Open markussiebert opened 11 months ago
Hi @markussiebert, thank you. Please open this issue on the official tandoor recipes repository. This is just the app and therefore only a different frontend. If you want to have a social login then this needs to be implemented in the tandoor recipes backend.
Hi @phantomate, it is already implemented and working in the tandoor recipes backend - I am using oidc log-in there, only need my tandoor log-in data for the Untare app. Not a dealbreaker for me though :-)
@langerdennis I didn't know that. The issue is that only the token auth is implemented in the api atm.
@vabene1111 is the social login available via api or is this a closed feature of the web version?
Since the social login is something where you are redirected, I am pretty sure that it will be limited to the web version.
I think we would need to change the login flow to support social sign in
Since the social login is something where you are redirected, I am pretty sure that it will be limited to the web version.
I think we would need to change the login flow to support social sign in
When doing this, I'd suggest to do it directly in a way where it is possible to add an authentication proxy in front of the tandoor login page. So something like an authentik proxy provider or a cloudflare zero trust tunnel with authentication enabled.
Social login is also an important feature for me, I’m transitioning all my services to SSO with authentik and if the app supports it having an authentication before the login site in order to reduce attack surface.
I think external authentication should already work using this https://docs.tandoor.dev/features/authentication/#external-authentication
Yes, it does, I can use it in the browser, but not in Untare. The app is not using the login page from tandoor, so I don't have a chance to select the external authentication. If you want, I can give you access to my setup so you can see what I mean.
I do think I understand what you mean. I guess I would need to implement an OAuth endpoint in tandoor that can be used by applications like untare to just use the auth configured in tandoor. I know some people find this really important but I have so many other things that I am thinking that this isn't happening any time soon and I am also likely not going to accept PRs on that as it would be such a critical part that I will not merge it without properly understanding it, so if anyone wants to do it, please talk to me first.
Hey there, I just stumbled upon this issue and I think my problem is related:
I use Tandoor with Remote-User auth, which works fine in web, but not in the app as it looks for credentials in Tandoor. I understand your concerns above about changing the integral parts in the backend, but what about a compromise maybe?
Tandoor already allows users to create access tokens in the web, regardless of them using social logins, remote user auth or none of those. Could we not in theory modify the app login to either take user credentials OR an access token straight away to use for API requests? Doing this would isolate this change to be mobile only and the backend can work as it does now with no changes, thoughts?
yes, having a special, use auth token button in the app could be added. The app is open source and not maintained by me, so feel free to ask for such a feature there.
Hi, I am new to Untare. I too use SSO (with Zitadel) to manage my accounts on all my services. As of today, is it possible to connect to an account normally using a social account? If not, is it possible to connect using an API key, a token or similar?
Thanks in advance and have a nice day
I could implement a token login, but I still don't understand how that would help in terms of social logins?
I could implement a token login, but I still don't understand how that would help in terms of social logins?
It's easier to implement than full social login in an app, while still allowing people using SSO to use the app. Like Jellyfin and the Quick Connect feature. True social login would require login via web. As Untare doesn't work like this currently, I guess token login would be easier
Maybe it would be possible to also pass a service token in the http request to the API? For my setup it is behind Cloudflare Zero Trust policies. With the service token in the header, I could bypass the authentication and I could login with the app. Atm there is an api error, as the api is locked behind zero trust.
I guess I would need to implement an OAuth endpoint in tandoor that can be used by applications like untare to just use the auth configured in tandoor.
@vabene1111 I totally agree this seems the right way to go as authentication would be handled by tandoor web and any individual app/client would not have to add support for the various login methods. Unfortunately, I am not capable of implementing this.
I understand that there are more important things to do. That said, of course I would appreciate the additional feature 😸
At some point I will need to review the whole authentication stack of tandoor. I support so many options (PW, LDAP, Proxy, Social Auth Providers), I would love to cut that down a bit to some standard and people who want something else can just use a specialised auth platform, but to be honest I have no experience with auth systems so it's going to be a lot of work "reading up" on the whole topic.
Your Request
First of all: GREAT APP!
It would be great if the app would provide the ability to login with social login - oidc and so on.
The Current State
Can't use my OIDC provider with MFA and Co
Additional Context
No response