[REQUEST] Implement OIDC authorization flow #350
Comments
I'd love to see this too
I am looking into this right now! I want to actually revamp the auth system first. This would mean moving from the current auth system (dj-rest-auth), which is limited to basically just signup and registration, to allauth, which has a lot more features like MFA and OIDC (it will also make it easier to support a future AdventureLog mobile app 🤫)
Using allauth is a great solution; I use it in many of my Django projects. +1! It's a well-thought-out library, hopefully the migration isn't too painful!
I am currently working on the AllAuth system in the development branch. I am just working some things out before it's released, but it should not require any manual migration. Thankfully Django makes the whole auth switch really easy!
I'm excited for this! Thanks for putting the work in. I plan to use Authentik on my home server to do SSO and MFA, but this project supporting OIDC is gonna be a huge enhancement!
Can't wait for this feature. I've been putting off deploying AdventureLog until some sort of SSO is supported. Like @spiritedsnowcat, I'll be using Authentik as an OIDC provider. I am willing to test this feature as it develops.
Hi everyone! Development for OIDC auth is in full swing and is coming along great so far! I have a working demo of GitHub SSO and Authentik. I will continue to work and perfect this in the coming weeks and plan to release it in the next update!! Once it's beta ready I will update here for others to try.
Just released this on the
Just pulled the latest image, and am running into a few issues. Following the docs, I get a 404 after attempting to log in using SSO. My Authentik is accessible and working for all my other services with OAuth at https://auth.example.com. AdventureLog is deployed to https://AdventureLog.example.com. I'm away from my machine right now, so I can't paste in configs/screenshots right now. Just wondering if you've seen this bug. When I am back at my machine, I'll send a screenshot of what the error looks like, my admin panel configuration, my docker-compose.yml, and the relevant log message(s) which might help track this issue down. P.S. In the docs, there's at least one instance of Authentik being spelled
Got it! Take your time @UndyingSoul and send any relevant info when you are ready and I will help!
Alrighty. Here's what I've got, redacting the sensitive information; example.com represents my actual TLD.

Error

My environment

docker-compose.yml

```yaml
services:
  web:
    image: ghcr.io/seanmorley15/adventurelog-frontend:latest
    container_name: adventurelog-frontend
    restart: unless-stopped
    networks:
      - proxy
      - internal
    environment:
      - PUBLIC_SERVER_URL=http://server:8000 # Should be the service name of the backend with port 8000, even if you change the port in the backend service
      - BODY_SIZE_LIMIT=100000
    #ports:
    #  - "8015:3000"
    depends_on:
      - server
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.adventurelogweb.entrypoints=https"
      - "traefik.http.routers.adventurelogweb.rule=Host(`adventurelog.example.com`) && !(PathPrefix(`/media`) || PathPrefix(`/admin`) || PathPrefix(`/static`))" # Replace with your domain
      - traefik.http.services.adventurelogweb.loadbalancer.server.port=3000
      - traefik.docker.network=proxy
  db:
    image: postgis/postgis:15-3.3
    container_name: adventurelog-db
    restart: unless-stopped
    networks:
      - internal
    environment:
      POSTGRES_DB: adventurelog
      POSTGRES_USER: dbuser
      POSTGRES_PASSWORD: supersecretdbpassword
    volumes:
      - /docker/adventurelog/data:/var/lib/postgresql/data/
  server:
    image: ghcr.io/seanmorley15/adventurelog-backend:latest
    container_name: adventurelog-backend
    restart: unless-stopped
    networks:
      - internal
      - proxy
    environment:
      - PGHOST=db
      - PGDATABASE=adventurelog
      - PGUSER=dbuser
      - PGPASSWORD=supersecretdbpassword
      - SECRET_KEY=supersecretkey
      - DJANGO_ADMIN_USERNAME=adminuser
      - DJANGO_ADMIN_PASSWORD=supersecretpassword
      - DJANGO_ADMIN_EMAIL=admin@adventurelog.example.com # Must be an email address, not a bare hostname
      - PUBLIC_URL=https://adventurelog.example.com # Match the outward port, used for the creation of image urls
      - CSRF_TRUSTED_ORIGINS=https://adventurelog.example.com # Comma separated list of trusted origins for CSRF
      - DEBUG=False
      - FRONTEND_URL=https://adventurelog.example.com # Used for email generation. This should be the url of the frontend
      # No quotes around values in this list form: compose passes them through literally as part of the value
      - EMAIL_BACKEND=email
      - EMAIL_HOST=smtp.example.com
      # Django's SMTP backend refuses EMAIL_USE_TLS and EMAIL_USE_SSL both set; port 587 is STARTTLS, so only TLS is enabled
      - EMAIL_USE_TLS=True
      - EMAIL_PORT=587
      - EMAIL_HOST_USER=[email protected]
      - EMAIL_HOST_PASSWORD=redactedEmailPassword
      - DEFAULT_FROM_EMAIL=[email protected]
      - DISABLE_REGISTRATION=True
    #ports:
    #  - "8016:80"
    depends_on:
      - db
    volumes:
      - /docker/adventurelog/media:/code/media/
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.adventurelogserver.entrypoints=https"
      - "traefik.http.routers.adventurelogserver.rule=Host(`adventurelog.example.com`) && (PathPrefix(`/media`) || PathPrefix(`/admin`) || PathPrefix(`/static`))" # Replace with your domain
      - traefik.http.services.adventurelogserver.loadbalancer.server.port=80
      - traefik.docker.network=proxy
networks:
  internal:
  proxy:
    external: true
```

Relevant Logs

Where is replaced with the oauth provider id/client id?:

Admin Configuration

Authentik Configuration

I'm intentionally leaving the redirect URL empty, since, by default, Authentik puts the first successful redirect URL here anyway; then I don't have to worry about fat-fingering the URL.
I think I found the issue,
Is your feature request related to a problem? Please describe.
I would like to authorize users with an external IdP and give them access to AdventureLog without registering again.
Describe the solution you'd like
AdventureLog should support the basic OIDC authorization flow. It doesn't have to be PKCE; the basic flow with client id and client secret should solve the problem.
Describe alternatives you've considered
SAML and LDAP. These two approaches are more complex, and OIDC is more modern.
Additional context
Add any other context or screenshots about the feature request here.
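The flow the request describes (authorization code, client id plus client secret, no PKCE), written out end to end as an added example; this is not AdventureLog's or allauth's code. Both sides run in one process: ToyIdP stands in for Authentik, RelyingParty plays the role allauth takes in a Django app. The issuer URL, callback path, client id/secret and the HS256 shared signing key are placeholders I chose for offline use; a real provider signs ID tokens with an asymmetric key and the RP verifies them against the issuer's JWKS. The IdP side also shows why leaving the redirect URI allowlist empty (as in the config comment above) is risky: the only safe check is an exact string match against a pre-registered URI.

```python
"""OIDC authorization-code flow, both sides in-process, with the checks a
relying party (RP) must make. Added example, standard library only; every
URL, id, secret and key below is an assumed placeholder, not from the issue."""
import base64
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

ISSUER = "https://auth.example.com/application/o/adventurelog/"  # assumed
CLIENT_ID = "adventurelog"                                         # assumed
CLIENT_SECRET = "client-secret-for-demo"                           # assumed
# Assumed callback path. Whatever the real path is, the reverse proxy has to
# deliver it to the service that runs allauth, or the browser sees a 404.
REDIRECT_URI = "https://adventurelog.example.com/accounts/oidc/authentik/login/callback/"
SIGNING_KEY = b"idp-signing-key-for-demo"  # assumed; HS256 for the demo only


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict) -> str:
    """HS256 JWT minted by the toy IdP (real IdPs use RS256/ES256)."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims).encode())
    sig = hmac.new(SIGNING_KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(sig)}"


class ToyIdP:
    """Stand-in provider: /authorize and /token as plain methods."""

    def __init__(self, registered_redirects):
        self.registered = set(registered_redirects)  # exact-match allowlist
        self.codes = {}

    def authorize(self, params: dict) -> str:
        # Exact string match only: an empty or prefix-matched allowlist lets an
        # attacker-chosen redirect_uri receive the code instead of the RP.
        if params["redirect_uri"] not in self.registered:
            raise ValueError("redirect_uri not registered")
        if params["client_id"] != CLIENT_ID:
            raise ValueError("unknown client")
        code = secrets.token_urlsafe(24)
        self.codes[code] = {"nonce": params["nonce"], "redirect_uri": params["redirect_uri"], "sub": "user-42"}
        return params["redirect_uri"] + "?" + urlencode({"code": code, "state": params["state"]})

    def token(self, code, redirect_uri, client_id, client_secret) -> dict:
        record = self.codes.pop(code, None)  # codes are single use
        if record is None:
            raise ValueError("invalid or already used code")
        if record["redirect_uri"] != redirect_uri:
            raise ValueError("redirect_uri differs from the authorization request")
        if client_id != CLIENT_ID or not hmac.compare_digest(client_secret, CLIENT_SECRET):
            raise ValueError("bad client credentials")
        now = int(time.time())
        claims = {"iss": ISSUER, "aud": CLIENT_ID, "sub": record["sub"],
                  "nonce": record["nonce"], "iat": now, "exp": now + 300}
        return {"id_token": sign_jwt(claims)}


def verify_id_token(token: str, expected_nonce: str, now=None) -> dict:
    """Signature, alg allowlist, iss, aud, exp and nonce: all mandatory for an RP."""
    header, body, sig = token.split(".")
    if json.loads(b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # never let the token choose the algorithm
    expected = hmac.new(SIGNING_KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(body))
    now = int(time.time()) if now is None else now
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("aud") != CLIENT_ID:
        raise ValueError("wrong audience")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    if not hmac.compare_digest(claims.get("nonce", ""), expected_nonce):
        raise ValueError("nonce mismatch")  # blocks replay of a captured ID token
    return claims


class RelyingParty:
    """The app side (the role allauth plays): start login, then handle the callback."""

    def __init__(self, idp: ToyIdP):
        self.idp = idp
        self.session = {}  # per-browser server-side session

    def start_login(self) -> dict:
        self.session["state"] = secrets.token_urlsafe(16)
        self.session["nonce"] = secrets.token_urlsafe(16)
        return {"response_type": "code", "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
                "scope": "openid email profile", "state": self.session["state"],
                "nonce": self.session["nonce"]}

    def callback(self, url: str) -> dict:
        query = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
        stored = self.session.pop("state", None)
        # state ties the callback to the session that started login (login-CSRF defence)
        if stored is None or not hmac.compare_digest(query.get("state", ""), stored):
            raise ValueError("state mismatch")
        tokens = self.idp.token(query["code"], REDIRECT_URI, CLIENT_ID, CLIENT_SECRET)
        return verify_id_token(tokens["id_token"], self.session.pop("nonce"))


def run_flow(idp=None) -> dict:
    """Happy path: returns the verified ID token claims for the logged-in user."""
    idp = idp or ToyIdP([REDIRECT_URI])
    rp = RelyingParty(idp)
    return rp.callback(idp.authorize(rp.start_login()))


if __name__ == "__main__":
    print(run_flow())
```

`run_flow()` walks the happy path; the failure modes worth knowing are all raised as `ValueError`: a redirect_uri that is not on the allowlist is refused before any code exists, a callback whose state does not match the session is dropped, a code cannot be redeemed twice, and an ID token with a stale exp or a foreign nonce is rejected after signature verification.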