Conversation

Josue-T
Contributor

@Josue-T Josue-T commented Aug 8, 2025

The problem

YunoHost/issues#676

Solution

Replace the current SSO (ssowat) with Authelia, which natively provides OIDC.

PR Status

Work in progress

Related PR: YunoHost/yunohost-portal#34

How to test

  • Checkout the branch
  • Install Authelia

TODO

  • (WIP) Fix portal API to work with Authelia
  • add new authelia configuration
  • handle the debian packaging of authelia as dependency
  • rework nginx config
  • migrate permission handling from ssowat to Authelia
  • cleanup all dependency to ssowat and replace it with Authelia
  • rework the way we handle the portal domain. With Authelia the portal domain for example.com could be, for example, auth.example.com, so we need to add a way to define the portal domain for each main domain.
  • provide a compatibility layer for the nginx config of apps (ideally we need to provide it for packaging v1 and v2), and we can maybe introduce a new recommended configuration for packaging v3 with a breaking change? cf. WIP: Packaging v3 #2070
  • provide a new resource for apps for OIDC configuration
  • probably we need to write a migration for some stuff... ?

@Josue-T Josue-T changed the title [draft] Fix portal API to make it working with Authelia WIP: OIDC with Authelia Aug 8, 2025
src/portal.py Outdated
else:
# Otherwise we use the encrypted password stored in the cookie
# TODO we need a to fix this case without having the password because authelia don't provide any password
raise NotImplemented()
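Review bot: `raise NotImplemented()` in this `else` branch will not raise the intended exception; `NotImplemented` is the binary-operator sentinel, not an exception class, so calling it fails with `TypeError: 'NotImplementedType' object is not callable` at runtime. Use `raise NotImplementedError("password-less session: Authelia case not handled yet")` so the unfinished path is signalled explicitly until the Authelia case is implemented.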
Contributor Author

@Josue-T Josue-T Aug 13, 2025


@zamentur, @alexAubin, any idea how to handle this case? The issue now with Authelia is that we don't have the password, so we can't just authenticate to LDAP with the user credentials. I thought about these possibilities:

  • Request the user to provide the password (in a popup); this can also be considered a security measure to "re-authenticate" the user before changing the user settings.
  • Do some tweak with the LDAP authentication (for example with a unix socket, maybe) to give portal-api the possibility to send edit requests to LDAP without needing to do an authentication with user/password.
  • Or we can also decide to create a dedicated system user for the SSO operations. Even if we can allow anonymous requests with Authelia, they really recommend using authentication. There is this issue about it: Support anonymous lookup in LDAP authelia/authelia#101. In case we would like at some point to implement password reset, we will need the authentication, so to me it's also an option that we need to think about.

Member


Naively I would say that people should re-provide the password ...

Otherwise we need to make the user running the ynh-portal api able to modify any LDAP account attribute (or maybe we could restrict to "everything but the password") but that feels very meh
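A least-privilege version of the dedicated-service-user option raised in the two comments above (a service account that may edit "everything but the password"), as an added illustration that is not part of this PR or of YunoHost's code: an OpenLDAP ACL that lets an assumed `cn=portal-api` bind modify profile attributes but never `userPassword`, so password changes still require the user's own credentials. The base DN `dc=example,dc=org`, the service DN and the attribute list are assumptions for the example, not YunoHost's actual LDAP layout.

```ldif
# Added example (not from the PR): OpenLDAP access rules for a portal-api
# service account. All DNs and the base "dc=example,dc=org" are placeholders.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
# Rule 0: userPassword is never writable by the service account.
# Users may change their own password; anonymous may only bind with it.
olcAccess: {0}to attrs=userPassword
  by self write
  by anonymous auth
  by dn.exact="cn=portal-api,ou=services,dc=example,dc=org" none
  by * none
# Rule 1: the service account may edit non-credential profile attributes
# of user entries; users may edit their own.
olcAccess: {1}to dn.subtree="ou=users,dc=example,dc=org"
  attrs=mail,displayName,givenName,sn,loginShell
  by dn.exact="cn=portal-api,ou=services,dc=example,dc=org" write
  by self write
  by users read
  by * none
# Rule 2: everything else is read-only, for the service account included.
olcAccess: {2}to *
  by dn.exact="cn=portal-api,ou=services,dc=example,dc=org" read
  by users read
  by * none
```

Applied with `ldapmodify -Y EXTERNAL -H ldapi:/// -f portal-acl.ldif` (the same unix-socket SASL EXTERNAL bind as the second option above), this replaces the database's whole rule set, so merge it with any existing rules first.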

@alexAubin alexAubin added the 🏗️ Major project Big decision label Aug 31, 2025