Open source alternatives for an OAuth2 server?

I'm building an app in my spare time that I'm hoping to open-source.
It's a Peppol Catalogue 3.0 tool.

The backend is written in Go.

I’m currently investigating how to do authentication and authorization for the app. The app will have 3 different user scopes:

  • Submitters: companies submitting data to us (they want to register their own auth provider)
  • Reviewers: the company I work for (want to use our own auth provider: Azure AD)
  • Consumers: our customers. (they want to register their own auth provider)

I want the app to have its own user database, but allow external authorization providers using an OAuth2 token exchange flow.
For example:

  • the client hands the backend a Google token,
  • the backend responds with a valid token for my app.

Are there any cool open source projects I should look into? Or is it better to build my own auth?

Hi

Welcome to the forums.

I haven’t really found anything that’s nice that can just run as a library.

What I see lots of people doing is they use things like Authelia and handle auth/identity externally, and enforce its use via a reverse proxy.

The backend behind the reverse proxy gets the Remote-User, Remote-Group and similar headers.

Similar story with Caddy: not a library, but there's this authp thing, which I think is nicer, but is just not as popular as Authelia. I think it's not as flexible around various types of auth (3FA? Client machine cert + 2FA is easy in Authelia but not in authp) and is not as sysadmin-friendly, but you can, if you want, only use the "authorization" part of authp if that's the only thing you need.

In short – it’s all one big complicated mess; start with authp.
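The header hand-off described in this reply, as an added example that is not code from the original thread, from Authelia, authp or Caddy: a Go backend that accepts the Remote-User and Remote-Groups headers a forward-auth proxy sets, but only on requests whose TCP peer is the configured proxy address, and strips them from anything that reached the backend directly. The proxy address, the /reviews path, the group names and the sample requests are constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Identity is what the backend learns from the proxy's forward-auth headers.
type Identity struct {
	User   string
	Groups []string
}

// In reports whether the identity carries the given group.
func (id Identity) In(group string) bool {
	for _, g := range id.Groups {
		if g == group {
			return true
		}
	}
	return false
}

// IdentityFromRequest reads Remote-User and Remote-Groups, the header names Authelia sets
// for the backend. They are honoured only when the TCP peer is a trusted proxy address:
// anyone who can reach the backend directly can type those headers into a request, so from
// any other peer they are stripped and the request is refused. trustedProxies is assumed to
// come from backend configuration.
func IdentityFromRequest(r *http.Request, trustedProxies map[string]bool) (Identity, error) {
	host, _, err := net.SplitHostPort(r.RemoteAddr)
	if err != nil || !trustedProxies[host] {
		r.Header.Del("Remote-User")
		r.Header.Del("Remote-Groups")
		return Identity{}, errors.New("request did not arrive through the auth proxy")
	}
	user := r.Header.Get("Remote-User")
	if user == "" {
		return Identity{}, errors.New("proxy asserted no user")
	}
	var groups []string
	for _, g := range strings.Split(r.Header.Get("Remote-Groups"), ",") {
		if g = strings.TrimSpace(g); g != "" {
			groups = append(groups, g)
		}
	}
	return Identity{User: user, Groups: groups}, nil
}

// ReviewerHandler is a backend endpoint that only members of the "reviewers" group may use.
func ReviewerHandler(trustedProxies map[string]bool) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		id, err := IdentityFromRequest(r, trustedProxies)
		switch {
		case err != nil:
			http.Error(w, err.Error(), http.StatusUnauthorized)
		case !id.In("reviewers"):
			http.Error(w, "forbidden", http.StatusForbidden)
		default:
			fmt.Fprintf(w, "hello %s\n", id.User)
		}
	})
}

// NewProxiedRequest builds a constructed request as it would arrive from remoteAddr,
// carrying the headers a forward-auth proxy adds (or an attacker sets by hand).
func NewProxiedRequest(remoteAddr, user, groups string) *http.Request {
	r := httptest.NewRequest(http.MethodGet, "/reviews", nil)
	r.RemoteAddr = remoteAddr
	r.Header.Set("Remote-User", user)
	r.Header.Set("Remote-Groups", groups)
	return r
}

// Status runs h against r in memory and returns the HTTP status code.
func Status(h http.Handler, r *http.Request) int {
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, r)
	return rec.Code
}

func main() {
	trusted := map[string]bool{"10.0.0.5": true} // the proxy's address; constructed for the example
	h := ReviewerHandler(trusted)
	fmt.Println(Status(h, NewProxiedRequest("10.0.0.5:40000", "alice", "reviewers, admins"))) // 200: came through the proxy
	fmt.Println(Status(h, NewProxiedRequest("10.0.0.5:40001", "bob", "submitters")))         // 403: authenticated, not a reviewer
	fmt.Println(Status(h, NewProxiedRequest("203.0.113.9:5555", "alice", "reviewers")))      // 401: direct hit with spoofed headers
}
```

Honouring these headers unconditionally is the classic mistake with this pattern: whoever can open a TCP connection to the backend can set Remote-User themselves. A source-address check is the minimum; when the proxy and the backend share a host or an overlay network, a per-deployment secret header or mTLS between proxy and backend is a firmer boundary.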

My app would have to be able to show "log in with Facebook" if the specific submitter picks that authenticator for their company.

If a submitter picks "log in with Azure AD" as their provider, it would hide the "log in with Facebook" button.

It's important in enterprise software to remove the options that are irrelevant for the end user.

Essentially, each company submitting data to us would have its own configuration of "allowed authentication providers".
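The token exchange sketched in the first post (the client hands the backend an external token, the backend answers with its own token) together with the per-company "allowed authentication providers" configuration from this post, as one added Go example that is not code from the original thread or from any project mentioned in it. It uses only the standard library: each tenant maps its allowed issuers to that provider's public key, the backend verifies the presented ID token against that allow-list, looks the identity up in the app's own user table, and mints an HS256 app token carrying tenant and role. The tenant names, issuer URLs, the "peppol-client" client ID, the "peppol-app" issuer, the user table and the signing keys are all constructed assumptions; the simulated providers sign with EdDSA for brevity, whereas Google and Azure AD issue RS256 tokens whose keys you would fetch (and cache) from the issuer's JWKS endpoint.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims is the subset of JWT claims this example reads and writes.
type Claims struct {
	Iss    string `json:"iss"`
	Sub    string `json:"sub"`
	Aud    string `json:"aud"`
	Exp    int64  `json:"exp"`
	Tenant string `json:"tenant,omitempty"`
	Role   string `json:"role,omitempty"`
}

// Server: tenant -> allowed issuer -> that IdP's public key (from its JWKS in production), users keyed tenant|issuer|sub, app token key.
type Server struct {
	tenants map[string]map[string]ed25519.PublicKey
	users   map[string]string
	appKey  []byte // HS256 key for the app's own tokens; assumed to be loaded from a secret store
}

// splitJWT returns signing input, claims and raw signature; the alg header is ignored on purpose (see Exchange).
func splitJWT(tok string) (input string, c Claims, sig []byte, err error) {
	p := strings.Split(tok, ".")
	if len(p) != 3 {
		return "", c, nil, errors.New("malformed token")
	}
	body, err := base64.RawURLEncoding.DecodeString(p[1])
	if err == nil {
		err = json.Unmarshal(body, &c)
	}
	if err == nil {
		sig, err = base64.RawURLEncoding.DecodeString(p[2])
	}
	return p[0] + "." + p[1], c, sig, err
}

// encodeJWT builds header.payload and appends the signature produced by sign.
func encodeJWT(alg string, c Claims, sign func([]byte) []byte) string {
	h, _ := json.Marshal(map[string]string{"alg": alg, "typ": "JWT"})
	b, _ := json.Marshal(c)
	input := base64.RawURLEncoding.EncodeToString(h) + "." + base64.RawURLEncoding.EncodeToString(b)
	return input + "." + base64.RawURLEncoding.EncodeToString(sign([]byte(input)))
}

func hs256(key, in []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(in)
	return m.Sum(nil)
}

// Exchange is the flow from the post: the client hands over an external ID token, the backend checks it
// against the tenant's allowed providers and its own user table, and returns a token for this app. The key
// and algorithm come from tenant config, never from the token's alg header. "peppol-client" is the client
// ID this app registered with the IdP, i.e. the aud the external token must carry.
func (s *Server) Exchange(tenantID, external string) (string, error) {
	input, c, sig, err := splitJWT(external)
	if err != nil {
		return "", err
	}
	key, ok := s.tenants[tenantID][c.Iss] // per-tenant allow-list; an unknown tenant yields a nil map
	if !ok {
		return "", fmt.Errorf("issuer %q not allowed for tenant %q", c.Iss, tenantID)
	}
	if !ed25519.Verify(key, []byte(input), sig) || c.Aud != "peppol-client" || time.Now().Unix() >= c.Exp {
		return "", errors.New("bad signature, wrong audience, or expired")
	}
	role, ok := s.users[tenantID+"|"+c.Iss+"|"+c.Sub]
	if !ok {
		return "", errors.New("no local user for this identity")
	}
	app := Claims{Iss: "peppol-app", Sub: c.Sub, Aud: "peppol-app", Exp: time.Now().Add(time.Hour).Unix(), Tenant: tenantID, Role: role}
	return encodeJWT("HS256", app, func(in []byte) []byte { return hs256(s.appKey, in) }), nil
}

// NewDemo: two constructed tenants, one constructed user, one throwaway IdP key pair (EdDSA for brevity; Google and Azure AD use RS256).
func NewDemo() (*Server, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return &Server{
		tenants: map[string]map[string]ed25519.PublicKey{"acme": {"https://accounts.google.com": pub}, "globex": {"https://login.microsoftonline.com/demo-tenant/v2.0": pub}},
		users:   map[string]string{"acme|https://accounts.google.com|user-1": "submitter"},
		appKey:  []byte("demo-key-replace-with-a-random-secret"),
	}, priv
}

func main() {
	s, priv := NewDemo()
	ext := encodeJWT("EdDSA", Claims{Iss: "https://accounts.google.com", Sub: "user-1", Aud: "peppol-client", Exp: time.Now().Add(5 * time.Minute).Unix()}, func(in []byte) []byte { return ed25519.Sign(priv, in) })
	fmt.Println(s.Exchange("acme", ext))   // app token for acme
	fmt.Println(s.Exchange("globex", ext)) // rejected: globex registered only Azure AD
}
```

Two details carry most of the security weight. The verifier never reads the token's alg header; the algorithm and key are fixed by the tenant's provider configuration, which closes the alg=none and RS256-to-HS256 confusion bugs that have hit JWT libraries. And the issuer allow-list is looked up per tenant, so a valid Google token is still refused for a company that registered only Azure AD; that same per-tenant list is what the UI would read to decide which "log in with …" buttons to render. Real ID tokens may carry aud as an array and include nonce and iat claims, and provider keys rotate; a production verifier handles those as well.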

How do you plan to handle submitter lifecycle, and how do you plan to differentiate between submitters? Do they just get a subdomain of their own at some point once they register, like we see with e.g. Workday?

Neither Authelia nor authp supports having its config determined dynamically, but e.g. with Caddy you could reload the config without shutting down the servers or dropping connections. You could generate the Caddy config and trigger config reloading dynamically?

If your number of subscribers grows, you could shard the config … heck, you could even have a Caddy authp process instance per submitter subdomain; all of them could point at the same backend?

You use the reverse proxy as a library… in a subprocess of some kind… it wouldn't be pretty, but do you care?

Heh, now you’ve sent me down a rabbit hole.

There’s a thing called: https://goauthentik.io/ – yet another thing that claims to be a silver bullet for all authentication out there.

It claims to support a decent number of integrations that can pass an encrypted JWT, which is all good, and has some API mentions in its docs. No idea how "dynamic" its config is.

I've also gone down the rabbit hole for the past couple of days. But I just found this: https://oauth.net/code/go/

And had a look at the library linked there: https://github.com/ory/fosite
It looks like a bit of work, but I think I can use this to achieve what I want. It's all the components I need to set up my own OAuth2 server and extend it with the functionality I need.

It's not a magic bullet, but it really looks like these guys did the groundwork I'm looking for.
