braginini
commented
3 years ago hi @gaby and thank you for the message. Could you please write us at hello@wiretrustee.com?
Closed gaby closed 2 years ago
braginini
commented
3 years ago hi @gaby and thank you for the message. Could you please write us at hello@wiretrustee.com?
braginini
commented
3 years ago hi @gaby and thank you for the message. Could you please write us at hello@wiretrustee.com?
lukasmrtvy
commented
3 years ago @braginini what about supporting generic oidc provider via https://github.com/dexidp/dex ? ( you can still use auth0 as idp provider via dex )
braginini
commented
3 years ago @gaby @lukasmrtvy We are discussing a couple of options in this ticket: https://github.com/wiretrustee/wiretrustee-dashboard/issues/9
gaby
commented
3 years ago @gaby @lukasmrtvy We are discussing a couple of options in this ticket: wiretrustee/wiretrustee-dashboard#9
That still won't solve such a basic problem. All we need is an Admin Account. Almost every application out there comes with an admin account, we shouldn't need to run/install another service just to be able to login.
jbenguira
commented
2 years ago @gaby @lukasmrtvy We are discussing a couple of options in this ticket: wiretrustee/wiretrustee-dashboard#9
That still won't solve such a basic problem. All we need is an Admin Account. Almost every application out there comes with an admin account, we shouldn't need to run/install another service just to be able to login.
I Agree, even basic auth would be enough ... but Auth0 ... forcing peoples to create an account with them is the opposit of self hosted spirit
Please don't take my comment too negatively, I love what you did here, it's just spoiled by the Auth0 dependency
pomazanbohdan
commented
2 years ago I would like to turn off the authorization page in the management console altogether
I can add basic authorization to reverse proxy https://doc.traefik.io/traefik/v2.0/middlewares/basicauth/
braginini
commented
2 years ago I might think of something with basic auth. But it won't be a straightforward implementation.
The thing is, that the Management API uses JWT tokens to authenticate requests coming from the management dashboard. There is quite some logic implemented around that.
mlsmaycon
commented
2 years ago Hey @pomazanbohdan @lukasmrtvy @gaby @jbenguira, thanks for your feedback.
We are looking at the alternatives you provided here, and one requirement we have to move forward is that the solution supports the Dashboard which is a Single Page Application, without the need to work on having a session cache somewhere in our Management layer.
This is important as it would allow us to build a project that is scalable and stateless, needing the least amount of services to be deployed.
With that in mind, we are looking at Ory Hydra and Ory Kratos as possible options for archiving the requirements above. Any thoughts on that?
FlurryNight
commented
2 years ago Hi, @mlsmaycon
Okay, thank you guys , awesome project
Liked Ory Kratos, didn't know about it
Seems a good approach
Best regards
jbenguira
commented
2 years ago With that in mind, we are looking at Ory Hydra and Ory Kratos as possible options for archiving the requirements above. Any thoughts on that?
@mlsmaycon, Ory Hydra seems like embeding millions of lines of code in your software, what's wrong with 10 lines of code to handle just a simple basic auth without ANY dependencies?
I do understand that it's nice to be able handle complex use cases ... but please also take into account very simple use cases. probably for MAJORITY of users a simple basic auth system is more than enough to access the management dashboard ... no need to bring millions of lines of code and dependencies (that will inevitability break at some point)
Really I have ZERO interest in sharing the management dashboard access with more than 1 people (the admin)
My 2 cents :p
FlurryNight
commented
2 years ago @jbenguira @mlsmaycon
BASIC AUTH support would be nice if we wanted to make custom dashboards or api's
mlsmaycon
commented
2 years ago Thank you @jbenguira and @ZR3SYSTEMS for your feedback.
Regarding adding basic auth support, in our vision for the project we are not considering that an option for us, as it would bring other concerns that we currently don't have by delegating this function to third-party software.
The implementation take we want for this Ory support or any other IDP provider is not to import the whole services into Wiretrustee, but only to support their authentication flow with Wiretrustee management. As output, we would update our getting started docker-compose file and possibly work with them to simplify the bootstrap of Ory Hydra and Ory Kratos.
FlurryNight
commented
2 years ago Thank you @jbenguira and @ZR3SYSTEMS for your feedback.
Regarding adding basic auth support, in our vision for the project we are not considering that an option for us, as it would bring other concerns that we currently don't have by delegating this function to third-party software.
The implementation take we want for this Ory support or any other IDP provider is not to import the whole services into Wiretrustee, but only to support their authentication flow with Wiretrustee management. As output, we would update our getting started docker-compose file and possibly work with them to simplify the bootstrap of Ory Hydra and Ory Kratos.
Hi, thanks for your response,
Agree ,i didn't agree on basic auth too, just said it would be nice to be able to choose that as an authentication method.
As i said in https://github.com/wiretrustee/wiretrustee/issues/126#issuecomment-1014890989_
I'm with you guys on the ory approach
Keep me posted
Best regards
cg31
commented
2 years ago I wonder if it is possible to not use authorization at all for personal usage case.
In such case, any machine on wireguard is authorized by wg. Then it works just like Nebula.
FlurryNight
commented
2 years ago I wonder if it is possible to not use authorization at all for personal usage case.
In such case, any machine on wireguard is authorized by wg. Then it works just like Nebula.
Uhh, i dont recommend that!
damajor
commented
2 years ago Did you also check Super Tokens (cloud & self-hosted) ?
LostSoulfly
commented
2 years ago It does seem odd to require a 3rd party service just to log into the system. Naturally it's their project and they can do what they want with it, but it's strangely concerning they aren't even considering the option to allow people the choice of no auth, basic auth, or auth0 or some other system.
I have only one user, me, so only one account would be needed. I do not want to rely on a 3rd party service (and it's irrelevant how reliable/big they are). I would also be completely fine setting up basic auth on my reverse proxy if no authentication was an option.
mlsmaycon
commented
2 years ago done as https://github.com/netbirdio/dashboard/pull/60, documentation can be found at https://netbird.io/docs/integrations/identity-providers/self-hosted/using-netbird-with-keycloak
gaby
commented
1 year ago @mlsmaycon Thanks for the update, I didnt realize the name of the project was change. I have to say, setting up and running Keyclock add another layer of complexity. Have there been any other simple approaches considered?
In my case we already have on-prem LDAP (Mostly for user mgmt/server access), so having to add Keyclock complicates things. Auth0 was a no-go since it requires internet connection.
I tried running the self-hosting tutorial, but it fails even when setting the domain as "localhost".
braginini
commented
1 year ago Hey @gaby What LDAP solution do you use?
gaby
commented
1 year ago @braginini I'm using FreeIPA.
Are there any plans to add basic support for running WireTrustee without Auth0? We are trying to find a solution for running a managed WireGuard Mesh in an airgap network, and having a requirement for Auth0 wouldn't work.
I think it would be very beneficial if WireTrustee had support for basic auth, even if it's just an Admin Account.