
Feature Request: Add Support for OAuth #230

Closed
fullstackpotato opened this issue Nov 14, 2020 · 15 comments
Labels
enhancement New feature or request

Comments

@fullstackpotato

Bit of a luxury request, but also similar to ticket #88

Would it be possible to implement support for OAuth based authentication? This would allow users to centralise their user management using something like Keycloak, preventing the mismatching of passwords and the like. This would also allow Keycloak to handle additional account hardening such as Multi Factor Authentication.

@fullstackpotato fullstackpotato added the enhancement New feature or request label Nov 14, 2020
@vabene1111
Collaborator

i like the idea. Probably not something that is super easy to do but definitely something i want to take a look at in the future

@legobuild

Another vote for Keycloak integration. I'm planning to replace my current DokuWiki recipe site with this project. It's not a must-have feature, but would be nice to have. Here are a couple links on adding OAuth2 and Keycloak to Django projects:

https://www.toptal.com/django/integrate-oauth-2-into-django-drf-back-end
https://django-keycloak.readthedocs.io/en/latest/

@vabene1111
Collaborator

thanks for the request. These are features i would definitely like to add in the future but will probably not be around for a while as many other (more requested) features are the priority and my time is a little sparse ...

@legobuild

That makes sense. Thanks for the great work so far.

@mprajescu

My opinion is that SSO is a MUST in today's self hosting environment. Family, parents, friends have an account in my setup, and if the application doesn't support it, usually I go with something that allows me to connect to Keycloak or find an alternative solution/workaround to get the job done.

This might change soon, when Nginx Proxy Manager gets an OIDC access list. This will allow me to add applications as a single user and restrict the site to authenticated users. Time will tell, but I would definitely like to see SSO implemented for recipes.

@vabene1111
Collaborator

thanks for the feedback 👍 There is already support for proxy authentication (like Authelia) which i guess could be integrated with any SSO, but OAuth and possibly other providers are definitely something i want to add

@bloomcake
Contributor

maybe something to look at (I also use it for some projects already): https://github.com/pennersr/django-allauth is easy to implement and configure, and around auth it actually provides everything important

@vabene1111
Collaborator

thank you very much, i had hoped that there would be an easy-to-use django auth plugin to use for integration 👍

@vabene1111
Collaborator

Ok i have implemented basic support for OAuth on the new feature/allauth branch

Several things still need to be done

  • disable social registration / instantly logout users without groups (this page is not meant for public signup)
  • disable password registration
  • customize templates for login/logout
  • make sure no unwanted routes are present that could cause permission issues

@vabene1111 vabene1111 pinned this issue Jan 21, 2021
@vabene1111
Collaborator

vabene1111 commented Jan 24, 2021

Ok so i have implemented django allauth (which was not too hard) and was able to disable signup. Now i myself do not use a central authentication system for my self hosted systems so i dont really know your requirements. Because of this i have some questions:

  1. Is Allauth actually what you need? It has a huge number of providers that are supported but from what i see things like SAML are not supported. So what services are actually used by the self hosting community to facilitate central account management?
  2. I do not want to enable signup for the application as it is not meant to be run publicly. There is already a feature to send an invite link to someone and allow them to signup. OAuth only really makes sense when signup is enabled. How do you normally go about doing this? Do you create manual accounts and then link another authentication method to the existing account?

I currently see two options but maybe there is a better way of doing it:

  1. automatically logout users without groups and enable signup for everyone. In the future (once the permission system is more sophisticated) i could also show a special page
  2. Disable signup, have the superuser create accounts, log into them and then manually connect them to the central auth system: https://stackoverflow.com/a/64110735/6478110

@mprajescu

The way it works, signup is disabled on the recipes site.
You provision an account on the IdP, for this example Keycloak.
The user signs up on Keycloak or the account is provisioned there, and then when he comes to the recipes sign-in page he is redirected to the Keycloak login page, where he signs in with his already provisioned credentials.
Keycloak then sends a token to authorize the recipes site to pull username/email and any other relevant data to create a local skeleton account.
The skeleton account is used on the recipes app to make changes as a normal local account would do.
Allauth deals with all of it; all you have to do is configure Keycloak with your information: the authorization URL, the callback URL for recipes, etc.
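
Added example, not code from this thread or from the project: a framework-independent model of the login/signup policy the two comments above are negotiating (the "logout users without groups" option, the closed-signup option, and the Keycloak-provisioned skeleton account), written as the decision logic a django-allauth `SocialAccountAdapter` override would call. It imports neither Django nor allauth so it runs stand-alone; the names `Policy`, `SocialLogin`, `Decision`, `decide` and `evaluate`, and the sample logins, are assumptions constructed for the example.

```python
"""Decision logic for social logins on a self-hosted app behind an OIDC IdP.

Added example; the names and sample data are assumptions, not the project's API.
"""
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"                          # existing, entitled account: open a session
    CREATE_LOCAL = "create_local"            # IdP user seen for the first time: create skeleton account
    REJECT_PROVIDER = "reject_provider"      # github/google etc. are not trusted for this instance
    REJECT_UNVERIFIED_EMAIL = "reject_unverified_email"
    REJECT_NO_GROUP = "reject_no_group"      # account exists but no admin has assigned a group yet
    REJECT_SIGNUP_CLOSED = "reject_signup_closed"


@dataclass(frozen=True)
class SocialLogin:
    """What the IdP callback tells us, plus the result of the local-account lookup."""
    provider: str                # allauth provider id, e.g. "keycloak"
    email: str
    email_verified: bool         # the IdP's token claim, never a user-supplied value
    account_exists: bool = False
    existing_groups: tuple = ()  # groups of the matched local account, if any


@dataclass(frozen=True)
class Policy:
    trusted_providers: frozenset = frozenset({"keycloak"})
    allow_signup: bool = False   # closed: the superuser provisions accounts (option 2 above)
    require_group: bool = True   # users without a group get no session (option 1 above)


def decide(login: SocialLogin, policy: Policy) -> Decision:
    """Return what the adapter should do for one incoming social login."""
    # 1. Only identity providers the operator controls may authenticate users.
    #    A public provider would let anyone holding e.g. a GitHub account reach the app.
    if login.provider not in policy.trusted_providers:
        return Decision.REJECT_PROVIDER
    # 2. Linking a social login to an existing local account by e-mail address is only
    #    safe when the IdP has verified that address; an unverified address could belong
    #    to someone who merely claimed it at the IdP.
    if not login.email_verified:
        return Decision.REJECT_UNVERIFIED_EMAIL
    if login.account_exists:
        if policy.require_group and not login.existing_groups:
            return Decision.REJECT_NO_GROUP
        return Decision.ALLOW
    # 3. First login of a user the IdP knows but the app does not.
    if not policy.allow_signup:
        return Decision.REJECT_SIGNUP_CLOSED
    # With require_group the adapter creates the skeleton account without any group and
    # ends the session; the user gets in once an admin has assigned a group.
    return Decision.CREATE_LOCAL


# Constructed sample logins (not real data) covering each branch of the policy.
SAMPLE_LOGINS = (
    SocialLogin("github", "dev@example.invalid", True),
    SocialLogin("keycloak", "alice@example.invalid", False, account_exists=True,
                existing_groups=("user",)),
    SocialLogin("keycloak", "alice@example.invalid", True, account_exists=True,
                existing_groups=("user",)),
    SocialLogin("keycloak", "bob@example.invalid", True, account_exists=True),
    SocialLogin("keycloak", "carol@example.invalid", True),
)


def evaluate(policy: Policy = Policy(), logins=SAMPLE_LOGINS) -> dict:
    """Map each sample login (by provider and e-mail) to the policy's decision."""
    return {f"{l.provider}:{l.email}:{int(l.email_verified)}": decide(l, policy) for l in logins}


if __name__ == "__main__":
    for key, outcome in evaluate().items():
        print(f"{key:45s} -> {outcome.value}")
```

In allauth terms, the `REJECT_*` outcomes are what `is_open_for_signup()` returning `False` or `pre_social_login()` raising `ImmediateHttpResponse` would express; the point of keeping the decision in one pure function is that it can be unit-tested without a browser and reviewed for the "no unwanted routes or rights" concern raised earlier in the thread.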

@vabene1111
Collaborator

This definitely makes sense if you use an identity provider like Keycloak where only trusted people even have accounts.

Since allauth also supports github, google etc. i will need to either disable those or find a way that those users dont get any rights when they sign up 🤔 but ok, you have already helped me a lot !

@vabene1111 vabene1111 unpinned this issue Jan 28, 2021
@vabene1111
Collaborator

Allauth support was added with the latest beta and will be included in the next release.

see the docs for more information.

It would be a great help if someone could spin up a beta instance and test if it works with their setup. Image should be released in half an hour or so

@jannislehmann

Hey, I just tested the beta image and it works great with Keycloak. I had some hiccups during the setup. The example.com site did not exist at the beginning and I ran into an internal server error after deleting it. Unfortunately, I did not save the logs. But it is working great now. Thanks!

@vabene1111
Collaborator

perfect, if you feel like anything is missing in the docs or unintuitive let me know
