Setup an SSO service for admin interfaces #375
Comments
|
My first pick would be kanidm. Our packaging in nixpkgs is great, and we have a great relationship with the upstream. |
|
Sounds even better then! |
|
kanidm + oauth2_proxy sounds like the right pairing for the described use case.
|
|
The alternative would be a simpler setup that binds to GitHub accounts, like https://dexidp.io/docs/connectors/github/, in which case we would use GitHub as an identity provider. |
|
keycloak would be another really good tool for this, I've used it in the past and it felt very seamless |
|
Keycloak is the fat industry standard. I'm aware of it, but I'm not sure I want it. |
|
yeah, thats fair :) |
|
For the record, I believe @Erethon is working on something adjacent to this for the Grist trial. |
Indeed, it's adjacent. One of the requirements for Grist is to have an OIDC provider, as such I'm looking into Dex which was already mentioned in this thread. If Dex sounds like a solution we would like to pursue (regardless of Grist), I can open a draft PR to test it out. |
|
For alertmanager we just went with oauth2proxy against the GitHub infra3 team. |
Some of our admin interfaces are currently stuck on Wireguard because they don't support (or badly support) HTTP authentication / authorization. Most notably right now: Alertmanager.
We should setup some kind of auth proxy - my first pick would be Authentik, but no strong preference. Then we can move some of the services behind it, and possibly also replace some stuff that currently have their own user accounts (Grafana? maybe even Hydra?).
The text was updated successfully, but these errors were encountered: