openziti / ziti-console

https://openziti.io
Apache License 2.0

explore OIDC authentication #149

Open dovholuknf opened 1 year ago

dovholuknf commented 1 year ago

OIDC authentication might be useful for the ziti console to have. Explore and either implement or close this issue with a reason 'why' OIDC auth doesn't work for ZAC.

JeremyTellier commented 1 year ago

ZAC Authenticates with the controller only, does the controller have an OIDC implementation?

j007bond007 commented 4 months ago

Hi, I'm trying to understand how OpenZiti works and one of my requirements for my homelab is to have Authentik (Idp) be used to authenticate users trying to access services on my network. Is this feature request to add that ability in via OIDC/OAUTH (which Authentik supports) or something else? I see mentions about JWK signers and stuff but I don't fully understand what I can do with this.

thiagosestini commented 4 months ago

This topic here is about OIDC for the admin panel. If you want OIDC for user auth you might wanna look at BrowZer.

dovholuknf commented 4 months ago

@thiagosestini's recommendation is probably a good one, in order to use authentik for authentication to the service itself but OpenZiti doesn't control authentication to applications. It's the secure conduit to authenticate and authorize network access TO those applications. With OpenZiti you need to be authenticated to be on the overlay network, and identities need to be authorized to even connect to a target application. Once connected, that target application will often have credentials of its own that need to be provided (in this case, via authentik).

It sounds to me like what you want is to set up Authentik as a server in your homelab and then configure your self-hosted services to use Authentik for authentication. I don't think it's relevant to this particular GitHub issue though. :)

It's actually an interesting idea. Would you mind starting a discussion on our discussion forum over at https://openziti.discourse.group/ ? You'll get more visibility into the conversation there as well. I like this idea, I might do a Ziti TV on this... (a livestream I do related to OpenZiti topics on Fridays)

j007bond007 commented 4 months ago

Hi All, apologies for misinterpreting this thread's purpose, I'll create a thread on your Discourse.

(For context: I do have Authentik doing auth for most of my internal and external facing apps, where possible - I meant the use of Authentik to login to Ziti as a user via a tunneler app. Either way thanks very much for responding!)