sissbruecker / linkding

Self-hosted bookmark manager that is designed to be minimal, fast, and easy to set up using Docker.
https://linkding.link/
MIT License
6.8k stars 325 forks

Disable Local Login After Enabling Authentik OIDC #730

Open pr0927 opened 6 months ago

pr0927 commented 6 months ago

Hi all, just wanted to see if this is an option somewhere, or if not, humbly request if it could be added. I've gotten Authentik working for SSO via OIDC for Linkding, and it seems to be working correctly (fingers crossed the mobile app and browser extension don't have errors).

However, I was hoping to bypass the login screen where it's merely an option to choose the OIDC login, and force it to the Authentik login page instead.

I know this is something requiring explicit toggling for other apps (Nextcloud and Bookstack for instance) - did not know if that was already the case here, and if so how.

sissbruecker commented 6 months ago

So this is about initializing the authentication flow automatically in case the user is not logged in, rather than manually having to press the login with OIDC button?

pr0927 commented 6 months ago

That's correct, yep! Currently on the login page it still gives the option to log in with the built-in username/password, or to click the OIDC login option.

sprjr commented 2 months ago

@sissbruecker I kind of had the same issue, to a degree. I noticed that when the setting LD_ENABLE_AUTH_PROXY is set to "True", I cannot log in with either OIDC or password login. However, when I set that to "False", I can then log in with both. I don't know if this qualifies as a new issue entirely, but it's something I wanted to bring up in case I am doing something odd.

sissbruecker commented 2 months ago

@sprjr Currently that is how the option works, as soon as you configure an auth proxy other authentication methods get disabled. Why do you want to enable both? I don't know if there is a setup where this makes sense. Theoretically your reverse proxy should deny you access to the linkding instance unless you are authenticated in the auth proxy. So even if someone wanted to access the login page, they can't unless they are authenticated in the auth proxy. If you can access the login page without being authenticated in the auth proxy, then something is wrong with your setup. That would mean that anyone who has access to your instance can bypass the login by just passing a username header in the HTTP request.

sprjr commented 2 months ago

Perhaps I misphrased it. I do not want to enable both. However, when I set it to true this morning it became an "all or nothing" situation. If it was set to true then I could log in with neither password nor OIDC login. If I set it to false, which I currently have, then I can log in with both password and OIDC.

sissbruecker commented 2 months ago

When you properly configure an auth proxy, other authentication methods don't make any sense. No one can access the login page without already being authenticated in the auth proxy. If someone can access the login page, then they are already authenticated in the auth proxy, and don't need to use username+password or OIDC anymore. I'd say this works as intended.

sprjr commented 2 months ago

I don't think we're correctly lining up. I can provide my config if that might make things easier? I have set up my auth proxy, but if I set LD_ENABLE_AUTH_PROXY to "True", then I reach the login page whether I'm authenticated to my auth proxy service or not. Then, if I click on the "log in with OIDC" button, it redirects me to my auth proxy, but then drops me back to the Linkding login page. It's unresponsive if I use the regular login button.

If I set LD_ENABLE_AUTH_PROXY to "False", then I can log in using either OIDC or password. Does that make sense? From what you're saying, if I set it to "True", I should be bounced immediately to the auth proxy and not given the option to do a password login.

sissbruecker commented 2 months ago

I have set up my auth proxy, but if I set LD_ENABLE_AUTH_PROXY to "True", then I reach the log in page whether I'm authenticated to my auth proxy service or not.

That sounds like something is not set up correctly. If you want to use proxy auth, you need to configure your reverse proxy (nginx, Traefik, etc.) to redirect you to your auth proxy if you are not authenticated.
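The reverse-proxy setup described in the two comments above (the proxy gates every request, and the username header that linkding trusts is set by the proxy rather than forwarded from the client), as an added nginx example that is not from this thread or from the linkding project. It assumes nginx's auth_request module, a linkding container reachable only on the internal address linkding:9090, an auth proxy whose forward-auth endpoint at http://auth-proxy:9000/auth answers 200 with the username in an X-Authenticated-User response header and 401 otherwise, and linkding configured to read the username from the Remote-User request header; every one of those names and addresses is a placeholder chosen for illustration.

```nginx
# Added example, not linkding's or the thread's configuration.
# Placeholders: linkding:9090, auth-proxy:9000, auth.example.internal,
# X-Authenticated-User (response header of the auth proxy),
# Remote-User (request header linkding is assumed to trust).

server {
    listen 443 ssl;
    server_name linkding.example.internal;   # placeholder

    # Every request is checked against the auth proxy before it reaches linkding.
    location / {
        auth_request /_auth;
        # Take the identity from the auth proxy's response ...
        auth_request_set $auth_user $upstream_http_x_authenticated_user;
        # ... and set the header linkding trusts from it. Because the header is
        # set here, any Remote-User header supplied by the client is replaced,
        # never forwarded. This closes the header-passing bypass described above.
        proxy_set_header Remote-User $auth_user;
        proxy_set_header Host $host;
        proxy_pass http://linkding:9090;
    }

    # Internal subrequest to the auth proxy; only headers and cookies are needed.
    location = /_auth {
        internal;
        proxy_pass http://auth-proxy:9000/auth;
        proxy_pass_request_body off;
        proxy_set_header Content-Length "";
        proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
    }

    # An unauthenticated browser is sent to the auth proxy's login page and
    # comes back to the original URL afterwards, so it never sees linkding's
    # own login page.
    error_page 401 = @login;
    location @login {
        return 302 https://auth.example.internal/login?rd=$scheme://$http_host$request_uri;
    }
}
```

Two checks go with this configuration: the linkding port must not be published on the host (in Docker, no `ports:` mapping for it), otherwise the proxy can be skipped entirely; and a request sent through the proxy with a forged `Remote-User` header but no auth-proxy session must come back as a 302 to the login page, not as a logged-in view.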

pr0927 commented 2 months ago

@sprjr I'm realizing your issue - OIDC is different from proxy authorization. That setting is not supposed to be enabled if you want OIDC login.

However I still have my same issue - is there a way to force the login screen to only be the Authentik OIDC login, instead of the landing page with the option to login with either the Linkding credentials or the OIDC button?

I've been unsuccessful in figuring this out so far, if it's possible.

@sissbruecker - this is a very well done app, with such rapid progress, appreciate your engagement on the issues threads.

sprjr commented 2 months ago

Ah thank you, I didn't realize I had my terminology wrong.

I'd appreciate the same feature, since ultimately that's what I was getting at. Forcing OIDC and removing password login would be great.

yuri-becker commented 1 month ago

I'd also like this feature, possibly with an automatic redirect to the OIDC provider. I'd also be open to implementing it myself, if you need/want the help.
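The automatic redirect requested in this thread has one failure mode worth handling: the redirect must not apply to the OIDC callback, to the REST API used by the mobile app and browser extension (which authenticate with a token, not a browser session), to static assets, or to the login page itself, or the very flow it is meant to start breaks. The decision rule below is an added, framework-independent sketch of what a Django middleware for linkding would apply before any view runs; it is not linkding's code, and the path prefixes, the `/oidc/authenticate/` entry point and the `force_oidc` switch are assumptions chosen for illustration.

```python
"""Added example: decision logic for a forced redirect to the OIDC provider.
Not linkding's code. All paths and the force_oidc flag are assumptions."""
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlencode

# Assumed entry point that starts the OIDC authentication flow.
OIDC_INIT_PATH = "/oidc/authenticate/"

# Assumed paths that must never be redirected: the OIDC callback lives under
# /oidc/, the REST API under /api/ uses token auth, and the login and logout
# pages plus static assets must stay reachable.
EXEMPT_PREFIXES = ("/oidc/", "/api/", "/static/", "/login/", "/logout/", "/health")


@dataclass
class Request:
    """Minimal stand-in for the parts of a web request the rule needs."""
    path: str
    authenticated: bool
    method: str = "GET"


def oidc_redirect_target(req: Request, force_oidc: bool) -> Optional[str]:
    """Return the URL to redirect to, or None to let the request through."""
    if not force_oidc or req.authenticated:
        return None
    if req.path.startswith(EXEMPT_PREFIXES):
        return None
    # Only idempotent navigations are redirected; a POST cannot be replayed
    # after the round trip, so it falls through to the normal login handling.
    if req.method not in ("GET", "HEAD"):
        return None
    # Only a same-site relative path is carried in "next", so the value cannot
    # become an open redirect once the provider sends the user back.
    safe_next = req.path if req.path.startswith("/") and not req.path.startswith("//") else "/"
    return f"{OIDC_INIT_PATH}?{urlencode({'next': safe_next})}"


if __name__ == "__main__":
    # Constructed sample requests.
    for r in (Request("/bookmarks/", False), Request("/api/bookmarks/", False),
              Request("/bookmarks/", True), Request("//evil.example/", False)):
        print(r.path, "->", oidc_redirect_target(r, force_oidc=True))
```

The same function answers the original question in the thread: with `force_oidc` off, the login page with both options is shown as today; with it on, an unauthenticated browser never sees that page, while API clients and the OIDC callback are unaffected.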