Open pr0927 opened 6 months ago
So this is about initializing the authentication flow automatically in case the user is not logged in, rather than manually having to press the login with OIDC button?
That's correct, yep! Currently on the login page it still gives the option to login with the built-in username/password, or to click the OIDC login option.
@sissbruecker I kind of had the same issue, to a degree. I noticed that when the setting LD_ENABLE_AUTH_PROXY is set to "True", I cannot log in with either OIDC or password login. However, when I set that to "False", I can then log in with both. I don't know if this qualifies as a new issue entirely, but it's something I wanted to bring up in case I am doing something odd.
@sprjr Currently that is how the option works, as soon as you configure an auth proxy other authentication methods get disabled. Why do you want to enable both? I don't know if there is a setup where this makes sense. Theoretically your reverse proxy should deny you access to the linkding instance unless you are authenticated in the auth proxy. So even if someone wanted to access the login page, they can't unless they are authenticated in the auth proxy. If you can access the login page without being authenticated in the auth proxy, then something is wrong with your setup. That would mean that anyone who has access to your instance can bypass the login by just passing a username header in the HTTP request.
Perhaps I misphrased it. I do not want to enable both. However, when I set it to true this morning it became an "all or nothing" situation. If it was set to true then I could log in with neither password nor OIDC login. If I set it to false, which I currently have, then I can log in with both password and OIDC.
When you properly configure an auth proxy, other authentication methods don't make any sense. No one can access the login page without already being authenticated in the auth proxy. If someone can access the login page, then they are already authenticated in the auth proxy, and don't need to use username+password or OIDC anymore. I'd say this works as intended.
I don't think we're correctly lining up. I can provide my config if that might make things easier? I have set up my auth proxy, but if I set LD_ENABLE_AUTH_PROXY to "True", then I reach the log in page whether I'm authenticated to my auth proxy service or not. Then, if I click on the log in with OIDC button, it redirects me to my auth proxy, but then drops me back to the Linkding login page. It's unresponsive if I use the regular login button.
If I set LD_ENABLE_AUTH_PROXY to "False", then I can log in using either OIDC or password. Does that make sense? From what you're saying, if I set it to "True", I should be bounced immediately to the auth proxy and not given the option to do a password login.
I have set up my auth proxy, but if I set LD_ENABLE_AUTH_PROXY to "True", then I reach the log in page whether I'm authenticated to my auth proxy service or not.
That sounds like something is not set up correctly. If you want to use proxy auth, you need to configure your reverse proxy (nginx, Traefik, etc.) to redirect you to your auth proxy if you are not authenticated.
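The trust boundary described in this thread, modelled as an added example that is not part of the thread or of linkding's code: a backend in auth-proxy mode accepts whatever identity header arrives, so the reverse proxy has to discard any client-supplied copy and set the header only after it has verified the session. The header name `remote-user`, the session store and all function names are assumptions made for illustration.

```python
# Added example; every name here is hypothetical, not linkding's API.
IDENTITY_HEADER = "remote-user"  # assumed header name, lower-cased for lookup

# Constructed sample data standing in for the auth proxy's verified sessions.
SESSIONS = {"constructed-session-id": "alice"}


def backend_user(headers):
    """App in auth-proxy mode: whoever the identity header names is logged in."""
    return headers.get(IDENTITY_HEADER)


def proxy_forward(headers, session_id, enforce=True):
    """Reverse proxy step. Returns (status, headers sent to the backend).

    enforce=True  : correct setup. Client-supplied identity is dropped,
                    unauthenticated requests are redirected (302) and never
                    reach the backend, and the header is set from the session.
    enforce=False : the misconfiguration discussed above. The request is
                    passed through, so the backend sees the client's header.
    """
    headers = {k.lower(): v for k, v in headers.items()}
    if not enforce:
        return 200, headers
    headers.pop(IDENTITY_HEADER, None)   # never trust the client's copy
    user = SESSIONS.get(session_id)
    if user is None:
        return 302, None                 # redirect to the auth proxy login
    headers[IDENTITY_HEADER] = user      # identity comes from the session only
    return 200, headers


def effective_user(headers, session_id, enforce=True):
    """Identity the backend ends up trusting, or None if it is never reached."""
    status, forwarded = proxy_forward(headers, session_id, enforce)
    return backend_user(forwarded) if status == 200 else None


if __name__ == "__main__":
    spoofed = {"Remote-User": "admin"}   # constructed request headers
    print("enforced, no session :", effective_user(spoofed, None))
    print("enforced, valid      :", effective_user(spoofed, "constructed-session-id"))
    print("not enforced         :", effective_user(spoofed, None, enforce=False))
```
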
@sprjr I'm realizing your issue - OIDC is different from proxy authorization. That setting is not supposed to be enabled if you want OIDC login.
However I still have my same issue - is there a way to force the login screen to only be the Authentik OIDC login, instead of the landing page with the option to login with either the Linkding credentials or the OIDC button?
I've been unsuccessful in figuring this out so far, if it's possible.
@sissbruecker - this is a very well done app, with such rapid progress, appreciate your engagement on the issues threads.
Ah thank you, I didn't realize I had my terminology wrong.
I'd appreciate the same feature, since ultimately that's what I was getting at. Forcing OIDC and removing password login would be great.
I'd also like this feature, possibly with an automatic redirect to the OIDC provider. I'd also be open to implementing it myself, if you need/want the help.
Hi all, just wanted to see if this is an option somewhere, or if not, humbly request if it could be added. I've gotten Authentik working for SSO via OIDC for Linkding, and it seems to be working correctly (fingers crossed the mobile app and browser extension don't have errors).
However, I was hoping to bypass the login screen where it's merely an option to choose the OIDC login, and force it to the Authentik login page instead.
I know this is something requiring explicit toggling for other apps (Nextcloud and Bookstack for instance) - did not know if that was already the case here, and if so how.