outline / outline

The fastest knowledge base for growing teams. Beautiful, realtime collaborative, feature packed, and markdown compatible.
https://www.getoutline.com

Local Authentication #1881

Open iojanis opened 3 years ago

iojanis commented 3 years ago

I don't like the fact that you need a Google or Slack account. I'm sure you'll scare off a lot of people with that. Have a lot of interest in this app, but would never think of hosting something myself, but still have the users go through another service.

Limezy commented 2 years ago

Do you really have a problem with the fact that the main owner of this open source project, working full time on it, is trying to make money? It seems quite obvious that a few things are meant to encourage the use of the SaaS version rather than self-hosting the software... Outline was primarily designed for companies. Do you know a lot of companies using local authentication?... I'm not even talking about the time spent by @tommoor to help self-hosted users (just have a look at the GitHub discussions and you'll see)

There are a few tutorials or scripts available on the web that allow a quick and complete deployment of Outline, using software such as Dex or Keycloak to manage users, so I would suggest you have a look. Finally, the auth mechanism is made using the passport.js library, so please feel free to contribute and add new authentication methods, if you find the existing ones "silly"!

almereyda commented 2 years ago

There are also https://goauthentik.io/ and https://www.pomerium.com/ which can be leveraged to authenticate access to Outline.


Let's bear in mind, that this source code is provided as is, without any warranties or conditions attached.

https://github.com/outline/outline/blob/da87fd422d3e6cfa8da1caed543538449890ea80/LICENSE#L75

Another way to describe the situation around this feature request from my personal point of view, is to consider the following: If it is not convenient or possible for one to set up an authentication service, one may not be part of a fitting target group for this open sourced software release.

While we find the issue remains open, and has not been closed by the maintainers. Which gives us a clue about the conditions of possibility for such a feature ... it may just take time, when other features and functionalities are prioritised onwards the path to v1.0.

badihi commented 2 years ago

@Limezy OK, I admit that I was angry at the time and said something that was not so fair. I surely have no right to talk like that about people and they can do whatever they want with their products. But... let's face it. When I see things like this in open source projects, I feel tricked, and unfortunately these cases are so common nowadays. Projects grow using the friendly nature of open source and when you are sucked in, they try to monetize you for fundamental functionalities, while it is against their nice slogans. I can name a dozen of those projects. Not all of them are like that, of course. We're using Gitlab Ultimate in our workspace and I've never thought that I was tricked to buy it, because it sells real enterprise features in its Ultimate plan, not its core and obvious features.

Limezy commented 2 years ago

About local auth being a "fundamental functionality"

I'm sorry but I still don't get your point. Outline is a tool meant to be used by teams (= companies or organisations). Just read the Github headline :

> The fastest wiki and knowledge base for growing teams

Tom himself, if you search a little bit, has a known track record of building tools for companies.

So, is a local auth engine a "fundamental functionality" for a company-targeting product? I don't think so. The best proof for that is that local authentication is not even provided to paid SaaS users! No company would ever need that functionality. Even a small non-profit organisation would probably want to map their wiki userbase with something else such as a small LDAP server.

Microsoft, Google, OIDC and Slack auth are provided for free. Documentation is given for anybody who would like to build his own passport.js auth provider (I did it, it took me a few hours even though I'm not a dev and didn't know anything about typescript...)

What I would call a "fundamental functionality" abuse from Outline would be for instance to block the ability to share a page to internet, or a limitation to only one collection, etc...

About open source projects aggressively "stealing" their community from "fundamental functionalities"

You are right, this can happen and it's always sad even though sometimes understandable. The best way is probably to contribute, as the more a community is giving value to the project's commercial counterpart, the more "power" it has, even though it's not always that simple, I have to admit. It's always a tricky balance.

Let's be fair, for the moment Tom has built Outline mainly by himself... https://github.com/outline/outline/graphs/contributors If you remove jorilallo and the translating contributors, the Nb.4 contributor has produced ~10k lines of code, to be compared with Tom's ~360k lines. At rank Nb.7 you are already reaching what we could describe as "marginal contributors" (no offense obviously, I'm one of these, with only a few very tiny lines that were mostly co-authored by Tom, which probably spent more time teaching me typescript than he would have needed to produce what I have done...)

If there was a really strong community pushing a nice Local Authentication PR (which is again a functionality NOT needed by companies), or solving bugs, I would bet Tom would both accept these and be able to focus more on developing real core features such as comments that everybody has been waiting for long.

In a nutshell, I truly believe you are being a bit unfair with this project, which IMHO is a pretty nice gift to the open source community, given how little it is currently contributing to it.

almereyda commented 2 years ago

Can we limit the conversation in this issue to technical aspects of implementing local authentication, and escalate the discussion about authentication policy into a separate discussion? I'd feel we'd all gain serenity from that, and can improve on the open questions in both directions collectively.

clibequilibrium commented 1 year ago

I created a simple oidc server oidc-server to support authentication, and used in my self-host project outline-docker-compose.

This worked like a charm. Thanks!

jongomes commented 1 year ago

There is no provision for local authentication? magic link is not cool.

routerino commented 1 year ago

I believe it's less about whether people want it and more about whether the effort to implement it outweighs the appetite of the developer(s) to have it. I would suggest the appetite is extremely low given that it adds no value to the paid service, would require significant rewrites of the authentication stack, and self hosted options can be implemented fine now that OIDC is an option.

skrollme commented 1 year ago

Because I felt "challenged" that I cannot get to run this open source software because of a planned or intentional restriction, I looked around in the code. In the end I changed two lines of code in a single file, built a new base docker-image and a new app-image, booted it and was able to register with my personal, non-business googlemail-account. Everything seems to work so far.

The two lines I changed are containing a hardcoded fictional team-id and a hardcoded domain, now. So it is not a good approach, but I think this could be outsourced into the config to make it reusable. I will evaluate this and try to make a MR out of it

Limezy commented 1 year ago

Glad to see that you have made it work for your use case. However, I don't think that the lack of local authentication is "a planned or intentional restriction". This statement seems very unfair. As Tom has written it already somewhere, he prefers spending his time building new features rather than coding something that is out of the standard scope of use case for Outline. Outline is made for modern companies or organizations. Modern companies or organizations have a SSO. And if your SSO tech stack is not compatible with Outline's current shipped ones, there is even an explanation to be found here about how to build your own with the passport.js library.

skrollme commented 1 year ago

> However, I don't think that the lack of local authentication is "a planned or intentional restriction". This statement seems very unfair.

I agree, and my statement was not meant as harsh as it may read, @Limezy. I just wanted to say that the fact that a personal or single-user scenario isn't possible now is not an accident, but a conscious decision. So no criticism from my side here, just wanted to elaborate that the possibility of personal usage is not that far away. I also have thought about setting up a SSO for personal usage, but I just tried the other way at first.

And I know that I - as a single user - am not the target-audience for this collaborative tool, nevertheless I like to use it in such a scenario and I'm evaluating now, if this works for me. Because I'm still using Apple's native Notes app at the moment :D

slurdge commented 1 year ago

@skrollme would you mind sharing the two lines you changed ?

skrollme commented 1 year ago

The affected lines are: https://github.com/outline/outline/blob/504693c68d15cd574b08797373c9571671df2db6/server/routes/auth/providers/google.ts#L69-L70

I changed these lines to something like that (old code as comment):

```ts
const domain = 'sub.domain.tld'; // profile._json.hd;
const team = 'domain.tld'; // await getTeamFromContext(ctx);
```

If you want to run it via docker, you have to build the base- and the app-image (outlinewiki/outline) with the altered code ...

```
docker build -f Dockerfile.base -t outlinewiki/outline-base .
docker build -f Dockerfile -t outlinewiki/outline .
```

... and boot the setup with your custom image

nickk024 commented 1 year ago

I was told that this was fixed in the prerelease version (also the docker image) but the fact that you are still having issues has made me feel less crazy and happily validated!

onny commented 1 year ago

In case this could help someone running Outline locally, I made a wiki page for NixOS with a snippet with a complete local and native setup https://nixos.wiki/wiki/Outline

IgnisDa commented 1 year ago

Hey @onny can you tell me how to run this setup? I am not that familiar with nixos. I do have nix installed on my system.

onny commented 1 year ago

Unfortunately as far as I can tell you‘ll need NixOS to use this. The setup is just that you put the snippet from the Wiki into your system configuration file, run nixos-rebuild to apply and done :)

aresstokrat commented 1 year ago

I thought that I cannot login with my email is just a nasty bug...I couldn't believe it's absent

IgnisDa commented 1 year ago

I have been able to self host outline on dokku with lldap authentication working. It was a pretty complicated setup (at least for me). I can write up a blog post with instructions. I am pretty sure it can be adapted to non-dokku setups. Is anyone interested in this? Otherwise I do not want to waste time writing a blog post that no one wants to read.

monoxane commented 1 year ago

I gave up trying to self host this and now just use the Logseq desktop app for my documentation and notes. Obviously that doesn't work for a team and it really depends on what you originally wanted outline for, but for me it's pretty solid.

Limezy commented 1 year ago

> I thought that I cannot login with my email is just a nasty bug...I couldn't believe it's absent

@arrestokrat see above discussion for the rationale behind the non existence of local auth. You can always develop your own passport.js extension. You can also install outline on top of a Yunohost instance (disclaimer, I'm the maintainer of that package), which will provide you with a full working outline stack with local auth based on Yunohost LDAP + Dex and a working minIO in one click. https://GitHub.com/Yunohost-Apps/outline_ynh

vastamaki commented 1 year ago

So.. is the local authentication coming at some point or.. ? I'd love to use Outline but in case I need to rely on a third party, it's a no-go for me.. 😞

Dexy2811 commented 1 year ago

Outline looks like a really nice doc application but as someone who wants to selfhost and have a simple login with username and password behind a vpn then this isn't the solution for me sadly.

If it was implemented with local auth as well then this would be my go to and recommendation, as this also seems good for privacy when you have local auth. But this is all my opinion and if you feel this comment doesn't fit here then please do go ahead and delete it.

victorhooi commented 1 year ago

I don't mind using Google authentication - it's not fully locally hosted, but gives me enough to kick the tyres with. However, the restriction to only using Google Workspace accounts, and not standard Gmail accounts is a strange one. I assumed there's some technical limitations etc for it.

@skrollme Do you happen to know if this limitation is still in place? The path (link) you referenced to doesn't exist in the current code-base. I did a quick git blame, and I believe it was this PR that moved the paths, the new path in the current revision is here.

Is your earlier workaround (setting both domain and team to hardcoded strings) still the best way of testing things?

disgustipated commented 1 year ago

i gave up trying to figure out how to use the magic link only login on first setup with the docker container... cannot find any examples or documentation on what env var to set to make it magic link only. after spending the afternoon trying to get it configured i just went over and had a fresh bookstack running in 30 minutes

mon-jai commented 1 year ago

> In case this could help someone running Outline locally, I made a wiki page for NixOS with a snippet with a complete local and native setup nixos.wiki/wiki/Outline

@onny How does it work? It doesn't seem to contain the url of Outline's source code.

jrussellfreelance commented 1 year ago

There's also this project which replaces the auth with a localized, batteries-included OIDC server.

Currently I'm serving a selfhosted outline with a fully localized login, in that sense.

https://github.com/vicalloy/outline-docker-compose

johncmunson commented 11 months ago

Pretty frustrating that @tommoor seems to be so lukewarm towards catering to the self-hosted portion of this community. I get it, he wants to provide incentives to use the cloud offering so he can make money. 100% agree that there's nothing wrong with that. But there's so many other ways he could be incentivizing people. As it stands, by refusing to implement or accept contributions from the community on the following two items, he is simply making it painful for a lot of us. Or, he's just scaring us off.

magixus commented 9 months ago

All, I just figured out what's missing. This whole thing may be because the docs are separated, or a misleading process in order to get people to pay for support, I don't know ... but here is what I've done so far.

In my case, I'm running outline with docker-compose and I've added all required ENV to docker.env as follows

1. Prepare docker.env file


```
NODE_ENV=production

# Generate with: openssl rand -hex 32 (run it twice, one value for each of the two below)
SECRET_KEY=626e015c147df8fe065d194cbc9.....
UTILS_SECRET=17663fb4e9690cbff08bba3c9....
DATABASE_URL=postgres://admin:xxxx@outline_postgres:5432/outline
DATABASE_URL_TEST=postgres://admin:xxxxx@outline_postgres:5432/outline-test
PGSSLMODE=disable
DATABASE_CONNECTION_POOL_MIN=
DATABASE_CONNECTION_POOL_MAX=
REDIS_URL=redis://outline_redis:6379
# Use your real URL here (I am just hiding mine)
URL=https://docs.mydomain.com
PORT=3000
COLLABORATION_URL=
AWS_ACCESS_KEY_ID=
AWS_SECRET_ACCESS_KEY=
AWS_REGION=
AWS_S3_ACCELERATE_URL=
AWS_S3_UPLOAD_BUCKET_URL=http://outline_minio:29000
AWS_S3_UPLOAD_BUCKET_NAME=outline
AWS_S3_FORCE_PATH_STYLE=true
AWS_S3_ACL=private
FILE_STORAGE=local
FILE_STORAGE_LOCAL_ROOT_DIR=/var/lib/outline/data
FILE_STORAGE_UPLOAD_MAX_SIZE=26214400
# There is no need to add the two lines below; you can remove them.
#GOOGLE_CLIENT_ID=
#GOOGLE_CLIENT_SECRET=
FORCE_HTTPS=false
ENABLE_UPDATES=true
WEB_CONCURRENCY=1
MAXIMUM_IMPORT_SIZE=5120000
DEBUG=emails
LOG_LEVEL=debug
SMTP_NAME=mydomain.com
SMTP_HOST=mail.mydomain.com
SMTP_PORT=587
SMTP_USERNAME=docs@mydomain.com
SMTP_PASSWORD=xxxxxxxxx
SMTP_FROM_EMAIL=docs@mydomain.com
SMTP_REPLY_EMAIL=docs@mydomain.com
# To find the cipher, run: openssl s_client -starttls smtp -connect mail.mydomain.com:587
SMTP_TLS_CIPHERS=TLS_AES_256_GCM_SHA384
SMTP_SECURE=false
DEFAULT_LANGUAGE=en_US
RATE_LIMITER_ENABLED=true
RATE_LIMITER_REQUESTS=1000
RATE_LIMITER_DURATION_WINDOW=60
```

2. Get your docker-compose.yml ready

```yaml
version: "3.2"
services:

  outline:
    container_name: outline_frontend
    image: outlinewiki/outline
    env_file: ./docker.env
    ports:
      - 127.0.0.1:23000:3000
    volumes:
      - ./storage-data:/var/lib/outline/data
    depends_on:
      - postgres
      - redis
    networks:
      - outline_net

  redis:
    container_name: outline_redis
    image: redis
    env_file: ./docker.env
    ports:
      - 127.0.0.1:26379:6379
    volumes:
      - ./redis.conf:/redis.conf
    command: [ "redis-server", "/redis.conf" ]
    healthcheck:
      test: [ "CMD", "redis-cli", "ping" ]
      interval: 10s
      timeout: 30s
      retries: 3
    networks:
      - outline_net

  postgres:
    container_name: outline_postgres
    image: postgres
    env_file: ./docker.env
    ports:
      - 127.0.0.1:25432:5432
    volumes:
      - ./database-data:/var/lib/postgresql/data
    healthcheck:
      test: [ "CMD", "pg_isready" ]
      interval: 30s
      timeout: 20s
      retries: 3
    environment:
      POSTGRES_USER: 'admin'
      POSTGRES_PASSWORD: 'xxxxxx'
      POSTGRES_DB: 'outline'
    networks:
      - outline_net

  minio:
    image: minio/minio
    container_name: outline_minio
    ports:
      - "127.0.0.1:29000:9000"
    # environment:
    #   MINIO_ACCESS_KEY: your_access_key
    #   MINIO_SECRET_KEY: your_secret_key
    volumes:
      - ./data:/data
    command: server /data

networks:
  outline_net:
```

3. Run and create your ADMIN user

checkout this

```
docker compose up -d && echo "waiting outline_frontend to bootup" && sleep 5
docker exec -it outline_frontend node build/server/scripts/seed.js anyemail@yourdomain.ltd
```

4. Authentication

You'll get something like: email ✅ Seed done – sign-in link: https://docs.mydomain.com/auth/email.callback?token=eyxxxxx....

Click it and you'll get in. (Don't forget your domains and webserver configs ... I'm using aapanel btw)

After that you'll be able to see only login with Email.... :-) [image]

Next time you can log in using your email and you'll get an email like this: [image]

If you want to add users you can just create them (or automate it in shell) via the above command.

```
docker exec -it outline_frontend node build/server/scripts/seed.js anyemail@yourdomain.ltd
```

Or go to https://docs.mydomain.com/settings/members and bulk invite with the right privileges... Enjoy
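
A pre-flight check for the docker.env from the comment above, written as an added example; it is not code from the thread or from the Outline project. It assumes that email sign-in needs working SMTP settings to deliver the link, checks only the provider keys that appear in that file (GOOGLE_*), and runs on constructed sample values.

```python
import re
from urllib.parse import urlsplit

# Shape of `openssl rand -hex 32` output: 32 random bytes as 64 hex characters.
HEX_64 = re.compile(r"[0-9a-fA-F]{64}")
# Values that look like documentation placeholders (assumed list, extend as needed).
PLACEHOLDER = re.compile(r"x{3,}|changeme|password|secret", re.IGNORECASE)
GENERATED_SECRETS = ("SECRET_KEY", "UTILS_SECRET")
CREDENTIALS = ("SMTP_PASSWORD",)
MAIL_KEYS = ("SMTP_HOST", "SMTP_PORT", "SMTP_FROM_EMAIL")


def parse_env(text):
    """Parse env_file lines: '#' lines are comments, the value is everything after the first '='."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            env[key.strip()] = value.strip()
    return env


def lint(env):
    """Return a list of (key, message) findings for settings that weaken or break sign-in."""
    findings = []

    # Both secrets must be full-length and generated separately.
    for key in GENERATED_SECRETS:
        if not HEX_64.fullmatch(env.get(key, "")):
            findings.append((key, "expected 64 hex characters from `openssl rand -hex 32`"))
    if env.get("SECRET_KEY") and env.get("SECRET_KEY") == env.get("UTILS_SECRET"):
        findings.append(("UTILS_SECRET", "reuses SECRET_KEY; generate a second value"))

    # A note typed after a value is not a comment; it ends up inside the value.
    for key, value in env.items():
        if re.search(r"\s", value):
            findings.append((key, "whitespace in value; trailing notes become part of it"))

    # Placeholder credentials copied from a tutorial.
    for key in CREDENTIALS:
        if PLACEHOLDER.fullmatch(env.get(key, "")):
            findings.append((key, "placeholder credential"))
    db_password = urlsplit(env.get("DATABASE_URL", "")).password
    if db_password is None or PLACEHOLDER.fullmatch(db_password):
        findings.append(("DATABASE_URL", "missing or placeholder database password"))

    # Assumption: with no SSO provider set, the emailed sign-in link is the only way in.
    has_sso = bool(env.get("GOOGLE_CLIENT_ID") and env.get("GOOGLE_CLIENT_SECRET"))
    missing_mail = [k for k in MAIL_KEYS if not env.get(k)]
    if not has_sso and missing_mail:
        findings.append(("SMTP", "email sign-in cannot deliver links, unset: " + ", ".join(missing_mail)))
    return findings


# Constructed sample with the mistakes the checks look for (not a real deployment).
SAMPLE_BAD = """\
SECRET_KEY=626e015c
UTILS_SECRET=626e015c
DATABASE_URL=postgres://admin:xxxx@outline_postgres:5432/outline
URL=https://docs.example.test (real one hidden)
#GOOGLE_CLIENT_ID=
SMTP_HOST=mail.example.test
SMTP_PORT=587
SMTP_PASSWORD=xxxxxxxxx
SMTP_FROM_EMAIL=
"""

# Constructed sample that passes; the hex strings are fixed patterns, not random keys.
SAMPLE_GOOD = "\n".join([
    "SECRET_KEY=" + "0a" * 32,
    "UTILS_SECRET=" + "1b" * 32,
    "DATABASE_URL=postgres://admin:constructed-db-pass@outline_postgres:5432/outline",
    "URL=https://docs.example.test",
    "SMTP_HOST=mail.example.test",
    "SMTP_PORT=587",
    "SMTP_PASSWORD=constructed-smtp-pass",
    "SMTP_FROM_EMAIL=docs@example.test",
])

if __name__ == "__main__":
    for key, message in lint(parse_env(SAMPLE_BAD)):
        print(f"{key}: {message}")
```
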

troplin commented 8 months ago

I‘m also self-hosting and I‘m happy with the current state of authentication. Using an established authentication solution instead of a home-grown one increases security and frees up developer time to work on actual features.

Running your own OIDC/OAuth2 server is not that difficult and there are many alternatives to choose from: https://docs.google.com/spreadsheets/d/16Ya5KsmEpczTmoTk5J-1e2MOyuUqXIiPuj7rPfPrHAI/htmlview

Personally I‘m using „Synology SSO Server“ just because it‘s already integrated with the user management of my NAS. You only have to set it up once and then you can use it for pretty much anything you host (that supports OIDC) which is super convenient. You also get advanced features like 2FA basically for free.

disgustipated commented 8 months ago

> I‘m also self-hosting and I‘m happy with the current state of authentication. Using an established authentication solution instead of a home-grown one increases security and frees up developer time to work on actual features.
>
> Running your own OIDC/OAuth2 server is not that difficult and there are many alternatives to choose from: https://docs.google.com/spreadsheets/d/16Ya5KsmEpczTmoTk5J-1e2MOyuUqXIiPuj7rPfPrHAI/htmlview
>
> Personally I‘m using „Synology SSO Server“ just because it‘s already integrated with the user management of my NAS. You only have to set it up once and then you can use it for pretty much anything you host (that supports OIDC) which is super convenient. You also get advanced features like 2FA basically for free.

well thats nice. i started looking to set up outline but then gave up and went to bookstack when i found you had to set up a completely separate login method, and having to check my email every time i want to log into something local is hilarious. didnt even bother giving outline a try.

troplin commented 8 months ago

> i started looking to set up outline but then gave up and went to bookstack when i found you had to set up a completely separate login method, and having to check my email every time i want to log into something local is hilarious. didnt even bother giving outline a try.

I see it more as a documentation issue. I was struggling with the setup too and nearly gave up, but for different reasons: For me it was the setup of minio, which I later found out isn't even necessary anymore because there is now the option of local file storage. The application already has other similar external dependencies like postgres and redis, which doesn't seem to be a problem. I'm sure there is a way to also include a simple authentication server in the docker compose example.

Unfortunately, the current documentation is written in a way that assumes that you are already familiar with all those systems which makes it difficult to follow if you're not. Also it doesn't seem to be completely up to date with the latest development (c.f local file storage). But I also understand that I'm not the target audience and documentation for self-hosting is probably not the highest priority.

isc30 commented 8 months ago

This is a pain, I wanted to give Outline a try but the amount of complication to simply get something working for a single user is too much. Sad.

nsauter commented 8 months ago

> This is a pain, I wanted to give Outline a try but the amount of complication to simply get something working for a single user is too much. Sad.

Jup, I went through this too and I don't understand why there is such a high-level configuration which needs to get set up fully until you have a running instance. After all this was done I think outline is one of the best Open Source Tools out there. It's a shame that it's so complicated to set up.

hwcltjn commented 8 months ago

I cannot speak on behalf of the devs, and I get that deploying Outline isn't as easy as spinning up one docker container but based on its architecture, Outline was first and foremost built to scale-up so that it could be a viable, successful, commercial product that can sustain itself and its creators.

Just because it's open source doesn't mean it needs to be easy to use, or not have some (pretty low) "barriers" to entry in order to remain commercially viable.

This product is still incredible and free - as in $0! I'm sure you all know how difficult it is to keep some open source projects alive and well maintained.

So what if not having local auth perhaps encourages some to use the hosted version? I'm sure it could easily be implemented, but this issue has been open for 2 years and so many don't get it and still come here to complain.

See it instead as an opportunity to learn more about implementing your own self-hosted authentication (Keycloak, Authelia, Authentik), integrating with the many hosted options that are available (also for free!), or actually reading through some of the comments and realising that someone has done the work for you!

There's a reason this project has ~21k stars.

TL;DR stop complaining and use something like: https://github.com/vicalloy/outline-docker-compose

isc30 commented 8 months ago

> So what if not having local auth perhaps encourages some to use the hosted version?

Frustration isn't driving sales, it's getting people away from the project.

> TL;DR stop complaining and use something like: https://github.com/vicalloy/outline-docker-compose

Why not document something like this in the main documentation?

disgustipated commented 8 months ago

> Frustration isn't driving sales, it's getting people away from the project.

I agree with this. I was going to use outline for my work as well but went to bookstack because of no local login. I dont need the server to communicate with external pieces.

hwcltjn commented 8 months ago

> Frustration isn't driving sales, it's getting people away from the project.

21k stars says otherwise. There are plenty of other widely used self-hosted projects that don't have half this following.

> > TL;DR stop complaining and use something like: https://github.com/vicalloy/outline-docker-compose
>
> Why not document something like this in the main documentation?

Why should it be? It's a third party, independent project! You all have access to search engines, and the author took the time to share it with the community here.

> I agree with this. I was going to use outline for my work as well but went to bookstack because of no local login. I dont need the server to communicate with external pieces.

If that's more suitable for you, great! That's the whole point of having a choice.

nsauter commented 8 months ago

> > Frustration isn't driving sales, it's getting people away from the project.
>
> 21k stars says otherwise. There are plenty of other widely used self-hosted projects that don't have half this following.

Can u tell how many of the 21K Stars use this Project or maybe just starred it to follow up on the development? I wouldn't use this benchmark to prove your point.

> > > TL;DR stop complaining and use something like: https://github.com/vicalloy/outline-docker-compose
> >
> > Why not document something like this in the main documentation?
>
> Why should it be? It's a third party, independent project! You all have access to search engines, and the author took the time to share it with the community here.

> > I agree with this. I was going to use outline for my work as well but went to bookstack because of no local login. I dont need the server to communicate with external pieces.
>
> If that's more suitable for you, great! That's the whole point of having a choice.

Why are you even complaining about the complaints if you have nothing to do with the project or nothing really to say?

mxmilkiib commented 8 months ago

> Why should it be? It's a third party, independent project!

Altruism? The spirit of Free software? The example of other free/open source software projects? Free advertising and spreading product familiarity through co-operation? (e.g. the like of "Oh, I or my friend uses this personally and really likes it, I'll recommend to my friend/boss to use it")

I mean, the real question is; if someone creates a PR to add such to the docs, would it be accepted? Would an easy individual login PR be accepted?

almereyda commented 8 months ago

Outline is not free software in the literal sense.

The BSL in use dictates that the source code becomes free two years after release.

Maybe in this case, assuming you are accepting the license conditions and want to use it within the accepted restrictions, it is fair not to use the same evaluation criteria as, for example, when compared to GNU software?

@vicalloy is certainly a talented programmer, and deserves all the credit due. Yet as a third-party project, why should it be documented in the original documentation? It is sufficient for many already, but how can it be made more accessible to the rest? From that point of view Outline is not a classical self-hosting project as in "Fire up the LAMP!", but a more sophisticated mid-range, say collaboration-friendly, SME-oriented writing platform.

I think the answer to your questions lies in trying it out: (1) to refresh the documentation and to offer some paragraphs about how people have answered the authentication requirement, plus (2) to answer the question, why the total LoC should be amended with a section to support an additional secure and reliable (password reset, enabling/disabling) authentication mechanism, if a widely tested and supported option already exists?

Maybe it's like with the law: just because you are not aware about the option to deploy your own minimal identity provider (IdP), does not mean it does not exist/apply. It's a sufficient condition to running Outline, and there are plenty examples on how to achieve this. We have all the faith in the world that you are able to replicate them. Else:

And please note that other software such as gristlabs/grist-core, here FLOSS, also comes without local authentication, and relies completely on an IdP. This is the cloud-native, microservice era of application design, which somewhat reflects the UNIX philosophy of small tools that do one thing well in running web services.

From my perspective, I'm already happy that Outline doesn't depend on commercial services, like Firebase in pubpub https://github.com/pubpub/pubpub/discussions/1470, and that I can use it without limitation in our not-for-profit communities. In return I'm providing technical feedback and participation in the support community. For me it's a fair deal. It may not be for others.

nsauter commented 8 months ago

I don't like how this thread is all about thinking in black and white. I think everybody would be perfectly fine if the dev would say "I'm not doing this". Yes, it may be the new "cloud native" way and yes, it may be easier to maintain and it's perfectly fine if the dev decides not to implement basic LDAP or local auth. But also - since this is open source - it's perfectly fine to ask for such things and I guess you guys need to get over it and accept that some people want this and ask for it.

Limezy commented 8 months ago

The problem is that these people complaining are just coming in to cry on that thread. We don't see them coming on the discussions and helping others. We don't see them sponsoring the repo. We don't see them opening new issues and track bugs. We don't see them contributing to the various translation works... And I could continue the list.

Do they need a quick setup just to try outline ? Then they could use the free trial on the cloud version. Do they need a setup to self host ? Most of the self hosting community already has a kind of centralized SSO for their various "apps" and don't use or like having a local auth anyway. Do they lack the knowledge to do so ? There is a complete Debian tutorial written by a member here, there are a few docker based scripts that you could find around and a one click installation script on Yunohost maintained by myself. Yes, their request is legit but honestly I don't see the point.

Finally, if this was a real need there would already be a PR made by a nice guy who needs it and has the knowledge of doing it. Should that PR exist and be properly done I'm sure it would be merged. It's not as if the dev was refusing or closing an existing proposed code for local auth. And even if that was the case you could always use a fork of some kind (provided you respect the licence).

almereyda commented 8 months ago

Yes, if the desire expressed in this issue would not be respected by the project maintainers, it would already be rejected and closed.

jrussellfreelance commented 7 months ago

""Most of the self hosting community already has a kind of centralized SSO for their various "apps" and don't use or like having a local auth anyway. Do they lack the knowledge to do so""

@Limezy This is honestly a very lazy answer, and I suspect you know it. It's not accurate and not fair to the self-hosting community.

Limezy commented 7 months ago

I won't launch another useless anonymous debate but please think twice before qualifying as "lazy" and "unfair to the self hosting community" someone who has worked countless hours to create and maintain a one-click installation for Outline (through the Yunohost project) including a fully working local authentication (local = not dependent on external social networks since it goes through the Yunohost native user management)

jrussellfreelance commented 7 months ago

@Limezy I am in no way insulting any of that work. Thank you for your contributions. I am most thankful for a side project that integrates OIDC for a semi local auth feel: https://github.com/vicalloy/outline-docker-compose

I am only saying it in that tone due to the extreme generalizing statements you made about the community. Please poll or do your own research and supply that as a supporting argument if you plan to take such a strong tone and stance.

magixus commented 7 months ago

Have you seen my comment?? No need to install anything. It's working out of the box


Gr3q commented 7 months ago

My personal opinion as someone who was put off using outline partially because of this issue is that:

In my opinion you could resolve this issue for a portion of users if you have example docker-compose files (or some kind of more extensive documentation) with local SSO deployment examples for users who just want to try/deploy this without:

Those are the things that I'm against the most.

Take this with a grain of salt, my experience setting up outline is 2 months out of date at this point.

kxhubs commented 6 months ago

> I‘m also self-hosting and I‘m happy with the current state of authentication. Using an established authentication solution instead of a home-grown one increases security and frees up developer time to work on actual features.
>
> Running your own OIDC/OAuth2 server is not that difficult and there are many alternatives to choose from: https://docs.google.com/spreadsheets/d/16Ya5KsmEpczTmoTk5J-1e2MOyuUqXIiPuj7rPfPrHAI/htmlview
>
> Personally I‘m using „Synology SSO Server“ just because it‘s already integrated with the user management of my NAS. You only have to set it up once and then you can use it for pretty much anything you host (that supports OIDC) which is super convenient. You also get advanced features like 2FA basically for free.

How can I use Synology SSO Server to achieve single sign on?