Pomerium
OpenID
Our great sponsors
Pomerium | OpenID | |
---|---|---|
26 | 10 | |
3,807 | 945 | |
1.2% | 2.1% | |
9.7 | 9.3 | |
7 days ago | 6 days ago | |
Go | C | |
Apache License 2.0 | Apache License 2.0 |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
Pomerium
-
Moving from Google workspace to Microsoft 365 and implementing Zero Trust
That is not how you do Zero Trust. You want to use an Identity Aware Proxy. There are lots of ways you can implement this with Google as your core auth. For example Pomerium or oauth2-proxy.
-
Which reverse proxy are you using?
I’m really surprised this sub has no love for Pomerium. I feel like it’s as simple as Caddy with all the security benefits of Traefik.
-
AD/AAD Authentication for Apps running in Kubernetes Cluster
Pomerium sidecar.
-
What is the best way to implement an SSO for several existing web apps?
Just want to drop https://www.pomerium.com/ here. We use it at our company with ~1500 people with many apps behind the proxy. It also supports JWT for the backend, so you can integrate your apps easily without having to worry about the OAuth flow and also your apps are protected from random internet attacks.
-
Tailscale Authentication for Nginx
You might just want to integrate a policy rules engine like open policy agent: https://www.openpolicyagent.org/ It can act as a server which you bounce a subrequest against to get an authorization answer from a policy you defined ahead of time with a simple language.
And if you don't have time or want to do that, check out Pomerium it's basically a forward auth proxy with OPA policy engine integrated into it already: https://www.pomerium.com/
-
I wrote a smarter SSH bastion in Rust
Pomerium
-
Add Password Protection to Any Site with OAuth2 Proxy - Plus Social Logins
If oauth2-proxy doesn't suit your needs, there are some projects that have spun-off from oauth2-proxy like pomerium and BuzzFeed's sso. In addition to the open source library, Pomerium offers a paid service with a GUI to help IT staff more easily manage user permissions. BuzzFeed's sso builds upon oauth2-proxy by separating the domain used for auth from the domain used for the proxy (among several other changes).
-
What VPN/access solution do the big tech companies use?
Here's a list of open source products that aim at doing that: - Pomerium - Ory - Keycloak*
-
Pomerium now supports hardware-backed device identity via WebAuthn
I'm one of the maintainers of an open source identity aware access proxy called Pomerium. We just released v0.16 which includes a bunch of new features, but there's one in particular that has been in the works for months which I'm really excited about and wanted to share. In short, Pomerium now supports incorporating device identity into your access policies.
-
a selfhostable, dockerable service that has some sort of API to automatic insert links: suggestion?
As for authentication, I'd recommend splitting the authentication from the dashboard by putting a reverse proxy in front of the dashboard service. You can then use these credentials for the other services that the dashboard links to. Which one to use is highly dependent or your setup, so I'll just throw some self-hostable authentication proxies out here (haven't used any of them): Authelia, Dex, Pomerium
OpenID
-
Keycloak SSO with Docker Compose and Nginx
I did something similar, though picked Apache with mod_auth_openidc, which is a certified Relying Party implementation: https://github.com/OpenIDC/mod_auth_openidc
In other words, I can protect arbitrary applications through my reverse proxy and require either certain claims/roles, or simplify auth to the point where my downstream app/API will just receive a bunch of headers like OIDC_CLAIM_sub, OIDC_CLAIM_name, OIDC_CLAIM_email through the internal network, not making me bother with configuring OIDC libraries for all of my APIs and configure them in each stack that I might use, but rather contain all of that complexity in the web server.
Basically:
user <==> Apache (with mod_auth_openidc) <==> API (with OIDC_ headers, if logged in)
-
What Is OIDC?
> Don't outsource either your authentication or authorization. Run it in-house.
This is hard to do, though. I hope people here will drop a lot of combinations that work for them!
Personally, for a small/medium scale project, I went with:
Keycloak: https://www.keycloak.org/
It supports various backing RDBMSes (like PostgreSQL, MariaDB/MySQL and others), allows both users that you persist in your own DB, as well as various external sources, like social login across various platforms, is an absolute pain to configure and sometimes acts in stupid ways behind a reverse proxy, but has most of the features that you might ever want, which sadly comes coupled with some complexity and an enterprise feeling.
I quite like that it offers the login/registration views that you need with redirects, as well as user management, storing roles/permissions and other custom attributes. It's on par with what you'd expect and should serve you nicely.
mod_auth_openidc: https://github.com/OpenIDC/mod_auth_openidc
This one's a certified OpenID Connect Relying Party implementation for... Apache2/httpd.
Some might worry about the performance and there are other options out there (like a module for OpenResty, which is built on top of Nginx), but when coupled with mod_md Apache makes for a great reverse proxy/ingress for my personal needs.
The benefit here is that I don't need 10 different implementations for each service/back end language that's used, I can outsource the heavy lifting to mod_auth_openidc (protected paths, needed roles/permissions, redirect URLs, token renewal and other things) and just read a few trusted headers behind the reverse proxy if further checks are needed, which is easy in all technologies.
