Example deployments for authelia and authentik

[fmoc]

The desktop client recently received a couple of bug reports regarding two new(?) IdPs called authelia and authentik. These appear to be easier to set up than Keycloak.

I think the server should add example deployments for both of them like it is done with Keycloak to:

a) allow for easier debugging against either of these
b) make it easier for users to deploy their oCIS instances correctly against either of these

CC @michaelstingl, @TheOneRing

[C8opmBM]

Some additional info regarding the desktop client setup with Authelia. I tested web, desktop and android clients, they all work.

For the desktop client, when authenticating in the browser, ownCloud’s desktop client sends a prompt parameter that Authelia doesn’t yet know how to handle (it’s planned for OIDC beta 7). To work around this temporary limitation, we remove the offending parameter with a uri replace

With Caddy v2

auth.domain.net {
	uri /api/oidc/authorization replace &prompt=select_account%20consent ""
	reverse_proxy authelia:9091
}

With NGINX/SWAG

server {
 [...]
   server_name auth.*;
 [...]
    location / {
        if ($args ~* (.*)(&prompt=select_account%20consent)(.*)) {
           set $args $1$3;
           rewrite ^(.*)$ $1;
        }
 [...]
        set $upstream_app authelia;
        set $upstream_port 9091;
 [...]
    }
}

Found the workaround on this blog:
https://helgeklein.com/blog/owncloud-infinite-scale-with-openid-connect-authentication-for-home-networks/

Also for Authelia, don't forget to increase the refresh_token_lifespan

  oidc:
    access_token_lifespan: 1h
    authorize_code_lifespan: 1m
    id_token_lifespan: 1h
    refresh_token_lifespan: 3M

[mmattel]

Closed via: owncloud/docs-ocis#428

[michaelstingl]

Closed via: owncloud/docs-ocis#428

Request wasn't about the docs. Needs new deployments for https://owncloud.dev/ocis/deployment/continuous_deployment/

[mmattel]

the refereced docs cover deployments?
what else is needed?

[michaelstingl]

I need permanent continuous deployed systems to play with, linked from https://owncloud.dev/ocis/deployment/continuous_deployment/ , in addition to the Keycloak examples.

[stale]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 10 days if no further activity occurs. Thank you for your contributions.

[stale]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 10 days if no further activity occurs. Thank you for your contributions.

[micbar]

@fmoc I must be honest with you. Despite your good efforts, we cannot add this example currently. We already have more examples than we can maintain 😞

@dragotin Please clarify what we can do in regards of resources.

[fmoc]

Maybe I'll contribute instructions over at Authentik. They have a collection of guides on apps they support.

[disconn3ct]

Unfortunately it isn't compatible with Authentik since the IDM was separated. The Authentik ldap outposts are read-only.

[micbar]

@disconn3ct you can use autoprovisioning.

[disconn3ct]

The chart disables both idm and idp if oidc is enabled. It also directly says that external LDAP is required and autoprovision requires writable ldap.

Should I open a chart bug instead?

[micbar]

Ah ok, I missed the context of the helm chart.

I think the ocis chart has currently not all possible deployment scenarios covered.

[disconn3ct]

I don't think I can over-emphasize just how very very strongly the chart says that this is not a possible deployment. This isn't missing a scenario, this is a strongly voiced decision and it is driving away new users. If it is a wrong or outdated decision, I'm happy to open a bug on the other repo if that is needed to get it fixed.

Colloquially, I'm pretty driven to get this installed but not enough to try building a 40-odd-deployment chart myself when the upstream doesn't agree on how the services are bound together.

[micbar]

@disconn3ct maybe I am missing a point here.

1. What is the problem you are trying to solve
2. How is this linked to the ocis charts

[disconn3ct]

The problem: I want to install OCIS with authentik. (More generally, I want to install with only an external OIDC and optionally a read-only LDAP.) According to the docs, OCIS is not compatible with Authentik on K8S because OIDC requires an external writable LDAP.

It isn't a gap in the examples. It is explicitly written into the chart and the accompanying documentation.

If this bug is the wrong spot, I'm happy to move this somewhere else.

