Comment

Comment on Simple authentication for homelab?

krash@lemmy.ml ⁨3⁩ ⁨months⁩ ago

Sorry for the off topic question, but what are the gains / constraints of using an identity / authentication service? Sure, you only are going to need to remember one password/identity. But each webapp must have support for the said protocol, and so does their clients, no? It does seem like a lot of work (and risk exposure) for little gain.

Please enlighten me if I’m wrong!

source

Sort:hotnew top

chiisana@lemmy.chiisana.net ⁨3⁩ ⁨months⁩ ago
Most of the apps I use support external authentication using popular standards (OAuth for most part). This means the clients will also support the said standards out of the box. Having a standardized authentication flow makes logging in much easier as well.

I also don’t want to deal with passwords… because I don’t trust myself to handle passwords. So before settling down on Authentik, I used FusionAuth to do OIDC via Google. Then I discovered I could do WebAuthn / Passkey with Authentik, so the portal really only ever need to know my public key, and approves access based on private keys, which are gated by my devices’ biometric features. This is way more secure than other solutions and I don’t even need to remember a password.

The one edge case I’ve encountered is a couple of apps recently transitioning to mandating authentication, but doesn’t have OIDC integration of their own. Fortunately, there’s a hidden config flag in XML that I can use to tell them that I have externally managed authentication, and I gate access to them via a middleware in my reverse proxy. As for client, my client of choice allows me to add custom HTTP headers, so I have a special “API key” kind of header that my reverse proxy looks at, which allow me to bypass authentication, so everything works nicely together.

In my mind, using the vanilla out of the box authentication feels less secure than me gating things via OIDC or middleware. This is because everyone knows they could Google for “Powered by WordPress” or similar phrase to target specific apps with known authentication exploit. However, by switching it up and using a different mechanism, the common exploit vectors might not be as effective against my deployment.

source
johntash@eviltoast.org ⁨3⁩ ⁨months⁩ ago
As long as it’s a web app, it’s usually fine and can provide an extra layer of security. The app does need to have some support for sso if you want it to be seamless though, without logging in twice.

Most of my services are internal only, but sometimes I want to give access to someone on the internet without also giving them VPN access. If the app doesn’t support any kind of login, having an Auth proxy in front of it really helps for that use case.

Remembering lots of passwords isn’t a big deal if you have a password manager, but not having to log in to each app separately is nice. It’s also nice to be able to put Auth in front of things that don’t support it natively.

source
redcalcium@lemmy.institute ⁨3⁩ ⁨months⁩ ago
Mostly for convenience and standardizing your security procedure. Most apps popular for self hosting now supports OIDC, so it’s no brainer to setup. On the other hand, most apps don’t support 2fa, or support it in a weird way (e.g. no recovery code). By using keycloak, you can be sure all your apps follow the same login standard you setup.

For those apps that don’t support OIDC, you can simply slap oauth2proxy in front of it and it’s done.

source
atzanteol@sh.itjust.works ⁨3⁩ ⁨months⁩ ago
Making it easier for users to remember passwords leads to them using better passwords and practicing better password hygiene generally.

You can also change your password across multiple systems easily if your password is compromised.

source
Nibodhika@lemmy.world ⁨3⁩ ⁨months⁩ ago
Login is a dangerous and difficult thing to implement, are you sure that all of your services:

Store passwords hashed and salted

Have brute-force prevention

Etc

It’s safer to have one service focused on that and other services can rely on that one to implement it correctly.
source