Replies: 9 comments 3 replies
-
Several libraries exist to ease implementation; maybe we could use: Or maybe one of these: I am available to assist the maintainer with getting keycloak & oauth2-proxy working up to the point of providing a bearer token to heimdall.
-
In summary, as I write this to tempt the maintainer: once you are at the heimdall main page and have a bearer token, you also have the username of the person logged in and the groups they are a member of. Seems it wouldn't take too much at that point to create a user account for the user and recognize they are logged in. (That's where I'm at now, looking at the php code and seeing how to add the username that was passed in. Not sure I'm the right person to add this. Haven't used php in quite a while.) The other part of oidc / oauth is seeing there is no bearer token and redirecting them to the identity server. The oidc php library will do this automatically, letting you know who the person is, or redirecting them to login and letting you know who the person is when they get back.
-
Maybe we can already do this by configuring laravel?
-
With the latest heimdall release I've been able to get a couple of OIDC plugins to work. Upon visiting a page I'm redirected to keycloak and prompted for a login. After logging in I am redirected back to the original page ... at this point I'm showing as the default user. So, essentially, the tested setup just requires a valid username and password to access the site. The pages need to accept the token passed in and use the username and groups that are provided. Features will need to be added besides just the OIDC authentication. I'm not sure of all that is required, but know of a few:
-
Made a video for those considering implementing OIDC in their application:
-
Hi @lknite, has there been any progress with this? I can't find any info in the docs.
-
If I can upvote this functionality, I'd like to integrate Heimdall with Authentik too 🙂
-
Unfortunately it does not appear that there is much interest in this feature (I type while trying to resurrect it, haha). Remote user management would be amazing for homelabbers as well as small orgs who want dashboards for teams to use for daily operations. If this gets added I will likely switch back to Heimdall as my browser start page. I'll keep my fingers crossed that this gets some traction!
-
I think the interest is there; it's just that there seems to be one maintainer, and at least a couple of years ago he didn't have the time. I'll see if I can find him again and check in.
-
Goal
OpenID Connect integration
Summary
OpenID Connect (OIDC) is the latest standard for Single Sign-On (SSO) integration. It essentially replaces the older SAML standard, though it was never designed to replace SAML (and SAML still provides some functionality that OpenID Connect doesn't). However, due to its popularity and ease of configuration, it has become the dominant standard.
By implementing SSO using OIDC, a user may log in once to an application and then have access to multiple applications without an additional login. OIDC handles login, providing access tokens and refresh tokens, as well as claims such as username and group membership. By using OIDC, if configured at deployment, all users of a group, or any logged-in user, will be able to access their own heimdall dashboard automatically; if a user is in a group configured as an administrator group, then they will have administrator access enabled by default.
Requirements
Milestones
Ideas for implementation
Harbor has a nice gui to configure oidc that we might want to copy:
Configuring harbor oidc using json which we might want to copy:
Many apps will have a main screen with an option to log in with a configured identity provider, or as admin (in case an identity provider is not configured, or folks have decided to use a local user db); here's a screenshot from argocd:
Additional notes
By using oidc we'd get pretty much all desired implementations. Using keycloak, for example, as the identity provider means the keycloak admin can configure LDAP as the user federation source, meaning LDAP, or github, or many others, can be used behind the scenes with keycloak providing the login gui. Keycloak is Red Hat's upstream SSO solution. Microsoft Azure can also be used with OIDC, as well as pretty much all other identity providers.
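The two steps the thread keeps coming back to, validating the ID token the identity provider hands back and then turning its `preferred_username` and `groups` claims into a local account with an admin flag, are shown below as an added example. This is not Heimdall code and not the OIDC PHP library the earlier comment mentions; it is a stdlib-only Python sketch. To stay self-contained it assumes an ID token signed with HS256 using the client secret (OIDC Core 10.1 allows this for confidential clients); a Keycloak realm signs with RS256 by default, so a real implementation would fetch the JWKS and use a JWT library instead. The issuer URL, client id, secret, the `heimdall-admins` group name and the sample claims are all constructed for the example.

```python
"""Verify an OIDC ID token and map its claims to a local dashboard user (stdlib only)."""
import base64
import hashlib
import hmac
import json
import time

# Hypothetical deployment values (assumed for this example, not Heimdall config).
ISSUER = "https://keycloak.example.com/realms/home"
CLIENT_ID = "heimdall"
CLIENT_SECRET = b"constructed-example-client-secret"  # constructed; shared with the IdP
ADMIN_GROUP = "heimdall-admins"  # hypothetical group that grants admin access
CLOCK_SKEW = 60  # seconds of tolerance when checking exp


class TokenError(ValueError):
    """Raised for any token that must not be trusted."""


def _b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _sign(signing_input: bytes) -> bytes:
    return hmac.new(CLIENT_SECRET, signing_input, hashlib.sha256).digest()


def verify_id_token(token: str, *, expected_nonce: str, now=None) -> dict:
    """Return the verified claims or raise TokenError (checks per OIDC Core 3.1.3.7)."""
    now = time.time() if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise TokenError("malformed token")
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm we configured; never let the token's own header choose it.
    if header.get("alg") != "HS256":
        raise TokenError("unexpected alg")
    expected_sig = _sign(f"{header_b64}.{payload_b64}".encode())
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        raise TokenError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != ISSUER:
        raise TokenError("wrong issuer")
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if CLIENT_ID not in aud:
        raise TokenError("wrong audience")
    if len(aud) > 1 and claims.get("azp") != CLIENT_ID:
        raise TokenError("azp required for multi-audience token")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now > exp + CLOCK_SKEW:
        raise TokenError("expired")
    # The nonce ties this token to the login redirect we issued (replay protection).
    if not hmac.compare_digest(str(claims.get("nonce")), expected_nonce):
        raise TokenError("nonce mismatch")
    return claims


def rejection_reason(token: str, *, expected_nonce: str, now=None):
    """None if the token verifies, otherwise the reason it was rejected."""
    try:
        verify_id_token(token, expected_nonce=expected_nonce, now=now)
    except TokenError as err:
        return str(err)
    return None


def map_user(claims: dict) -> dict:
    """Build the local account record; admin comes only from verified group membership."""
    username = claims.get("preferred_username") or claims["sub"]
    # Keycloak's group mapper emits full paths like "/heimdall-admins" by default.
    groups = [g.lstrip("/") for g in claims.get("groups", [])]
    return {"sub": claims["sub"], "username": username,
            "groups": groups, "is_admin": ADMIN_GROUP in groups}


def make_id_token(claims: dict, alg: str = "HS256") -> str:
    """Sign a token the way the IdP would; used only to construct sample input."""
    header_b64 = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload_b64 = _b64url_encode(json.dumps(claims).encode())
    sig = _sign(f"{header_b64}.{payload_b64}".encode()) if alg == "HS256" else b""
    return f"{header_b64}.{payload_b64}.{_b64url_encode(sig)}"


# Constructed sample claims, shaped like a Keycloak ID token for a user in the admin group.
SAMPLE_NOW = 1_700_000_000
SAMPLE_NONCE = "n-0S6_WzA2Mj"
SAMPLE_CLAIMS = {"iss": ISSUER, "aud": CLIENT_ID, "sub": "1234", "iat": SAMPLE_NOW,
                 "exp": SAMPLE_NOW + 300, "nonce": SAMPLE_NONCE,
                 "preferred_username": "alice", "groups": ["/heimdall-admins", "/staff"]}


def demo() -> dict:
    token = make_id_token(SAMPLE_CLAIMS)
    return map_user(verify_id_token(token, expected_nonce=SAMPLE_NONCE, now=SAMPLE_NOW))


if __name__ == "__main__":
    print(demo())
```

The order matters: signature first, then issuer, audience, expiry and nonce, and only then are `preferred_username` and `groups` read. Anything that edits the payload (say, adding the admin group) breaks the signature; a token minted for another client fails the audience check; and an `alg: none` header is refused because the algorithm is pinned on our side rather than read from the token.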