🚀 Feature: OAuth support for OIDC providers (Keycloak, and more) #4299
Comments
|
Might interest you: #3180 |
|
@lost-RD thanks, interesting (although I don't understand why claims that authentik is "the only self-hosted OAuth provider" 🤔). However this approach will never end: adding more and more auth providers, while (ideally) OpenID Connect is a standard with a standard way to expose its configuration. Supporting one OIDC provider means supporting every product that is following the standard. I'm going to test if this authentik can also be used with Keycloak (by mistake 😄) |
|
@keul agreed, no need to support everything when an abstracted solution supports all. I suspect most of the work is done in that feature, fingers crossed |
stnguyen90
added
the
product / auth
|
Did a quick test. Nothing unexpected, but authentik can't help in this OOTB. It's making some assumptions on URLs format (so: not inspecting the service in a standard way). But it can be a good starting point probably 🤞. |
|
I tried to do but failed. Most probably missing some point. But can we integrate authentik with keycloak???? I will try to do this stupid thing ahahah |
|
As I think that a generic OIDC provider will take his time. I would volunteer for the moment to create an Keycloak provider. For sake of clearity i will create a new Issue. |
|
One challenge I thought about was how to handle these:
However, after looking at Okta, Auth0, Identity Server, Authentik, and Keycloak, it seems like the keys for these are most likely the same:
Maybe we can expose these keys as options but default to these values. |
They are defined per specification of oidc. So no option is needed |
@Mabenan, ah you're right! They are standard claims. And as you mentioned in #4660 (comment), the biggest challenge is probably:
|
Ah! This is a nice catch. But isn't this the same for other providers too? For example: can I enable two different authentik? |
No you cant but it is not as bad as if you have a generic provider |
|
+1 Would be great to see if support Authelia down the line too! |
🔖 Feature description
Currently appwrite offers a big set of well known OAuth providers to integrate with, but they are all 3rd party services by big companies.
I see from the discussion New User Login Methods that in future connections to "OpenID" will be taken into account but it's not clear if this means OpenID connect support or not.
I think that supporting a standard OpenID Connect protocol can greatly improve the use of appwrite!
🎤 Pitch
I have this use case: a customer is already managing authentication using Keycloak which is a standard OIDC provider.
This Keycloak is only one example, there are other OIDC software. In general: supporting a company internal SSO installation can make very big difference in appwrite introduction.
👀 Have you spent some time to check if this issue has been raised before?
🏢 Have you read the Code of Conduct?
The text was updated successfully, but these errors were encountered: