LMAO, I just sat down to add a new application to my #Authentik #SSO... And bounced right off of all the options. Indeed time to move, I guess #KaniDM looks nice.
Yeah, moving from the baroque/enterprise clickable authentik/keycloak to "it's mostly CLI and purposefully few options" can cause some whiplash 😅

@viq what do you mean by

And bounced right off of all the options.

?

I'm interested in simple identity management/SSO for my self-hosted server so very curious about the limitations of each option.

@tyrthecat if you're looking for simple, Keycloak and Authentik are not what you want.
They're *very* capable. They can do *a lot* for you, with *a lot* of things. And you get to configure each and every one of them. Once you figure out what those tens of options for each of the scores of capabilities are, what they mean, and how they interact with each other.
@tyrthecat so it's not that they have limitations (sure, they do), it's about the amount of documentation and clicks you need to go through before you can set up your first integration.
And then go through all of it again half a year later when you're setting up your second integration, because you've forgotten most of the stuff from the first time.
@tyrthecat what are you looking for? There's a bunch of nice projects, but "best" will be different depending on whether you expect text or UI configuration; a WebAuthn-centric approach, or also passwords; forward-auth, or only OIDC.

@viq thanks for the info.

Really all I want is something to put in front of my home server for myself and my husband (Nextcloud, a password manager, Wallabag, Jellyfin) and a virtual tabletop (FoundryVTT) for my TTRPG group (about 6 people).

Right now I'm using OAuth2Proxy backed by Google accounts, which works OK but is not very flexible:

  • I had to create a Google App and I added people as test accounts (because I'm not going through reviews just to auth 6 people).
  • Adding people means changes in the Google console + config files.
  • They have to have a Google account they can give me.
  • I had to code my own set of rules so the HTTP proxy allows users only for the apps I want them to use (oauth2proxy is a yes-or-no kind of deal).
  • And after all that every app has its own users on top.

I really like the authentication at the proxy level personally because I can block all traffic to (some) apps if you are not authenticated but the rest feels incomplete and inconsistent.

And I would like something that allows MFA with TOTP/Yubikey for some people/apps.
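A small worked example of the per-app rule layer described in the post above, added here and not code from either poster: it takes the identity headers an authenticating proxy such as oauth2-proxy can forward (the header names, hostnames and group policy are all assumed for illustration) and answers the forward-auth question "may this logged-in user reach this app?", denying by default.

```python
"""Per-app authorization behind an authenticating reverse proxy.

Added illustration, not code from the thread: the proxy layer only answers
"is this person logged in?"; this decision function adds the per-app rule
on top. Header names are assumed to follow the X-Forwarded-User/-Email style
oauth2-proxy uses; the hosts, users and groups below are constructed.
"""
from dataclasses import dataclass

# Constructed policy: named groups of users, and per-app allowed groups.
GROUPS = {
    "household": {"me@example.com", "husband@example.com"},
    "ttrpg": {"me@example.com", "player1@example.com", "player2@example.com"},
}
APP_POLICY = {
    "cloud.example.com": {"household"},
    "vault.example.com": {"household"},
    "wallabag.example.com": {"household"},
    "jellyfin.example.com": {"household"},
    "foundry.example.com": {"household", "ttrpg"},
}


@dataclass(frozen=True)
class Decision:
    status: int   # 200 allow, 401 not logged in, 403 logged in but not permitted
    reason: str


def authorize(headers: dict) -> Decision:
    """Decide a forward-auth subrequest from the proxy's forwarded headers.

    Deny by default: an app not listed in APP_POLICY is closed to everyone,
    so a new subdomain is not reachable until it is explicitly granted.
    """
    # HTTP header names are case-insensitive; normalise once.
    h = {k.lower(): v for k, v in headers.items()}
    user = (h.get("x-forwarded-email") or h.get("x-forwarded-user") or "").strip().lower()
    host = h.get("x-forwarded-host", "").split(":")[0].lower()
    if not user:
        return Decision(401, "not authenticated")  # proxy sends user to login
    allowed_groups = APP_POLICY.get(host)
    if allowed_groups is None:
        return Decision(403, f"no policy for {host!r}")
    for group in allowed_groups:
        if user in GROUPS.get(group, ()):
            return Decision(200, f"{user} via group {group}")
    return Decision(403, f"{user} not permitted on {host}")
```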

@tyrthecat if you are already familiar and comfortable with oauth2-proxy, then I guess the next question is whether you want to be WebAuthn/passkey only, in which case PocketID; if not, if you want a prettier interface then Authelia, if managing via CLI then KaniDM.
Also, check out Caddy; I believe it can be made to serve in one place as both the web server and, via OIDC integration, a replacement for oauth2-proxy.
@tyrthecat one advantage the behemoths from the initial post have that the others don't: you can set up trust with other identity providers, so people could log into your services using their Google account, or Discord, or something else. Depending on your settings, they *can*, but don't have to.
But it doesn't sound like the complexity of those solutions is worth it for what you want.

@viq thank you, this is very helpful information.

I expect I'll want to play with the larger systems at some point but I'd like to find something smaller for the foreseeable future.

@tyrthecat it may or may not make things more manageable for the large ones: there are Terraform modules for managing their configuration.
@tyrthecat also, if it makes a difference to you: Authentik has LLM code in it. I'm pretty certain KaniDM does not. I cannot comment at this point about others.
@tyrthecat I only know this exists, and nothing about it, but is also in that space: https://tinyauth.app/
Whereas I have opinions and in some cases Opinions™ about the others.