That said, the configuration there is also hard and annoying to do, as is working with OpenID Connect in general, even though you can kind of understand why that complexity is inherent. Here's a link with some certified implementations, by the way: https://openid.net/developers/certified-openid-connect-imple...
-
Easy to use OpenID Connect client and server library written for Go
otherwise connections would randomly drop. I was looking for other ways to make development a bit easier and also settled on mod_auth_openidc, which is an Apache module that lets it act like a Relying Party and handle lots of the heavy lifting (protecting endpoints, refreshing tokens etc.) for me, and lets me work with just a few headers that are passed to the protected resources: https://github.com/OpenIDC/mod_auth_openidc
It works, but I'm still not happy - I realize that there are many types of attacks that have historically been a problem and that certain OpenID Connect flows try to protect against, in addition to the fact that if I wrote my own security code it'd almost certainly be worse and have vulnerabilities (in the words of Eoin Woods: "Never invent security technology"), and it's a good thing to follow standards... but the whole thing is such a pain. Both OpenID Connect, Keycloak and configuring mod_auth_openidc.
Right now I'm moving permissions/roles from Keycloak back into the app DB, with references to the Keycloak user IDs, because I don't want to have to work with the Keycloak REST API every time I want to change what a user can or cannot do in the system, in addition to permissions which might only apply conditionally (one user might be related to multiple organizations, having different permissions in the context of each).
Regardless, it's nice that there are more pieces of software out there to choose from!
-
Show HN: Obligator – An OpenID Connect server for self-hosters
Personally I went with Keycloak, because it's fairly well documented and also has Docker images available: https://www.keycloak.org/getting-started/getting-started-doc... although the fact that they want you to create an "optimized" image yourself and have a long build/setup process on startup instead is slightly annoying: https://www.keycloak.org/server/containers
Regardless, with something like mod_auth_openidc or another Relying Party implementation, all of the sudden authn/authz becomes easier to manage (you can literally get user information including roles in headers that are passed from your gateway/relying party to apps behind the reverse proxy), regardless of what you have actually running in your APIs: https://github.com/OpenIDC/mod_auth_openidc (there are other options, of course, but I went with that because I already use mod_md).
It's actually cool that there are plentiful options in the space, since OIDC is pretty complex in of itself and attempts at creating something pleasant to actually use are always welcome, I've also heard good things about Authentik: https://goauthentik.io/
-
Password protect a static HTML page
> The user experience with basic auth is not so good.
Apache actually also has an OpenID Connect module, which you can enable to have it work as a relying party: https://github.com/zmartzone/mod_auth_openidc
Basically, the actual UI will be handled by another system that you might be using, for example, in my case that might be a self-hosted Keycloak instance: https://www.keycloak.org/
I'd say that Keycloak is a pretty good solution in general, because it does some of the heavy lifting for you, maybe its shorter release cycle not being the best thing ever, though. I think IdentityServer also tried to fill this niche, but they went full on commercial recently, without OSS offerings.
-
SSO - For Plex, Emby and AudioBookShelf etc... How are you exposing these for remote access?
E.g. for Apache httpd there's mod_auth_openidc available.
-
Keycloak: Open-Source Identity and Access Management
I really like https://tools.ietf.org/html/draft-ietf-oauth-security-topics with it's evergreen approach and looking forward to oauth2.1 to sum up the current best practices.
Depending on your use case I have good experience with https://github.com/zmartzone/mod_auth_openidc and https://github.com/panva/node-oidc-provider.
https://github.com/OpenIDC/pyoidc also might be a good choice as security researchers in that area did take a look in it...
-
How to Use OAuth to Add Authentication to Your React App
I leave that the the module, I believe it uses client cookies by default, but I use a persistent server cache on disk (the session tokens are stored encrypted)
https://github.com/zmartzone/mod_auth_openidc/wiki/Session-m...
What are some alternatives?
oauth2-proxy - A reverse proxy that provides authentication with Google, Azure, OpenID Connect and many more identity providers.
Nginx Proxy Manager - Docker container for managing Nginx proxy hosts with a simple, powerful interface
Gravitational Teleport - Protect access to all of your infrastructure
authelia - The Single Sign-On Multi-Factor portal for web apps
Keycloak - Open Source Identity and Access Management For Modern Applications and Services
FreeIPA - Mirror of FreeIPA, an integrated security information management solution
traefik - The Cloud Native Application Proxy
Samba - https://gitlab.com/samba-team/samba is the Official GitLab mirror of https://git.samba.org/samba.git -- Merge requests should be made on GitLab (not on GitHub)
vouch-proxy - an SSO and OAuth / OIDC login solution for Nginx using the auth_request module
rdpgw - Remote Desktop Gateway in Go for deploying on Linux/BSD/Kubernetes
LDAP Account Manager (LAM) - LDAP Account Manager