Replies: 26 comments 3 replies
-
LDAP support (#198) is fairly similar to this request, though this is more about SSO -- redirecting the user to the authentication server rather than requiring them to type their username and password again.
-
We would like to do Google Authentication, we already use this for all our other internal tools and it works really well taking the security burden away from us. Can this be added? I think this would be invaluable for your amazing tool.
-
Another way of approaching this would be to allow HTTP Headers to authenticate a user - in a similar way to how Grafana or Zabbix (among many other tools) do. Alternatively, I've got Adding ADFS support was pretty simple (in the same way that adding plain AD support seemed easy in #198). I just needed to make sure that
-
@jameskirsop I would love to see any changes you've made to make ADFS work. Could you share those here, or perhaps as a gist?
-
@evaryont, installed Added the appropriate config to And used this:
A couple of caveats I've found:
The way I get around both of these, currently, is manually copying the token created by Healthcheck, deleting the 'invited' account created by Healthcheck (via Not using
-
A few hours later and I've made some significant progress with working around the above. I've subclassed the I'm going to do some more testing and then put together a PR for a secondary backend that can optionally be used to bridge the divide between HealthCheck and ADFS.
-
References:
-
I have the ultimate hack, adding OpenID Connect support to Healthchecks without modifying any code:

```python
from .settings import INSTALLED_APPS as settings_ia
from .settings import AUTHENTICATION_BACKENDS as settings_ab
from .settings import ROOT_URLCONF as settings_ru

# Register mozilla_django_oidc right after django.contrib.auth
INSTALLED_APPS = list(settings_ia)
INSTALLED_APPS.insert(INSTALLED_APPS.index("django.contrib.auth") + 1, "mozilla_django_oidc")
INSTALLED_APPS = tuple(INSTALLED_APPS)

# Keep Healthchecks' own backends and append the OIDC one
AUTHENTICATION_BACKENDS = settings_ab + ("mozilla_django_oidc.auth.OIDCAuthenticationBackend",)

OIDC_RP_CLIENT_ID = "client-789"
OIDC_RP_CLIENT_SECRET = "secret-123"
OIDC_OP_AUTHORIZATION_ENDPOINT = "https://example.com/openid-connect/auth"
OIDC_OP_TOKEN_ENDPOINT = "https://example.com/openid-connect/token"
OIDC_OP_USER_ENDPOINT = "https://example.com/openid-connect/userinfo"
OIDC_OP_JWKS_ENDPOINT = "https://example.com/openid-connect/certs"
OIDC_RP_SIGN_ALGO = "RS256"
LOGIN_REDIRECT_URL = '/'

import sys  # needed for the sys.modules trick below
from django.urls import path, include
from django.views.generic.base import RedirectView
from types import ModuleType

# Create a dynamic module that injects some additional routes before HC's
sys.modules['sneaky_url'] = ModuleType('sneaky_url')


class _Sneaky(ModuleType):
    @property
    def urlpatterns(self):
        return [
            path('oidc/', include('mozilla_django_oidc.urls')),
            # Send the normal login page straight into the OIDC flow
            path('accounts/login/', RedirectView.as_view(url='/oidc/authenticate', permanent=True)),
            # Everything else falls through to Healthchecks' own URLconf
            path('', include(settings_ru)),
        ]


sys.modules['sneaky_url'].__class__ = _Sneaky
ROOT_URLCONF = 'sneaky_url'
```

Copy & paste this into @cuu508 I'm sorry for this horrible python but it's pretty clever, eh?
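The settings hack above wires mozilla_django_oidc into Healthchecks, but the security of that login then rests on what the relying party verifies in the ID token it gets back. The following is an added example, not code from this thread, from healthchecks or from mozilla-django-oidc, showing the relying-party checks a backend such as OIDCAuthenticationBackend has to perform: pin the signing algorithm to the configured OIDC_RP_SIGN_ALGO value, verify the signature, and only then validate iss, aud/azp, exp and nonce. It uses HS256 with a constructed shared secret so that it runs on the standard library alone (the thread configures RS256, where the same check uses the keys from the JWKS endpoint); the issuer URL is an assumption derived from the example.com endpoints, and the claims and secret are constructed.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed values for this example. CLIENT_ID matches the settings in the
# thread; ISSUER is an assumption based on the example.com endpoints there.
ISSUER = "https://example.com"
CLIENT_ID = "client-789"
# The thread pins OIDC_RP_SIGN_ALGO = "RS256". HS256 with a constructed shared
# secret is used here only so the example runs without third-party libraries;
# the claim checks below are identical for either algorithm.
PINNED_ALG = "HS256"
SHARED_SECRET = b"constructed-example-secret"


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_id_token(claims: dict, alg: str = PINNED_ALG) -> str:
    """Mint a compact JWS over *claims*, standing in for the identity provider.

    Only HS256 is actually signed. Any other *alg* value is written into the
    header with an empty signature so the verifier's algorithm check can be
    exercised (for example alg="none").
    """
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    sig = hmac.new(SHARED_SECRET, signing_input, hashlib.sha256).digest() if alg == "HS256" else b""
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_id_token(token: str, expected_nonce: str, now: Optional[float] = None) -> dict:
    """Return the claims of an acceptable ID token; raise ValueError otherwise.

    Order matters: the algorithm is pinned and the signature checked before any
    claim is read, so unsigned or foreign-signed tokens never reach claim logic.
    """
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token is not a three-part compact JWS")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != PINNED_ALG:
        raise ValueError(f"alg {header.get('alg')!r} is not the configured {PINNED_ALG}")
    expected_sig = hmac.new(SHARED_SECRET, f"{header_b64}.{payload_b64}".encode("ascii"),
                            hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        raise ValueError("signature does not verify")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != ISSUER:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if CLIENT_ID not in audiences:
        raise ValueError("token was not issued for this client")
    if len(audiences) > 1 and claims.get("azp") != CLIENT_ID:
        raise ValueError("multi-audience token without a matching azp")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise ValueError("token expired or carries no exp")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch: token may be replayed from another login")
    return claims


def is_acceptable(token: str, expected_nonce: str, now: Optional[float] = None) -> bool:
    """Boolean wrapper around verify_id_token for callers that only need yes/no."""
    try:
        verify_id_token(token, expected_nonce, now)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    demo = {"iss": ISSUER, "aud": CLIENT_ID, "sub": "user-1",
            "exp": int(time.time()) + 300, "nonce": "n-1"}
    print(is_acceptable(make_id_token(demo), "n-1"))              # True
    print(is_acceptable(make_id_token(demo, alg="none"), "n-1"))  # False
```

The nonce is the value the relying party generated when it redirected the browser to /oidc/authenticate and stored in the session; checking it on the way back is what ties the returned token to that particular login attempt.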
-
@evaryont that's quite a hack indeed! 👍 I'm interested in adding "official" OpenID Connect support into the project and the hosted site as well. Picking the default identity providers will be tricky, but starting with Github and Google seems reasonable. Checking out mozilla-django-oidc library now – looks like it's designed to support a single, preconfigured identity provider, right?
-
Indeed, looking around there isn't a way to configure it to support multiple providers simultaneously. You might be able to get it working by creating multiple applications, one for each provider, but boy that does sound hacky.
-
Is anyone working on this? I'd be most interested in Keycloak integration and I see that there is https://django-keycloak.readthedocs.io/en/latest/. Is anyone against me taking a stab at integrating this just for Keycloak?
-
Hi @decentral1se – here's a quick summary of my plans and the current situation.
I'm not familiar with Keycloak (or, to be completely honest, with the other mentioned technologies), would Keycloak work as another OIDC identity provider? If that's the case, we should plan for supporting other OIDC providers in future too.
-
Keycloak, https://github.com/dexidp/dex or a generic OIDC provider connector is always a good start, because these will allow you to "federate" from other upstream OIDC providers.
-
@cuu508 is there any progress?
-
@lukasmrtvy from my side, unfortunately no.
-
Here's a blob of the subclasses I wrote for I don't know, @cuu508, if you'd like to have this in the project to allow for some support of third party logins for those who are hosting themselves? It might be a little niche, but it would solve the problem for a number of people who've posted on this issue. I'm happy to create a PR for this after writing up some documentation, if you'd like to have it included.
-
I used djangosaml2 for doing SAML2 authentication, an example in my fork here, see saml2_sp and requirements:
-
+1 for this feature!
-
I'd also suggest SATOSA as an IAM proxy.
-
With the HTTP header auth merged in, I think the only thing that remains would be an example configuration of something like the following stack:
Documenting that and referring people to it should hopefully provide the foundation for plugging in whatever authentication proxies people would like. @cuu508 the only thing I'd like to ask of you is: do you have a list of routes that should be excluded from authentication? I could make some guesses, but it would be nice to be more confident about the choices.
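For the header-based approach discussed in this thread, the part that matters from a security standpoint is that the application trusts the identity header only when the request demonstrably came through the authenticating proxy; reached directly, any client can send that header. The block below is an added example and not the project's middleware: a standalone Python decision function in which the proxy address ranges, the header name and the public route prefixes are all constructed for the demo (healthchecks reads such a header through its REMOTE_USER_HEADER setting, but the header name chosen here is an assumption, and since the thread does not reproduce the project's list of excluded routes, /ping/ and /static/ are placeholders).

```python
import ipaddress
from typing import Mapping, Optional

# Constructed configuration for this example (not the project's own values).
REMOTE_USER_HEADER = "X-Remote-User"   # assumption: the header the proxy sets

# Only requests that actually came through the proxy may carry a trusted header.
TRUSTED_PROXIES = [
    ipaddress.ip_network("10.0.0.0/8"),    # constructed: the proxy tier
    ipaddress.ip_network("127.0.0.1/32"),  # constructed: a local sidecar proxy
]

# Routes that stay reachable without login. Placeholder prefixes only: the
# thread does not list the project's actual excluded routes.
PUBLIC_PREFIXES = ("/ping/", "/static/")


def is_public_path(path: str) -> bool:
    """True for routes the proxy is expected to pass through unauthenticated."""
    return any(path.startswith(prefix) for prefix in PUBLIC_PREFIXES)


def from_trusted_proxy(remote_addr: str) -> bool:
    """True when the TCP peer address belongs to a configured proxy range."""
    try:
        src = ipaddress.ip_address(remote_addr)
    except ValueError:
        return False
    return any(src in net for net in TRUSTED_PROXIES)


def resolve_remote_user(remote_addr: str, path: str,
                        headers: Mapping[str, str]) -> Optional[str]:
    """Return the identity the application may trust for this request, or None.

    None means: fall back to the normal login flow. The header is ignored
    unless the request arrived from a trusted proxy, because anyone who can
    reach the application directly can set arbitrary request headers.
    """
    if is_public_path(path):
        return None
    if not from_trusted_proxy(remote_addr):
        return None
    # Header names are case-insensitive; normalise before the lookup.
    lowered = {name.lower(): value for name, value in headers.items()}
    value = lowered.get(REMOTE_USER_HEADER.lower(), "").strip()
    # A proxy sets exactly one identity; reject anything that looks like a
    # merged list or an injected second value.
    if not value or "," in value or "\n" in value:
        return None
    return value


# Constructed requests that exercise each decision branch.
SAMPLE_REQUESTS = {
    "via_proxy":        ("10.1.2.3", "/checks/", {"X-Remote-User": "alice@example.com"}),
    "direct_spoof":     ("203.0.113.7", "/checks/", {"X-Remote-User": "admin@example.com"}),
    "public_ping":      ("10.1.2.3", "/ping/00000000-0000-0000-0000-000000000000/",
                         {"X-Remote-User": "alice@example.com"}),
    "proxy_no_header":  ("10.1.2.3", "/checks/", {}),
    "lowercase_header": ("127.0.0.1", "/checks/", {"x-remote-user": "bob@example.com"}),
}


def evaluate_samples() -> dict:
    """Run every sample request through the decision function."""
    return {name: resolve_remote_user(*req) for name, req in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, user in evaluate_samples().items():
        print(f"{name:17} -> {user}")
```

In a Django deployment the same header shows up as `HTTP_X_REMOTE_USER` in `request.META`; the address check must use the actual TCP peer (`REMOTE_ADDR`), not an `X-Forwarded-For` value, because that header is just as attacker-settable as the identity header when the application is reached directly.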
-
Hi @nogweii, here's the list of routes that I think would make sense to be excluded from authentication:
-
Soooo... did anyone manage to get it to work? Right now I'm trying to authenticate via Authentik with Traefik, but I can't get it to work...
-
I currently have no plans to add OIDC authentication options. I want to preserve the discussion in the comments, so I'm converting this issue to a discussion rather than closing it. |
-
A very simple version of the oauth2-proxy/healthchecks setup (on k8s) is described here: https://github.com/CloudyneS/healthchecks-k8s-oidc. We recently set it up and it seems to be working well overall. I have not specified the routes as explicitly as @cuu508 described, it's more of a working POC setup for adding authentication via OIDC that can be further customized. Will probably add those options at some point and convert it to a chart/something more complete and add a POC for docker as well.
-
Need it, everything should have it. It's the future.
-
Hello guys, do you plan to add it near 2024? We need this feature 😇
-
It would be nice if healthchecks supported OAuth/OpenID Connect or similar for on-premise deployments. That way a user could be redirected to a central IAM platform (AWS's, Active Directory's Federated Services, Keycloak; there are a number of similar providers and tools) that they are likely already logged in to.