Comment

HelloRoot@lemy.lol ⁨3⁩ ⁨days⁩ ago

I think OP is talking about auth in services that you selfhost.

For example elster.de forces you to sign in by entering a username and uploading a cert file.

But mostbselfhosted services only have username/password logins.

Sort:hotnew top

jeena@piefed.jeena.net ⁨3⁩ ⁨days⁩ ago
That sounds like aPasskey

source
- HelloRoot@lemy.lol ⁨3⁩ ⁨days⁩ ago
  It does sound like one, but it isn’t.
  
  Passkey
  
  Per-service key pair, unique per domain, Identity bound only to that specific account on that site
  
  Challengeresponse via WebAuthn
  
  Trust anchored only in the target service (no external CA)
  
  Private key sealed in OS / secure hardware keystore
  
  Certificate login
  
  Single global identity usable across many services
  
  TLS client authentication with certificates
  
  Trust established via certificate authorities and chain validation
  
  Private key stored in exportable file or smartcard
  
  source
  - GreenCrunch@piefed.blahaj.zone ⁨2⁩ ⁨days⁩ ago
    Thanks for the explanation!
    
    source
- Appoxo@lemmy.dbzer0.com ⁨2⁩ ⁨days⁩ ago
  Nope it’s a P12 certificate
  
  source
northernlights@lemmy.today ⁨2⁩ ⁨days⁩ ago
Yep which is why I use oauth2-proxy between these services and casdoor.

source
Flipper@feddit.org ⁨3⁩ ⁨days⁩ ago
If a service doesnt offer Oidc, just dont self host it. The SSO service can then be properly secured and even if its only a password, at least its not reused.

source
- melmi@lemmy.blahaj.zone ⁨3⁩ ⁨days⁩ ago
  Just put everything that doesn’t have OIDC behind forward auth. OIDC is overrated for selfhosting.
  
  source
Appoxo@lemmy.dbzer0.com ⁨2⁩ ⁨days⁩ ago
That is certificate based

source

Passkey