Request: Alternate authentication - Google Oauth, Authelia, etc #45

Open
Veeedka opened this issue Jun 14, 2023 · 5 comments
@Veeedka

Veeedka commented Jun 14, 2023

Hey there @jfroment,

This is a solid collection of tools! My only request for this is to set up some alternate authentication methods rather than basic HTTP auth - I've been trying to work through how to modify the collection of scripts to do this; however, authentication is fairly deeply rooted in everything, so I'm getting a bit stuck.

Thank you!

@jfroment
Owner

Hello,

Yeah I agree, a more complete authentication system is missing from this project, and that's why the next version will include it.
In the meantime you could try the still work-in-progress branch sso in git.
In there, there is alpha support for Authelia and integration in script and config files.

What is working:

  • SSO authentication using Authelia (field sso: true for any service in config.yaml)

What is missing:

  • Sample Authelia config files, you have to provide them.
  • Documentation and examples
  • Bypasses for external apps, such as LunaSea api endpoints.
  • Configuration automation
  • Testing. There might be some issues.
  • Configuration migration from simple http auth to SSO.

I plan to move forward with it this summer, but I also discovered Zitadel which seems more customizable so I will do some tests. I cannot guarantee Authelia will be the solution this project will use.

Hope this helps, in the meantime do not hesitate to give some feedback on this early implementation if you feel there is need.

Regards

@Jemmay

Jemmay commented Sep 23, 2023

Any update on this?
Love your project, so I tried to look into integrating it myself, but decided to just wait in case you were about to release a new version. 👍

@CosmicWebCreator

CosmicWebCreator commented Oct 10, 2023

@jfroment I implemented authentik in the seedbox. Can I create a PR? It uses the config file to add authentik to any services. However, the user will have to configure the domain level redirect within authentik.

@jfroment
Owner

Yes there have been some improvements lately, Authentik is already configured in the sso branch (I replaced Authelia which was lighter but maybe too opinionated), which I re-aligned with the dev one recently.
Basically, in the sso branch, a sso flag on any rule can be set to redirect SSO auth to Authentik, like this:
[image]

Of course you'll have to enable the Authentik service first.

Behind the scenes, an additional Traefik router is added to the dynamic rules, to redirect to Authentik services behind it.
It is up to the user to add an outpost + provider and related configuration in Authentik itself, so basically what is missing is documentation, and a way to maybe semi-automate some rules (for example, skip sso for /api paths in sonarr or radarr to make them work in mobile apps, I'm thinking of LunaSea for example).

Any improvements and contributions are welcome in this branch, please do not hesitate to get onboard :)
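
An added example, not code from the sso branch or from the comment above: one way the per-service sso flag and an /api bypass could be turned into Traefik dynamic rules. The function name, the `sso_bypass_paths` field, the middleware and router names, the `authentik` service and the outpost address are all assumptions.

```python
# Hypothetical generator: builds Traefik dynamic-config entries for one service.
# Assumed: the Authentik outpost is reachable at this address, and a Traefik
# service named "authentik" is defined elsewhere in the dynamic config.
AUTHENTIK_FORWARD_AUTH = {
    "forwardAuth": {
        "address": "http://authentik-server:9000/outpost.goauthentik.io/auth/traefik",
        "trustForwardHeader": True,
        "authResponseHeaders": ["X-authentik-username", "X-authentik-groups"],
    }
}


def build_dynamic_rules(name, host, sso=False, sso_bypass_paths=()):
    """Return routers/middlewares for a service; bypass paths skip SSO only."""
    if sso_bypass_paths and not sso:
        raise ValueError("bypass paths only make sense when sso is enabled")
    for path in sso_bypass_paths:
        # Reject anything that would bypass the whole site or break the rule syntax.
        if not path.startswith("/") or path == "/" or "`" in path:
            raise ValueError(f"refusing bypass path {path!r}")

    # "basic-auth" stands for the existing HTTP auth middleware (assumed name).
    routers = {name: {"rule": f"Host(`{host}`)", "service": name, "priority": 10,
                      "middlewares": ["sso-authentik"] if sso else ["basic-auth"]}}
    middlewares = {}
    if sso:
        middlewares["sso-authentik"] = AUTHENTIK_FORWARD_AUTH
        # The outpost's own endpoints must reach Authentik unauthenticated.
        routers[f"{name}-outpost"] = {
            "rule": f"Host(`{host}`) && PathPrefix(`/outpost.goauthentik.io/`)",
            "service": "authentik", "priority": 30, "middlewares": []}
    if sso_bypass_paths:
        paths = " || ".join(f"PathPrefix(`{p}`)" for p in sorted(sso_bypass_paths))
        # Higher priority than the main router so it wins for these paths only.
        # No auth middleware here: the application's own API key is the sole
        # control on these paths, so keep the list as narrow as possible.
        routers[f"{name}-nosso"] = {"rule": f"Host(`{host}`) && ({paths})",
                                    "service": name, "priority": 20,
                                    "middlewares": []}
    return {"http": {"routers": routers, "middlewares": middlewares}}


if __name__ == "__main__":
    import json
    # Constructed sample input: hostname and service are placeholders.
    print(json.dumps(build_dynamic_rules("sonarr", "sonarr.example.test",
                                         sso=True, sso_bypass_paths=["/api"]), indent=2))
```
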

@CosmicWebCreator

CosmicWebCreator commented Oct 10, 2023

@jfroment Wow! I just checked the branch and you pretty much did what I did! Good job! You even added Authelia! The only difference between your branch and mine is now Uptime Kuma and a usenet downloader (sabnzbd).

On the sso branch, I have a few suggestions:

  1. remove root and input the user PID and GID instead (it works for me and I try to avoid running anything in root)
  2. I separated the redis and the postgres in case anybody would need these also for something else.... after all, they are individual services just like flood to deluge.
  3. authentik-worker should use latest as well since the server uses latest version.

If you agree, I can make a PR. If not, it is ok also :).
