What’s everyones recommendations for a self-hosted authentication system?

My requirements are basically something lightweight that can handle logins for both regular users and google. I only have 4-5 total users.

So far, I’ve looked at and tested:

  • Authentik - Seems okay, but also really slow for some reason. I’m also not a fan of the username on one page, password on the next screen flow
  • Keycloak - Looks like it might be lighter in resources these days, but definitely complicated to use
  • LLDAP - I’d be happy to use it for the ldap backend, but it doesn’t solve the whole problem
  • Authelia - No web ui, which is fine, but also doesn’t support social logins as far as I can tell. I think it would be my choice if it did support oidc
  • Zitadel - Sounds promising, but I spent a couple hours troubleshooting it just to get it working. I might go back to it, but I’ve had the most trouble with it so far and can’t even compare the actual config yet
  • g5pw@feddit.it
    link
    fedilink
    English
    arrow-up
    1
    ·
    9 months ago

    Yes, it should cover all the use cases you mention!

    I use oauth2-proxy as ForwardAuth on Traefik so I can protect apps that do not support OAuth/OIDC login/

    • timbuck2themoon@sh.itjust.works
      link
      fedilink
      English
      arrow-up
      2
      ·
      9 months ago

      Awesome. Thank you.

      Now to see how i make this work in k8s since they evidently mandate the cert inside instead of just allowing the ingress to have it.

      • g5pw@feddit.it
        link
        fedilink
        English
        arrow-up
        1
        ·
        9 months ago

        Yeah, sounds like a security feature… I was able to configure Traefik to connect with TLS, verifying the peer certificate.

        • timbuck2themoon@sh.itjust.works
          link
          fedilink
          English
          arrow-up
          1
          ·
          9 months ago

          I could do this but sadly even just the trial did not work. I’m using podman but it gives me “invalid state” just trying to login with a user per the quickstart, etc. Can’t reset the password cleanly, can’t add a passkey via bitwarden, etc.

          Unsure if I’m doing something wrong or if it’s very alpha/beta.

            • timbuck2themoon@sh.itjust.works
              link
              fedilink
              English
              arrow-up
              1
              ·
              edit-2
              9 months ago
              0e2475ba-882a-4f61-8938-2642ca80193b WARN     │  ┝━ 🚧 [warn]: WARNING: index "displayname" Equality was not found. YOU MUST REINDEX YOUR DATABASE
              0e2475ba-882a-4f61-8938-2642ca80193b WARN     │  ┝━ 🚧 [warn]: WARNING: index "name_history" Equality was not found. YOU MUST REINDEX YOUR DATABASE
              0e2475ba-882a-4f61-8938-2642ca80193b WARN     │  ┝━ 🚧 [warn]: WARNING: index "jws_es256_private_key" Equality was not found. YOU MUST REINDEX YOUR DATABASE
              

              I had to drop it for a few days. I got that at some point though. It’s all brand new so I wouldn’t know why. Seems a bit rough around the edges so far. I’ll try to reindex and attempt again. I really want this to be the product I use since it’s a nice AIO solution but we’ll see.

              Edit:

              [~]$ podman run --rm -i -t -v kanidm:/data \
                  kanidm/server:latest /sbin/kanidmd reindex -c /data/server.toml
              error: unrecognized subcommand 'reindex'
              

              Phew boy. Straight from the docs. Same with the vacuum command.

              Looks like the docs need updated to specify the command is kanidm database reindex -c /data/server.toml

              And further upon trying to login…

              300e55b7-e30a-42a5-ac3e-ec0e69285605 INFO     handle_request [ 188µs | 0.00% / 100.00% ]
              300e55b7-e30a-42a5-ac3e-ec0e69285605 INFO     ┕━ request [ 188µs | 72.94% / 100.00% ] method: GET | uri: /v1/auth/valid | version: HTTP/1.1
              300e55b7-e30a-42a5-ac3e-ec0e69285605 INFO        ┝━ handle_auth_valid [ 50.8µs | 25.54% / 27.06% ]
              300e55b7-e30a-42a5-ac3e-ec0e69285605 INFO          ┝━ validate_client_auth_info_to_ident [ 2.85µs | 1.51% ]
              300e55b7-e30a-42a5-ac3e-ec0e69285605 WARN            ┕━ 🚧 [warn]: No client certificate or bearer tokens were supplied
              300e55b7-e30a-42a5-ac3e-ec0e69285605 ERROR         ┕━ 🚨 [error]: Invalid identity: NotAuthenticated | event_tag_id: 1
              300e55b7-e30a-42a5-ac3e-ec0e69285605 WARN        ┕━ 🚧 [warn]:  | latency: 204.504µs | status_code: 401 | kopid: "300e55b7-e30a-42a5-ac3e-ec0e69285605" | msg: "client error"
              

              I think I’m gonna have to just nuke it and start fresh but yeah, this is not a great first impression at all.

              • g5pw@feddit.it
                link
                fedilink
                English
                arrow-up
                1
                ·
                9 months ago

                I mean, it is a bit rough, they’re not at 1.0 yet, also: are you looking at the stable or latest docs? That may be the reason the commands do not match with the docs.

                • timbuck2themoon@sh.itjust.works
                  link
                  fedilink
                  English
                  arrow-up
                  1
                  ·
                  9 months ago

                  I will have to check. Still willing to try again. I’ll update if i get it going better on round 2.

                  Thanks for the hint about the docs. I hadn’t thought of that.