What’s everyones recommendations for a self-hosted authentication system?

My requirements are basically something lightweight that can handle logins for both regular users and google. I only have 4-5 total users.

So far, I’ve looked at and tested:

  • Authentik - Seems okay, but also really slow for some reason. I’m also not a fan of the username on one page, password on the next screen flow
  • Keycloak - Looks like it might be lighter in resources these days, but definitely complicated to use
  • LLDAP - I’d be happy to use it for the ldap backend, but it doesn’t solve the whole problem
  • Authelia - No web ui, which is fine, but also doesn’t support social logins as far as I can tell. I think it would be my choice if it did support oidc
  • Zitadel - Sounds promising, but I spent a couple hours troubleshooting it just to get it working. I might go back to it, but I’ve had the most trouble with it so far and can’t even compare the actual config yet
  • @[email protected]
    link
    fedilink
    English
    28 months ago

    Awesome. Thank you.

    Now to see how i make this work in k8s since they evidently mandate the cert inside instead of just allowing the ingress to have it.

    • @[email protected]
      link
      fedilink
      English
      18 months ago

      Yeah, sounds like a security feature… I was able to configure Traefik to connect with TLS, verifying the peer certificate.

      • @[email protected]
        link
        fedilink
        English
        18 months ago

        I could do this but sadly even just the trial did not work. I’m using podman but it gives me “invalid state” just trying to login with a user per the quickstart, etc. Can’t reset the password cleanly, can’t add a passkey via bitwarden, etc.

        Unsure if I’m doing something wrong or if it’s very alpha/beta.

          • @[email protected]
            link
            fedilink
            English
            1
            edit-2
            8 months ago
            0e2475ba-882a-4f61-8938-2642ca80193b WARN     │  ┝━ 🚧 [warn]: WARNING: index "displayname" Equality was not found. YOU MUST REINDEX YOUR DATABASE
            0e2475ba-882a-4f61-8938-2642ca80193b WARN     │  ┝━ 🚧 [warn]: WARNING: index "name_history" Equality was not found. YOU MUST REINDEX YOUR DATABASE
            0e2475ba-882a-4f61-8938-2642ca80193b WARN     │  ┝━ 🚧 [warn]: WARNING: index "jws_es256_private_key" Equality was not found. YOU MUST REINDEX YOUR DATABASE
            

            I had to drop it for a few days. I got that at some point though. It’s all brand new so I wouldn’t know why. Seems a bit rough around the edges so far. I’ll try to reindex and attempt again. I really want this to be the product I use since it’s a nice AIO solution but we’ll see.

            Edit:

            [~]$ podman run --rm -i -t -v kanidm:/data \
                kanidm/server:latest /sbin/kanidmd reindex -c /data/server.toml
            error: unrecognized subcommand 'reindex'
            

            Phew boy. Straight from the docs. Same with the vacuum command.

            Looks like the docs need updated to specify the command is kanidm database reindex -c /data/server.toml

            And further upon trying to login…

            300e55b7-e30a-42a5-ac3e-ec0e69285605 INFO     handle_request [ 188µs | 0.00% / 100.00% ]
            300e55b7-e30a-42a5-ac3e-ec0e69285605 INFO     ┕━ request [ 188µs | 72.94% / 100.00% ] method: GET | uri: /v1/auth/valid | version: HTTP/1.1
            300e55b7-e30a-42a5-ac3e-ec0e69285605 INFO        ┝━ handle_auth_valid [ 50.8µs | 25.54% / 27.06% ]
            300e55b7-e30a-42a5-ac3e-ec0e69285605 INFO        │  ┝━ validate_client_auth_info_to_ident [ 2.85µs | 1.51% ]
            300e55b7-e30a-42a5-ac3e-ec0e69285605 WARN        │  │  ┕━ 🚧 [warn]: No client certificate or bearer tokens were supplied
            300e55b7-e30a-42a5-ac3e-ec0e69285605 ERROR       │  ┕━ 🚨 [error]: Invalid identity: NotAuthenticated | event_tag_id: 1
            300e55b7-e30a-42a5-ac3e-ec0e69285605 WARN        ┕━ 🚧 [warn]:  | latency: 204.504µs | status_code: 401 | kopid: "300e55b7-e30a-42a5-ac3e-ec0e69285605" | msg: "client error"
            

            I think I’m gonna have to just nuke it and start fresh but yeah, this is not a great first impression at all.

            • @[email protected]
              link
              fedilink
              English
              18 months ago

              I mean, it is a bit rough, they’re not at 1.0 yet, also: are you looking at the stable or latest docs? That may be the reason the commands do not match with the docs.

              • @[email protected]
                link
                fedilink
                English
                18 months ago

                I will have to check. Still willing to try again. I’ll update if i get it going better on round 2.

                Thanks for the hint about the docs. I hadn’t thought of that.