netbirdio / netbird

Connect your devices into a secure WireGuard®-based overlay network with SSO, MFA and granular access controls.
https://netbird.io
BSD 3-Clause "New" or "Revised" License
11.3k stars 518 forks source link

Support for running NetBird without Auth0 #126

Closed gaby closed 2 years ago

gaby commented 3 years ago

Are there any plans to add basic support for running WireTrustee without Auth0? We are trying to find a solution for running a managed WireGuard Mesh in an airgap network, and having a requirement for Auth0 wouldn't work.

I think it would be very beneficial if WireTrustee had support for basic auth, even if it's just an Admin Account.

braginini commented 3 years ago

hi @gaby and thank you for the message. Could you please write us at hello@wiretrustee.com?

braginini commented 3 years ago

hi @gaby and thank you for the message. Could you please write us at hello@wiretrustee.com?

lukasmrtvy commented 3 years ago

@braginini what about supporting generic oidc provider via https://github.com/dexidp/dex ? ( you can still use auth0 as idp provider via dex )

braginini commented 3 years ago

@gaby @lukasmrtvy We are discussing a couple of options in this ticket: https://github.com/wiretrustee/wiretrustee-dashboard/issues/9

gaby commented 3 years ago

@gaby @lukasmrtvy We are discussing a couple of options in this ticket: wiretrustee/wiretrustee-dashboard#9

That still won't solve such a basic problem. All we need is an Admin Account. Almost every application out there comes with an admin account, we shouldn't need to run/install another service just to be able to login.

jbenguira commented 3 years ago

@gaby @lukasmrtvy We are discussing a couple of options in this ticket: wiretrustee/wiretrustee-dashboard#9

That still won't solve such a basic problem. All we need is an Admin Account. Almost every application out there comes with an admin account, we shouldn't need to run/install another service just to be able to login.

I Agree, even basic auth would be enough ... but Auth0 ... forcing peoples to create an account with them is the opposit of self hosted spirit

Please don't take my comment too negatively, I love what you did here, it's just spoiled by the Auth0 dependency

pomazanbohdan commented 3 years ago

I would like to turn off the authorization page in the management console altogether

I can add basic authorization to reverse proxy https://doc.traefik.io/traefik/v2.0/middlewares/basicauth/

braginini commented 3 years ago

I might think of something with basic auth. But it won't be a straightforward implementation.

The thing is, that the Management API uses JWT tokens to authenticate requests coming from the management dashboard. There is quite some logic implemented around that.

mlsmaycon commented 2 years ago

Hey @pomazanbohdan @lukasmrtvy @gaby @jbenguira, thanks for your feedback.

We are looking at the alternatives you provided here, and one requirement we have to move forward is that the solution supports the Dashboard which is a Single Page Application, without the need to work on having a session cache somewhere in our Management layer.

This is important as it would allow us to build a project that is scalable and stateless, needing the least amount of services to be deployed.

With that in mind, we are looking at Ory Hydra and Ory Kratos as possible options for archiving the requirements above. Any thoughts on that?

FlurryNight commented 2 years ago

Hi, @mlsmaycon

Okay, thank you guys , awesome project

Liked Ory Kratos, didn't know about it

Seems a good approach

Best regards

jbenguira commented 2 years ago

With that in mind, we are looking at Ory Hydra and Ory Kratos as possible options for archiving the requirements above. Any thoughts on that?

@mlsmaycon, Ory Hydra seems like embeding millions of lines of code in your software, what's wrong with 10 lines of code to handle just a simple basic auth without ANY dependencies?

I do understand that it's nice to be able handle complex use cases ... but please also take into account very simple use cases. probably for MAJORITY of users a simple basic auth system is more than enough to access the management dashboard ... no need to bring millions of lines of code and dependencies (that will inevitability break at some point)

Really I have ZERO interest in sharing the management dashboard access with more than 1 people (the admin)

My 2 cents :p

FlurryNight commented 2 years ago

@jbenguira @mlsmaycon

BASIC AUTH support would be nice if we wanted to make custom dashboards or api's

mlsmaycon commented 2 years ago

Thank you @jbenguira and @ZR3SYSTEMS for your feedback.

Regarding adding basic auth support, in our vision for the project we are not considering that an option for us, as it would bring other concerns that we currently don't have by delegating this function to third-party software.

The implementation take we want for this Ory support or any other IDP provider is not to import the whole services into Wiretrustee, but only to support their authentication flow with Wiretrustee management. As output, we would update our getting started docker-compose file and possibly work with them to simplify the bootstrap of Ory Hydra and Ory Kratos.

FlurryNight commented 2 years ago

Thank you @jbenguira and @ZR3SYSTEMS for your feedback.

Regarding adding basic auth support, in our vision for the project we are not considering that an option for us, as it would bring other concerns that we currently don't have by delegating this function to third-party software.

The implementation take we want for this Ory support or any other IDP provider is not to import the whole services into Wiretrustee, but only to support their authentication flow with Wiretrustee management. As output, we would update our getting started docker-compose file and possibly work with them to simplify the bootstrap of Ory Hydra and Ory Kratos.

Hi, thanks for your response,

Agree ,i didn't agree on basic auth too, just said it would be nice to be able to choose that as an authentication method.

As i said in https://github.com/wiretrustee/wiretrustee/issues/126#issuecomment-1014890989_

I'm with you guys on the ory approach

Keep me posted

Best regards

cg31 commented 2 years ago

I wonder if it is possible to not use authorization at all for personal usage case.

In such case, any machine on wireguard is authorized by wg. Then it works just like Nebula.

FlurryNight commented 2 years ago

I wonder if it is possible to not use authorization at all for personal usage case.

In such case, any machine on wireguard is authorized by wg. Then it works just like Nebula.

Uhh, i dont recommend that!

damajor commented 2 years ago

Did you also check Super Tokens (cloud & self-hosted) ?

LostSoulfly commented 2 years ago

It does seem odd to require a 3rd party service just to log into the system. Naturally it's their project and they can do what they want with it, but it's strangely concerning they aren't even considering the option to allow people the choice of no auth, basic auth, or auth0 or some other system.

I have only one user, me, so only one account would be needed. I do not want to rely on a 3rd party service (and it's irrelevant how reliable/big they are). I would also be completely fine setting up basic auth on my reverse proxy if no authentication was an option.

mlsmaycon commented 2 years ago

done as https://github.com/netbirdio/dashboard/pull/60, documentation can be found at https://netbird.io/docs/integrations/identity-providers/self-hosted/using-netbird-with-keycloak

gaby commented 2 years ago

@mlsmaycon Thanks for the update, I didnt realize the name of the project was change. I have to say, setting up and running Keyclock add another layer of complexity. Have there been any other simple approaches considered?

In my case we already have on-prem LDAP (Mostly for user mgmt/server access), so having to add Keyclock complicates things. Auth0 was a no-go since it requires internet connection.

I tried running the self-hosting tutorial, but it fails even when setting the domain as "localhost".

braginini commented 2 years ago

Hey @gaby What LDAP solution do you use?

gaby commented 2 years ago

@braginini I'm using FreeIPA.

https://www.freeipa.org