Authelia on Proxmox - 2FA SSO with Nextcloud, Proxmox, Portainer Gitea OpenID Connect Single Sign On

  • Added 2 Jun 2024
  • How to Self-host Authelia in a Proxmox Container and use it as an OpenID Connect (OIDC) Identity Provider for 2FA Single sign On (SSO) with Nextcloud, Proxmox, Portainer or Gitea
    #nextcloud #proxmox #sso #portainer #gitea #authelia #openid #oidc #selfhosted
    The Github Repo is here: github.com/onemarcfifty/authe...
    The blog article: www.onemarcfifty.com/blog/Aut...
    0:00 Intro: SSO
    01:38 How does that work?
    03:36 Why Authelia?
    04:33 Setup Steps (Overview)
    05:30 Rudimentary Install
    06:37 Adapt the Config
    10:44 Register 2FA
    11:44 Hide behind NGINX
    12:34 add OpenIDC
    14:22 OIDC: NextCloud
    17:21 OIDC: Proxmox
    19:44 OIDC: Portainer
    21:56 OIDC: Gitea
    23:33 What if OpenID is not supported?
    25:39 Last Thoughts
    26:39 Source Disclosure
    CZcams: / onemarcfifty
    Twitter: / onemarcfifty
    Discord: / discord
    Github: github.com/onemarcfifty
    Patreon: / onemarcfifty
    Blog: www.onemarcfifty.com
  • Science & Technology

Comments • 40

  • @OneMarcFifty
    @OneMarcFifty  a year ago +8

    Correction: In the video I say that the container needs to be privileged. That’s not true. I am running it in an unprivileged container with no issues. Let me know your findings.

  • @mattmcmahon4240
    @mattmcmahon4240 a year ago +4

    This guy has such a nice personality it’s so great when he makes a new video. Also the subject matter is interesting too.

    • @OneMarcFifty
      @OneMarcFifty  a year ago

      Oh, that's so kind of you - thank you very much!

  • @PeterBatah
    @PeterBatah 6 months ago

    In my quest to learn more about Authelia I have watched a multitude of YT videos. This presentation is by far one of the better ones. However, it is still a little advanced for me. Thank you for sharing your time and expertise with us. Much appreciated.

  • @goglea
    @goglea a year ago +8

    Content like this is what we are all craving for 😅
    Brilliant video, thank you very much for your efforts

  • @pedrolourenco8565
    @pedrolourenco8565 2 months ago

    Thank you very much for your video, Marc! Super clear info!

  • @RedVelocityTV
    @RedVelocityTV 4 months ago

    This was such a professional class video

  • @edwardvanhazendonk
    @edwardvanhazendonk a year ago +2

    Wow, this is awesome, thanks for sharing and combining all info available.

  • @littlenewton6
    @littlenewton6 10 months ago

    Excellent! As one not familiar with the Web, this video taught me a lot! I will spend more time on OAuth and HTTP header usage. Thank you, Mr. Marc.

  • @ktoMod
    @ktoMod 11 months ago

    You just saved my day (or week, or month). Amazing, super clear. Added 2FA to NextCloud, Proxmox, Proxmox Backup Server and all my portainers. Super!

  • @JavierPerez-fq2fi
    @JavierPerez-fq2fi a year ago +1

    Amazing video Marc! Thank you so much for sharing such great content like this.

  • @abdullahX001
    @abdullahX001 11 months ago

    Subscribed... such a pleasant presenter!

  • @ukaszs5021
    @ukaszs5021 a year ago +2

    Thank you Marc!

  • @LampJustin
    @LampJustin a year ago +1

    Awesome one Marc! Just enabled OIDC login into Kubernetes clusters provisioned by our KaaS platform. We use Keycloak, but Authelia is great, too! I just love the protocol, SSO all the things!

    • @OneMarcFifty
      @OneMarcFifty  a year ago +1

      Many thanks - and - I totally agree ;-) When I started with my first authentication project, I used a simple TOTP plugin to ask for a second factor before crossing VLAN boundaries. I had evaluated Authelia but it didn't do OIDC at the time. It did take me some time however to get to grips with everything. Many thanks for sharing!