[micbar]

According to the docs, OCIS is not compatible with Authentik on K8S because OIDC requires an external writable LDAP.

Why is a writable LDAP a blocker for Authentik?

[disconn3ct]

Authentik outposts are read only. So we're back to using an external ldap server.

[micbar]

Authentik outposts are read only. So we're back to using an external ldap server.

Ok. I have no knowledge about Authentik, but that means, Authentik cannot create or modify users when they are originating from LDAP?

[disconn3ct]

Originating from LDAP? LDAP is not the source of truth. Authentik is. (And it can subscribe to upstream directories, but that is obviously unrelated.) Am I misunderstanding your question?

[micbar]

I thought that would be possible. Keycloak can use LDAP as a user source and can write to it.

But back to your setup:

What about using Authentik with ocis and OpenLdap (only connected to ocis) and autoprovisioning?

[disconn3ct]

It doesn't fit the problem:

I want to install OCIS with authentik. (More generally, I want to install with only an external OIDC and optionally a read-only LDAP.)

I guess I could edit it to "OCIS with only Authentik" but I thought that was assumed.

Saying it works with OpenID and then hiding an openldap requirement in the values file seems designed to disappoint new users. Even in this bug you can't decide if it is required or just suggested.

[micbar]

Maybe you do not understand the issue, from my pov there is none.

Explanation: ocis always needs an LDAP because it has no database. In the default config, ocis brings an internal LDAP which is fine for testing and small scenarios. It has not the full LDAP feature set. Therefore we recommend to replace that in every production deployment to get all advantages and stability and performance of a real LDAP server. Unfortunately, we cannot compile OpenLDAP into the ocis binary. But to make that clear, this issue has nothing to do with authentik. It applies to all ocis instances, regardless which OIDC provider is used.

[disconn3ct]

always needs an LDAP

👍

fine for testing and small scenarios

Elsewhere defined as "below ~100 accounts". Conveniently, my test installation is only 5 users.

we recommend to replace

That word means optional, but the chart makes it an explicit requirement. As a whole, the project doesn't seem to agree whether an external LDAP is required or not. (From a technical perspective, after some hack and slash on the chart I was able to separate external OIDC from external LDAP and it seems to be fine.)

[micbar]

That word means optional, but the chart makes it an explicit requirement. As a whole, the project doesn't seem to agree whether an external LDAP is required or not. (From a technical perspective, after some hack and slash on the chart I was able to separate external OIDC from external LDAP and it seems to be fine.)

The chart is not maintained by the same people, that explains it maybe 🤣

[disconn3ct]

The chart is not maintained by the same people, that explains it maybe 🤣

If this bug is the wrong spot, I'm happy to move this somewhere else.

[wkloucek]

we recommend to replace

The oCIS chart aims at highly available installations only.
This cannot and will never be achieved with the oCIS IDM and IDP service.

With Authentik and the ready-only LDAP outpost, you don't need the autoprovisioning to be enabled, since the IDP and LDAP already have the same users. (Autoprovisioning is only needed if users are not yet in LDAP and oCIS should create them based on information gathered via OIDC).

[disconn3ct]

The oCIS chart aims at highly available installations only.
This cannot and will never be achieved with the oCIS IDM and IDP service.

Then why does it ship them at all?

Autoprovisioning is only needed if users are not yet in LDAP

🎉 That is the info I was missing. Thank you!

[wkloucek]

Then why does it ship them at all?

To quickly spin it up a simple development installation. Plus it allows you quick testing without integrating into your LDAP and IDP setup.

It follows the same "batteries included" principle as the oCIS single process approach (ocis server), but unfortunately those batteries don't last that long in the Kubernetes world because even basic high availability (minimum two pods across a failure domain) is not possible with the oCIS IDM and IDP (deliberate design decision, because there are plenty of those systems out there!).

[wkloucek]

That is the info I was missing. Thank you!

Are you open to contribute a Helmfile of a oCIS with Authentik setup? (similar to these https://github.com/owncloud/ocis-charts/tree/main/deployments)

Having a similar setup like you have, would allow us to provide better help and test for regressions / adaptions needed.