pixelfed / pixelfed

Photo Sharing. For Everyone.
https://pixelfed.org
GNU Affero General Public License v3.0

Implement SSO options #2089

Open hellcp opened 4 years ago

hellcp commented 4 years ago

For integration into existing infrastructures, we should have an option for setting up auth with LDAP, SAML or OpenID Connect. One of many reasons why Debian Social might have issues with integrating Pixelfed into their existing login system.

Thatoo commented 4 years ago

Mastodon, Pleroma, Peertube all implement LDAP now, so they all integrate perfectly well in projects like Yunohost and Freedombox.

RealBurgerGod commented 4 years ago

I'd love to have one login to rule them all... Looking forward to ldap/sso support!

rasos commented 3 years ago

LDAP is being superseded at many organisations with OAuth2 / OpenID Connect. This gives the users a seamless experience by offering the login token without the need to enter username and password at each service. We use Keycloak for identity management, which can also connect to an OpenLDAP or AD user base.

mprajescu commented 3 years ago

Just checking... are there any updates on this?

aleighco commented 3 years ago

Also looking for LDAP

jakehamilton commented 3 years ago

Would love to see OIDC support added so I can roll pixelfed out under my existing infrastructure.

ser commented 3 years ago

I would vote for SAML - it's much more flexible than LDAP and can also integrate LDAP among others

p00rt commented 2 years ago

hey, this was added to the 0.11.0 project. are there any updates on this feature? lack of OAUTH is basically a dealbreaker for me :c

decentral1se commented 2 years ago

Have an existing online 100+ user group with Keycloak accounts (OpenID Connect) who want to use pixelfed for a trial run and I just can't do it without SSO options. Glad to see this ticket and hoping to see it get implemented one day. Thanks for all the work so far.

ghost commented 2 years ago

+1 for LDAP as a starting point. On top of this other auth mechanisms can be built, I think...

ser commented 2 years ago

It's the complete opposite: SAML is a basis for authentication, and LDAP can be one of its account verification sources.

jakehamilton commented 2 years ago

Chiming back in, I have a similar situation to @decentral1se. Currently running Keycloak and planning to migrate to Ory so OAuth / OIDC would be needed to support this.

I have next to no experience in PHP so I won't be of much help, but is anyone else interested in working on this? Perhaps we could outline what needs to be done here so that someone could contribute the feature?

jakehamilton commented 2 years ago

I'll also mention that choosing OIDC would let people using other providers easily integrate by proxying with Dex. That way everyone gets support while Pixelfed only needs to target one provider.

sama8 commented 2 years ago

If relevant -> SAML Jackson

Lurkars commented 2 years ago

+1 for OpenID Connect.

osresearch commented 2 years ago

I have PixelFed working with Keycloak OIDC for SSO, although the pull requests would really appreciate eyes from someone who knows PHP. https://github.com/pixelfed/pixelfed/pull/3436

jakehamilton commented 2 years ago

@osresearch this looks very promising! I've limited PHP experience so I won't be of much use outside of general code quality comments. Though, right now I'm not sure that's what this PR needs since it is in flux.

twe-syde commented 1 year ago

Is there any news on that? Since I, like many others these days, plan to set up my own Mastodon instance that can act as an OpenID Connect provider, it would be great to have pixelfed client-side support as well.

osresearch commented 1 year ago

I've rebased my OIDC patches to dev 2bb27229f3f8c315d193010106fc328b6f3ac578 and it seems to work, although there will also probably need to be some hacks to support the mobile app. Currently when I try to connect to my test server via the app it gets the /api/nodeinfo/2.0.json and then tries to post to the /api/v1/apps endpoint, but fails to make further progress.

osresearch commented 1 year ago

The SSO patches in #3436 are working well enough for our small community that we've moved it from testing into production and folks are using it with the testflight mobile app. One note is that OAUTH_ENABLED has to be turned on in the config to allow the app to connect to the server.

jdkruzr commented 1 year ago

Hi -- are we getting close to OIDC being usable? I'd love to go with that instead of "raw" LDAP since the way I do LDAP for Mastodon is with OIDC -> Keycloak -> LDAP (which has the added benefit of effectively creating a self-registration portal for my LDAP directory).

osresearch commented 1 year ago

@jdkruzr login via Keycloak is working well enough for our small community, both via the web site and the app. I've pushed a docker image that has the patches applied and deployed in production via https://git.v.st/vst/env/src/branch/single-dockerfile/pixelfed.yaml

jdkruzr commented 1 year ago

> @jdkruzr login via Keycloak is working well enough for our small community, both via the web site and the app. I've pushed a docker image that has the patches applied and deployed in production via https://git.v.st/vst/env/src/branch/single-dockerfile/pixelfed.yaml

thanks. my deployment is "bare metal" so hopefully this gets merged in soon!

w4tsn commented 1 year ago

As others already mentioned, OIDC is the latest authentication standard and allows connecting arbitrary OAuth2 providers and using other sources such as LDAP through an authentication provider like Keycloak or Kanidm. While e.g. Keycloak also supports SAML, the SAML method is slow and rather convoluted compared to OIDC, so I think OIDC deserves prio here.

osresearch commented 1 year ago

The recent "Add Sign-in with Mastodon" changes implemented a remote user model that is specialized for talking to a Mastodon server, rather than using OIDC. I had hoped that this patch (or something similar) could have been cleaned up and merged instead of special-casing the remote auth to a single provider.

Perhaps the code in RemoteAuthService.php can be hacked to support OIDC instead, although I haven't had time to dig into it. The Mastodon sign-on also doesn't have any role support or single-sign-off, so there are other things that would need to be added to bring it up to parity with this PR.

jdkruzr commented 1 year ago

would be nice! I would also accept fixing the LDAP login problem where it tries to auth users via an LDAP attribute ("email") that doesn't exist.

xundeenergie commented 6 months ago

I would be happy if OIDC worked with pixelfed...