    • @LampJustin
      @LampJustin a year ago +1

      @@OneMarcFifty yeah OIDC isn't easy to get started with... But once you understand those JWT tokens, by decoding them and seeing all those claims neatly put in a json array, it really started to make sense for me.

  • @diogomild
    @diogomild a year ago +1

    Very nice and thorough, thank you very much!!

    • @OneMarcFifty
      @OneMarcFifty  a year ago

      Hi Diogo, you are welcome - I am glad you liked it ;-)

  • @lil_fix
    @lil_fix 9 months ago

    awesome thanks

  • @alexs5588
    @alexs5588 a year ago +1

    What a great information video, thank you! Would you ever consider creating a video regarding logging information in OpenWRT? Or, perhaps a video breaking-down DNSMASQ in OpenWRT? Thank you again.

    • @OneMarcFifty
      @OneMarcFifty  a year ago +1

      Great suggestion! You mean a syslog server, right?

    • @alexs5588
      @alexs5588 a year ago

      @@OneMarcFifty yes a syslog server. Thanks for all of your content

    • @Fulcanelli88
      @Fulcanelli88 a year ago

      @@alexs5588 Logs & FOSS ... and how far the smokey gun ended ?
      Winreg2

  • @yashkalavadia3792
    @yashkalavadia3792 8 months ago

    Good video, helped a lot. Still have one question: I have Xen Orchestra, which supports OIDC and works as a relying party. How do I configure this? Any expert here?

  • @pbvdven2
    @pbvdven2 a year ago +1

    Thanks for the video. Can I ask you a question? Did you consider authentik, and if so, why did you prefer authelia?

    • @OneMarcFifty
      @OneMarcFifty  a year ago

      Not yet. I used authelia because I had examined it in the past and wanted to try the OpenID integration. I will have a look at authentik at some point in time though, especially w/r to the broader protocol support (SAML etc.). Are you using authentik?

    • @pbvdven2
      @pbvdven2 a year ago +1

      @@OneMarcFifty yes, just recently switched from authelia to authentik because of the broader protocol support. I wanted it mainly for jellyfin and calibre web because it supported LDAP in combination with OpenID. And it supports user sign up, and users can easily manage their own accounts, 2FA devices and OAuth connections to other providers like Plex or Google.

  • @jacobhenriksen2324
    @jacobhenriksen2324 29 days ago

    If I already have an nginx reverse proxy in my network, do I want to use that one instead or stick to the nginx server in the container?

  • @achraf3310
    @achraf3310 7 months ago

    Using MobaXterm is easier for editing the YAML config file, because you get SFTP at the same time as SSH ... in other words, it's a life saver!

  • @lohphat
    @lohphat a year ago +6

    What about stolen browser sessions, similar to what took down the Linus Tech Tips CZcams channel? Once elevated session cookies were stolen by a trojan, YT doesn’t have an “invalidate all active sessions” option to deauthorize the auth credentials.

    • @OneMarcFifty
      @OneMarcFifty  a year ago +6

      Great question! I have been thinking about making a video on that issue for a while now. Essentially, for good security you need to take the 3 P's into consideration: Products, Processes and People. I would add a 4th one here: Providers. Certainly people need to be educated (close your browser sessions before doing e-mail, delete your cookies, etc.), products need to answer the requirements (avoid cross-app storage access, e.g. AppArmor or SELinux are answers for that). But the providers need to do their homework as well. Like Linus said in his video - if someone wants to delete 100 or 1000 videos, asking for an OK would be acceptable ;-) Or if a session jumps from Germany to the US or anywhere else, then re-requesting auth should be OK. 2FA or SSO alone will NOT save you - also taking into consideration that you can reset a password or 2nd factor over e-mail - whoever controls your e-mail account can register freely. Sorry - long answer - but you are so spot on with your comment. There is a lot of misunderstanding in the 2FA area ;-) Many thanks for your question!

  • @verygoodbrother
    @verygoodbrother 11 months ago

    Could you do the same for jellyfin? Especially so that we don't have to log in twice.

  • @neilcresswell6539
    @neilcresswell6539 a year ago +1

    Awesome, loved this. Neil@Portainer.