thanks! That's interesting but I'd like to have the status page public, and be able to login for the dashboard (as now, but with Oauth).

Is that doable with oauth2-proxy?

eldiaboloz commented 2 years ago

Yes it is possible - the authentication is done in Keycloak only. You only need to set which group from Keycloak has access:

OAUTH2_PROXY_KEYCLOAK_GROUPS=/some-group

For the public status page you need to allow some URLs:

OAUTH2_PROXY_SKIP_AUTH_REGEX=(/status|/assets/.*|/icon.svg)

Here is more documentation on using the keycloak provider in oauth2-proxy. There is a little difference if you use env variables (via docker) or a cfg file.

jack1902 commented 2 years ago

another alternative would be to use something like https://github.com/pomerium/pomerium (there are a few but this is one i have used in the past)

olivierlambert commented 2 years ago

FYI @eldiaboloz it works with this solution for now. Even if I'd like "real" OpenID integration, this is enough for my use case :+1:

oussjarrousse commented 1 year ago

I think adding SSO integration (OAuth or SAML) would make this app much more interesting for small businesses and small organisations, who already have a weak IT department and trouble managing credentials...

Maven35 commented 1 year ago

+1, I am looking for SSO integration, at least either OIDC or SAML, since I run Keycloak in my environment.

Daemonslayer2048 commented 1 year ago

If it matters at all, I also would find (basic) SAML or OIDC support useful

xgaia commented 1 year ago

I'm interested in OpenID support too, and I'm interested in implementing the functionality. @louislam, do you accept PRs for this?

maxulm commented 1 year ago

> FYI @eldiaboloz it works with this solution for now. Even if I'd like "real" OpenID integration, this is enough for my use case 👍

could you please post the relevant part of your docker-compose-file? I always get a 404 of the oauth2-proxy.

olivierlambert commented 1 year ago

I'm not using Docker at all.

maxulm commented 1 year ago

> I'm not using Docker at all.

Thanks! Maybe @eldiaboloz has a hint?

eldiaboloz commented 1 year ago

@maxulm Here is my working example with cleaned up "secrets" and my domain name.

I think I ended up using cfg instead of .env because skip_auth_routes needs to be an array and the regex was getting too complex to read.
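For readers hitting the 404 mentioned above, here is an oauth2-proxy config file in the shape eldiaboloz describes. This is an added example, not eldiaboloz's own file (which is not reproduced on this page). It uses the `keycloak-oidc` provider with `allowed_groups` rather than the older `keycloak` provider's `KEYCLOAK_GROUPS` setting shown earlier; the hostnames, realm, client, group and secret values are placeholders, and the skip rules are the three paths named earlier in the thread, anchored with `^` because oauth2-proxy matches these as unanchored Go regexes (a bare `/status` would also match `/api/status-x`).

```toml
# Added example: oauth2-proxy in front of Uptime Kuma with Keycloak as the IdP.
# Placeholders: sso.example.test, status.example.test, the realm, client,
# group path and secrets. Keycloak's issuer URL is /realms/<realm> on recent
# versions and /auth/realms/<realm> on older ones (assumption: recent).
provider = "keycloak-oidc"
oidc_issuer_url = "https://sso.example.test/realms/main"
client_id = "uptime-kuma"
client_secret = "REPLACE_WITH_CLIENT_SECRET"
redirect_url = "https://status.example.test/oauth2/callback"

http_address = "0.0.0.0:4180"
# The Uptime Kuma container, with its own auth disabled. It must not be
# reachable on any other path than through this proxy.
upstreams = ["http://uptime-kuma:3001"]

cookie_secret = "REPLACE_WITH_32_RANDOM_BYTES_BASE64"
cookie_secure = true
email_domains = ["example.test"]   # or ["*"] to rely on groups alone
allowed_groups = ["/some-group"]   # Keycloak group path, read from the groups claim
skip_provider_button = true

# Served without a session. Array form, one regex per entry, anchored so that
# "^/status" cannot accidentally expose other paths containing "status".
skip_auth_routes = [
  "^/status",
  "^/assets/",
  "^/icon.svg",
]
```

Two things to check when adapting this: the Keycloak client must list the `redirect_url` above among its valid redirect URIs, and it needs a group-membership mapper that emits the full group path in the `groups` claim, otherwise `allowed_groups` never matches and every login is rejected. If the status page still breaks, look at the browser's network tab for any further path it fetches and add it to `skip_auth_routes` rather than widening the existing patterns.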

maxulm commented 1 year ago

> @maxulm Here is my working example with cleaned up "secrets" and my domain name.
>
> I think I ended up using cfg instead of .env because skip_auth_routes needs to be an array and the regex was getting too complex to read.

Thanks a lot!

marekful commented 1 year ago

Hey @louislam how you going,

How would you receive a PR adding a basic OIDC login mechanism? (Similar to this one.)

Just a minimal integration whereby following a successful authentication with an Identity Provider, Uptime Kuma would check if there is an existing user in its system with a username matching the one extracted from the ID token issued by the IdP and log the user in to that account. This could be done using openid-client in under 500 lines of code in a day or two.

FYI @olivierlambert

Lanhild commented 1 year ago

Uptime Kuma being a really great FOSS status service watcher (emphasizing on the "FOSS" as most status page providers make you pay ridiculous fees for the service it is), OIDC support would be greatly appreciated

cwchristerw commented 1 year ago

Related to #21 #2280

CommanderStorm commented 1 year ago

Related to #2280

Not related to #2280, but an offshoot of https://github.com/louislam/uptime-kuma/issues/128: Said issue being the one which goes into detail what systems need to be changed how to allow multiple users. PRs doing part of the work are appreciated.

The change suggested by @marekful seems quite daunting and really hard to implement and review. Any PR in this field has to be:

CrimsonFez commented 11 months ago

A simple implementation with oidc-client-ts could achieve the same result as using oauth2-proxy. I don't think user management would have to be a thing, just check if the user has a configured group or role. All user management happens in the OIDC provider.

VladoPortos commented 11 months ago

Yeah, the implementation of OIDC would be a huge bonus for this app. Like many others, we run Keycloak to access everything and I would be super happy if we got just verification: yes, this user is in this group, he can log in. It does not have to support full user management in the app. And a logout button that works (people tend to forget it :D).

sniff122 commented 11 months ago

Been thinking about deploying this at work to provide some monitoring of services for our developers, and having OAuth2 would be SO much easier to handle. Something like an allowed-domains setting too, so we can restrict which email domains can log in.

PurseChicken commented 3 months ago

+1000