Closed gaby closed 2 years ago
hi @gaby and thank you for the message. Could you please write us at hello@wiretrustee.com?
@braginini what about supporting generic oidc provider via https://github.com/dexidp/dex ? ( you can still use auth0 as idp provider via dex )
@gaby @lukasmrtvy We are discussing a couple of options in this ticket: https://github.com/wiretrustee/wiretrustee-dashboard/issues/9
That still won't solve such a basic problem. All we need is an Admin Account. Almost every application out there comes with an admin account, we shouldn't need to run/install another service just to be able to login.
I agree, even basic auth would be enough ... but Auth0 ... forcing people to create an account with them is the opposite of the self-hosted spirit
Please don't take my comment too negatively, I love what you did here, it's just spoiled by the Auth0 dependency
I would like to turn off the authorization page in the management console altogether
I can add basic authorization to reverse proxy https://doc.traefik.io/traefik/v2.0/middlewares/basicauth/
I might think of something with basic auth. But it won't be a straightforward implementation.
The thing is, that the Management API uses JWT tokens to authenticate requests coming from the management dashboard. There is quite some logic implemented around that.
Hey @pomazanbohdan @lukasmrtvy @gaby @jbenguira, thanks for your feedback.
We are looking at the alternatives you provided here, and one requirement we have to move forward is that the solution supports the Dashboard which is a Single Page Application, without the need to work on having a session cache somewhere in our Management layer.
This is important as it would allow us to build a project that is scalable and stateless, needing the least amount of services to be deployed.
With that in mind, we are looking at Ory Hydra and Ory Kratos as possible options for achieving the requirements above. Any thoughts on that?
Hi, @mlsmaycon
Okay, thank you guys, awesome project
Liked Ory Kratos, didn't know about it
Seems a good approach
Best regards
With that in mind, we are looking at Ory Hydra and Ory Kratos as possible options for achieving the requirements above. Any thoughts on that?
@mlsmaycon, Ory Hydra seems like embedding millions of lines of code in your software, what's wrong with 10 lines of code to handle just a simple basic auth without ANY dependencies?
I do understand that it's nice to be able to handle complex use cases ... but please also take into account very simple use cases. Probably for the MAJORITY of users a simple basic auth system is more than enough to access the management dashboard ... no need to bring millions of lines of code and dependencies (that will inevitably break at some point)
Really I have ZERO interest in sharing the management dashboard access with more than 1 person (the admin)
My 2 cents :p
@jbenguira @mlsmaycon
BASIC AUTH support would be nice if we wanted to make custom dashboards or APIs
Thank you @jbenguira and @ZR3SYSTEMS for your feedback.
Regarding adding basic auth support, in our vision for the project we are not considering that an option for us, as it would bring other concerns that we currently don't have by delegating this function to third-party software.
The implementation take we want for this Ory support or any other IDP provider is not to import the whole services into Wiretrustee, but only to support their authentication flow with Wiretrustee management. As output, we would update our getting started docker-compose file and possibly work with them to simplify the bootstrap of Ory Hydra and Ory Kratos.
Hi, thanks for your response,
Agree, I didn't agree on basic auth too, just said it would be nice to be able to choose that as an authentication method.
As I said in https://github.com/wiretrustee/wiretrustee/issues/126#issuecomment-1014890989
I'm with you guys on the ory approach
Keep me posted
Best regards
I wonder if it is possible to not use authorization at all for personal usage case.
In such case, any machine on wireguard is authorized by wg. Then it works just like Nebula.
Uhh, I don't recommend that!
Did you also check Super Tokens (cloud & self-hosted) ?
It does seem odd to require a 3rd party service just to log into the system. Naturally it's their project and they can do what they want with it, but it's strangely concerning they aren't even considering the option to allow people the choice of no auth, basic auth, or auth0 or some other system.
I have only one user, me, so only one account would be needed. I do not want to rely on a 3rd party service (and it's irrelevant how reliable/big they are). I would also be completely fine setting up basic auth on my reverse proxy if no authentication was an option.
done as https://github.com/netbirdio/dashboard/pull/60, documentation can be found at https://netbird.io/docs/integrations/identity-providers/self-hosted/using-netbird-with-keycloak
@mlsmaycon Thanks for the update, I didn't realize the name of the project was changed. I have to say, setting up and running Keycloak adds another layer of complexity. Have there been any other simple approaches considered?
In my case we already have on-prem LDAP (mostly for user mgmt/server access), so having to add Keycloak complicates things. Auth0 was a no-go since it requires an internet connection.
I tried running the self-hosting tutorial, but it fails even when setting the domain as "localhost".
Hey @gaby What LDAP solution do you use?
@braginini I'm using FreeIPA.
Are there any plans to add basic support for running WireTrustee without Auth0? We are trying to find a solution for running a managed WireGuard Mesh in an airgap network, and having a requirement for Auth0 wouldn't work.
I think it would be very beneficial if WireTrustee had support for basic auth, even if it's just an Admin Account.