669
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
this post was submitted on 08 Jan 2024
669 points (99.0% liked)
Selfhosted
39206 readers
302 users here now
A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.
Rules:
-
Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.
-
No spam posting.
-
Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.
-
Don't duplicate the full text of your blog or github here. Just post the link for folks to click.
-
Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).
-
No trolling.
Resources:
- awesome-selfhosted software
- awesome-sysadmin resources
- Self-Hosted Podcast from Jupiter Broadcasting
Any issues on the community? Report it using the report flag.
Questions? DM the mods!
founded 1 year ago
MODERATORS
I'm intrigued. How does it work? Do you have a link or an article to point me to?
The general principle is called single sign on (sso).
The idea is that instead of each all keeping track of users itself, there is another app (sometimes called an identity provider) that does this. Then when you try to log into an app, it takes to the to login of your identity provider instead. When the IP says you are the correct user, it sends a token to the app saying to let you access your account.
The huge benefits are if you are already logged into the IP on a browser for example, the other apps will login automatically without having to put in your password again.
Also for me the biggest benefit is not having to manage passwords for a large number of apps so family that uses my server have 1 account which gives them access to jellyfin, seafile, immich, freshrss etc. If they change that password it changes it for everything. You can enforce minimum password requirements. You can also add 2FA to any app now immediately.
I use Authentik as my identity provider: https://goauthentik.io/https://goauthentik.io/
There's good guides to settings it up with traefik so that you get let encrypt certificates and can use traefik for proxy authentication on web based apps like sonarr. There are many different authentication methods an app can choose to use and Authentik essentially supports everything.
https://youtu.be/CPURnYaW3Zk
SSO should really be the standard for self hosted apps because this way they don't have to worry about ensuring they have the latest security for user management etc. The app just allows a dedicated identity provider to worry about user management security so the app devs can focus on just the app.
Authentik is pretty good. Authelia is good too, and lighter weight.
You can combine Authelia with LLDAP to get a web UI for user management and LDAP for apps that don't support OpenID Connect (like Home Assistant).
If you have to add a whole other app the match what authentik can do, is authelia really lighter weight?
Im joking because authentik does takes a decent chunk of ram but having all protocols together is nice. You can actually make ldap authentication 2FA if you want.
Interesting... How does Authentik do 2FA for LDAP?
I'm going to try it out and see how it compares to Authelia. My home server has 64GB RAM and I have VPSes with 16GB and 48GB RAM so RAM isn't much of an issue :D
Because authentik uses flows, you can insert the 2FA part into any login flow (proxy, oauth, ldap etc)
https://youtu.be/whSBD8YbVlc
LDAP sends username and password over the network though... It doesn't use regular web-based authentication. How would it add 2FA to that?
The above YouTube video shows that you can get authentik to send a 2fa push authentication that requires the phone to hit a button in order to complete the authentication flow.
Ohhhh, interesting. Sorry, I didn't watch the video yet. Thank you!!
Here is an alternative Piped link(s):
https://piped.video/whSBD8YbVlc
Piped is a privacy-respecting open-source alternative frontend to YouTube.
I'm open-source; check me out at GitHub.
Thank you for the detailed answer! It seems really interesting and I will definitely give a try on my server!