Support SSO (Oauth2, OIDC, or SAML) #4
Comments
Any updates on this? It's the last thing I need backed so I can pitch using it for Christmas with my family. I was looking around and came across this: https://flask-oidc.readthedocs.io/en/latest/# I don't have a ton of experience with Python this complex overall, but I thought I might as well throw some time at it when I can and see if anything works out.
Hello, I've worked on something using Keycloak and OpenID Connect. I've managed to get the information of the user who logs in. I find this very complicated; I know it's authentication, so it cannot be simple. It may take a bit of time since I've never worked on that. Thanks for still being interested.
I've been using Authelia up until now, but I've been trying out Authentik as well. Both support OIDC, so they should be compatible regardless. For the identifier, I'm thinking a username might be better? Both Authelia and Authentik require a username, but the email field is optional. Although for Authelia, I always pass 'openid' 'profile' 'email'. There's a lot of information in Authelia's docs about OIDC scopes, which may help. That link is for OIDC 1, and there's an OAuth 2.0 section as well. And this is the OAuth 2.0 section for Authentik.
I've implemented the OIDC in the development branch. You need to edit the .env file. Here is my config; I use Keycloak since it's simple to install. I think it should work on Authelia, can you try please? You will need to change the URLs for logout and config. I used cloud-iam for Keycloak. Fill in the other values; I will change the variable names later.
You can compare two values, so if the user doesn't have an email it will use the username.
Hello, I just installed Authentik and tested it myself. Everything worked correctly. Could you just make sure your user has the right login info (emails are the same, or usernames), and you may also restart the container after updating the .env in /setup.
Unfortunately I've still not been able to get it working. So far I've tried:
Everything still results in the same error. Can you provide the environment variables you're using for your Authentik setup?
OK, here are the detailed steps I've done:
The Linode is deleted, don't worry about personal info.
Oh... I didn't go into that /setup page at all. Would it make more sense to make these environment variables that can be set within the Anyway, once I set everything within that page, it started to work, sort of. I set the redirect URL: to
Also, it would be really helpful to (maybe as an option) automatically create new GiftManager accounts if a user successfully authenticates with OIDC but does not yet have a user registered with GiftManager.
I'm almost done writing everything for release. I just need to know how you want to set the environment variables in the Docker Compose. I'm not sure what the best way to do this is; any recommendations or tips are welcome.
Within the
That And inside the
Able to connect via an OpenID Connect provider. Admin can choose which scope to compare and allow auto-registration.
Just pushed the changes; it also allows auto-registration. Sadly I didn't successfully implement a way to put the values in the docker-compose. You will have to either modify the .env via docker exec or in /setup. I will write the documentation related to OIDC soon. Thanks for the help.
Thank you!
Tried configuring Google as my OIDC provider, but am getting this error when attempting to load https://gift.[redacted].net/login_oidc

Traceback (most recent call last):
File "/usr/local/lib/python3.11/site-packages/flask/app.py", line 1536, in __call__
return self.wsgi_app(environ, start_response)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/local/lib/python3.11/site-packages/flask/app.py", line 1514, in wsgi_app
response = self.handle_exception(e)
^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/local/lib/python3.11/site-packages/flask/app.py", line 1511, in wsgi_app
response = self.full_dispatch_request()
^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/local/lib/python3.11/site-packages/flask/app.py", line 919, in full_dispatch_request
rv = self.handle_user_exception(e)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/local/lib/python3.11/site-packages/flask/app.py", line 917, in full_dispatch_request
rv = self.dispatch_request()
^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/local/lib/python3.11/site-packages/flask/app.py", line 902, in dispatch_request
return self.ensure_sync(self.view_functions[rule.endpoint])(**view_args) # type: ignore[no-any-return]
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/app/app.py", line 152, in login_oidc
nonce = secrets.token_urlsafe(16)
^^^^^^^^^^^^^^^^^^^^^^^^^
NameError: name 'secrets' is not defined

Here is my .env file:
And docker compose file:
Yeah, good. Now corrected; see v.1.0.2
It seems that there is a small bug with the auto-registration feature. I'm on it. I still don't know the cause.
The issue is now fixed. See v1.0.3
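The thread covers three pieces of the OIDC login path: minting a state and a nonce before redirecting to the provider (the `secrets.token_urlsafe(16)` call that raised the NameError because `secrets` was never imported), matching the authenticated user to a local account by email with a fallback to the username when the provider sends no email, and optionally auto-registering an unknown user. The block below is an added example written for this thread, not GiftManager's own code: it uses a plain dict as the session and an in-memory user table (both constructed here), and it only trusts the email claim for matching when the provider marks it `email_verified`, which is a hardening choice of this example rather than something the thread states. ID token signature, issuer and audience checks are assumed to have been done by the OIDC client library before `verify_callback` is called.

```python
import hmac
import secrets  # the import missing from the app.py in the traceback above


def begin_login(session):
    """Start the OIDC flow: mint a state and a nonce and remember both in the session."""
    state = secrets.token_urlsafe(16)
    nonce = secrets.token_urlsafe(16)
    session["oidc_state"] = state
    session["oidc_nonce"] = nonce
    return state, nonce


def verify_callback(session, returned_state, id_token_claims):
    """Check that the callback belongs to the login we started.

    state must match the session (stops a forged callback from logging someone in);
    nonce must match the ID token (stops a replayed ID token from another login).
    Assumes id_token_claims is the already signature-verified payload.
    """
    expected_state = session.pop("oidc_state", None)
    expected_nonce = session.pop("oidc_nonce", None)
    got_state = (returned_state or "").encode()
    if expected_state is None or not hmac.compare_digest(expected_state.encode(), got_state):
        raise PermissionError("state mismatch: callback does not belong to this session")
    got_nonce = str(id_token_claims.get("nonce", "")).encode()
    if expected_nonce is None or not hmac.compare_digest(expected_nonce.encode(), got_nonce):
        raise PermissionError("nonce mismatch: ID token was not issued for this login")
    return id_token_claims


def identity_from_claims(claims, compare="email"):
    """Pick the claim used to match a local account.

    compare="email" tries the email claim first and falls back to the username
    claim when the provider sent no email (the fallback described in the thread).
    An email is only trusted when the provider marks it verified (assumption of
    this example).
    """
    email = claims.get("email")
    if compare == "email" and email and claims.get("email_verified", False):
        return "email", email.lower()
    username = claims.get("preferred_username")
    if not username:
        raise ValueError("no usable identity claim in ID token")
    return "username", username


def map_to_local_user(claims, users, compare="email", auto_register=False):
    """Find the local account for an authenticated OIDC user, optionally creating it."""
    field, value = identity_from_claims(claims, compare)
    for user in users.values():
        if field == "email" and user["email"] and user["email"].lower() == value:
            return user
        if field == "username" and user["username"] == value:
            return user
    if not auto_register:
        raise PermissionError(f"no local account matches {field}={value!r}; auto-registration is off")
    new_user = {"username": claims.get("preferred_username") or value, "email": claims.get("email")}
    users[new_user["username"]] = new_user
    return new_user


if __name__ == "__main__":
    # Constructed in-memory user table standing in for the app's database.
    local_users = {
        "alice": {"username": "alice", "email": "alice@example.org"},
        "bob": {"username": "bob", "email": None},
    }
    session = {}
    state, nonce = begin_login(session)
    # Constructed claims as a provider would return them for alice.
    claims = verify_callback(session, state, {"nonce": nonce, "email": "alice@example.org",
                                              "email_verified": True, "preferred_username": "alice"})
    print(map_to_local_user(claims, local_users)["username"])
```

`verify_callback` pops the state and nonce so each login attempt can only be completed once; the email comparison is case-insensitive because providers differ in how they canonicalise the address.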
Allow user provisioning / access to be controlled via a separate IdP.