Pomerium
authelia
Our great sponsors
Pomerium | authelia | |
---|---|---|
26 | 174 | |
3,807 | 19,235 | |
1.2% | 3.3% | |
9.7 | 9.9 | |
6 days ago | 3 days ago | |
Go | Go | |
Apache License 2.0 | Apache License 2.0 |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
Pomerium
-
Moving from Google workspace to Microsoft 365 and implementing Zero Trust
That is not how you do Zero Trust. You want to use an Identity Aware Proxy. There are lots of ways you can implement this with Google as your core auth. For example Pomerium or oauth2-proxy.
-
Which reverse proxy are you using?
I’m really surprised this sub has no love for Pomerium. I feel like it’s as simple as Caddy with all the security benefits of Traefik.
-
AD/AAD Authentication for Apps running in Kubernetes Cluster
Pomerium sidecar.
-
What is the best way to implement an SSO for several existing web apps?
Just want to drop https://www.pomerium.com/ here. We use it at our company with ~1500 people with many apps behind the proxy. It also supports JWT for the backend, so you can integrate your apps easily without having to worry about the OAuth flow and also your apps are protected from random internet attacks.
-
Tailscale Authentication for Nginx
You might just want to integrate a policy rules engine like open policy agent: https://www.openpolicyagent.org/ It can act as a server which you bounce a subrequest against to get an authorization answer from a policy you defined ahead of time with a simple language.
And if you don't have time or want to do that, check out Pomerium it's basically a forward auth proxy with OPA policy engine integrated into it already: https://www.pomerium.com/
-
I wrote a smarter SSH bastion in Rust
Pomerium
-
Add Password Protection to Any Site with OAuth2 Proxy - Plus Social Logins
If oauth2-proxy doesn't suit your needs, there are some projects that have spun-off from oauth2-proxy like pomerium and BuzzFeed's sso. In addition to the open source library, Pomerium offers a paid service with a GUI to help IT staff more easily manage user permissions. BuzzFeed's sso builds upon oauth2-proxy by separating the domain used for auth from the domain used for the proxy (among several other changes).
-
What VPN/access solution do the big tech companies use?
Here's a list of open source products that aim at doing that: - Pomerium - Ory - Keycloak*
-
Pomerium now supports hardware-backed device identity via WebAuthn
I'm one of the maintainers of an open source identity aware access proxy called Pomerium. We just released v0.16 which includes a bunch of new features, but there's one in particular that has been in the works for months which I'm really excited about and wanted to share. In short, Pomerium now supports incorporating device identity into your access policies.
-
a selfhostable, dockerable service that has some sort of API to automatic insert links: suggestion?
As for authentication, I'd recommend splitting the authentication from the dashboard by putting a reverse proxy in front of the dashboard service. You can then use these credentials for the other services that the dashboard links to. Which one to use is highly dependent or your setup, so I'll just throw some self-hostable authentication proxies out here (haven't used any of them): Authelia, Dex, Pomerium
authelia
-
Keycloak SSO with Docker Compose and Nginx
It's me and two others though I'm definitely the most active. We put a lot of effort into security best practices and one of my co-developers is currently reviewing the 4.38.0 release. It's a fairly major release with a lot of important code paths that have been improved for the future.
Our official docs can be found at https://www.authelia.com and you can find docs for a particular PR in the relevant PR. We've also linked the pre-release docs in the pre-release discussions which can be found here: https://github.com/authelia/authelia/discussions/categories/...
I've been eyeing authentik[1] and authelia[2].
Authelia looks really good to me, but the fact that keycloak has connectors for angular and you need to setup oidc angular plugins with authelia for example made me a little bit wary. But I guess having a config for Keycloak makes it's easier to get started.
> My only concern is that Authelia hasn't had a new release for more than a year, which raises security concerns.
I'm a bit concerned about that too. When setting it up, I found a lot of their docs on github mentioned they have `template` and `expand-env` "configuration filters", then it took me entirely too long to realize that while the 4.38 pre-release notes, posted in January 2023, say it's "just around the corner", it's still being worked on.
Having said that, there still seems to be somewhat active development. It may just be one person at this point.
https://hub.docker.com/layers/authelia/authelia/v4.38.0-beta...
That's not a new release of authelia. Authelia's releases are at https://github.com/authelia/authelia/releases
The updates to the AUR package were not about new releases since 2022:
aur/authelia $ git log ad4e6ca^..HEAD
-
Why would anyone need AD/AAD when you can manage devices through Saltstack?
https://github.com/saltstack/salt https://github.com/chocolatey/choco https://github.com/nextcloud https://github.com/authelia/authelia https://github.com/grafana/grafana
-
HAProxy with Forward Auth to Authentik
If you are using HAProxy on PfSense/OPNSense, see my issue https://github.com/authelia/authelia/issues/2696
-
Keycloak – Open-Source Identity and Access Management Interview
We used keycloak for openid identity provider as well. It is fine to setup keycloak once. But it is painful share the setup with other engineers.
For local development, we end up using dex (https://dexidp.io). When we need support group/role, we use dex and glauth(https://glauth.github.io). Both dex and glauth can be configured with yaml files. We just created a few yaml files and a docker compose file, every engineer can be brought up the whole environment in a few seconds.
Also https://www.authelia.com and https://github.com/goauthentik/authentik look pretty promising, if you need more advanced features from them.
-
LDAP or AD for selfhosted
https://github.com/lldap/lldap is a very simple and lightweight LDAP solution. Works flawless with https://www.authelia.com/
-
Authelia/SSO With Caddy In Docker Compose?
Ah yeah, so I guess it's been a while since I tried and I forgot where I got stuck last time. Authelia's config.yml is absolutely massive and I'm not sure which section of their guide I should be following. In The Docker Compose section, there's "Unbundled", "Lite", and "Local". I think I want to be running the "lite" bundle, but their example compose file has a ton of Traefik stuff in it. I know I wouldn't keep the Traefik services, but do I need either secure or public?
What are some alternatives?
authentik - The authentication glue you need.
Keycloak - Open Source Identity and Access Management For Modern Applications and Services
oauth2 - Go OAuth2
oauth2-proxy - A reverse proxy that provides authentication with Google, Azure, OpenID Connect and many more identity providers.
Nginx Proxy Manager - Docker container for managing Nginx proxy hosts with a simple, powerful interface
dex - OpenID Connect (OIDC) identity and OAuth 2.0 provider with pluggable connectors
Portainer - Making Docker and Kubernetes management easy.
traefik-forward-auth - Minimal forward authentication service that provides Google/OpenID oauth based login and authentication for the traefik reverse proxy
uptime-kuma - A fancy self-hosted monitoring tool
vaultwarden - Unofficial Bitwarden compatible server written in Rust, formerly known as bitwarden_rs
zitadel - Cloud-native Identity & Access Management solution providing a platform for secure authentication, authorization and identity management.