I've been looking around for a Reddit-like option for a self-hosted application. Lemmy looks like a great opportunity for what I need, especially with the RSS feeds.
That said, I need to be able to authenticate to an external resource so I can use the reverse proxy sitting in front of Lemmy to completely restrict access to the site until a user has authenticated with our SSO platform (could be JWT, OpenID, SAML, Basic Auth, whatev).
I think there's a couple of ways to implement this, but I'm not (yet) a Rust developer or I'd hack it in and do a PR.
The simplest would be to allow a trusted header that would be set by the reverse proxy with the authenticated user ID (probably email address, but maybe username). The login process of lemmy would check if this header is set, and if so authenticate and set the jwt cookie appropriately.
The reverse proxy could use middleware to authenticate the user and set a jwt token as an authorization header or maybe in the jwt cookie. Lemmy could check these two locations for a valid jwt token and authenticate the session, populating the rest of the cookie. This of course would mean that the jwt secret would be shared between the middleware and lemmy, allowing the signatures to validate.
Thanks for the consideration!
I'm sure some other people could chime in, because I don't know how the middle layer would function. But the easiest way would be to use the http API, and create a user with the correct user / pass, and it'll give you the auth / jwt token, which you can then pass to the user.
You might even be able to do the blocking with nginx, but I'm not too knowledgeable on how it would work. Lemmy itself uses no headers, just a single jwt / auth string, and all authenticated requests require the auth token which the front end pulls from your cookies.
Using SAML/OAuth/OpenID as an authentication mechanism and then issuing a token from Lemmy's side would be great too. This is how most apps I've deployed work. Alternatively, (a) requiring email confirmation and (b) requiring emails to be [email protected] would work for a lot of orgs.
I don't have time for this one in the near future, but if anyone wants to have a go at it, go right ahead.
Oauth2 / OpenID Connect is the way to go and would allow Lemmy to link to account providers like Gitea or Nextcloud easily.
There are some nice rust client libraries for it too.
@dessalines would you still be open to contributions regarding OAuth?
Of course, I just personally don't have time to do them.
Most helpful comment
Oauth2 / OpenID Connect is the way to go and would allow Lemmy to link to account providers like Gitea or Nextcloud easily.
There are some nice rust client libraries for it too.