Local Authentication #1881
Comments
Voila, a fully self-hosted instance with no external dependencies like web-oauth or smtp. |
Looking at passport.js and the current providers, it seems a local datastore would be needed to store/validate the local users. Unfortunately, passport doesn't seem to provide this (only verification).
From this point on, the community could test this functionality. The UI for password reset/change can then be added at a later step.
This is already done with env variables if I'm not mistaken. |
I don't see the CLI as being needed, the first ever sign-in on self-hosted automatically creates the team and becomes admin already. I see something like this as a bare minimum set of functionality, you can't have password auth without the ability to reset passwords... Backend
Frontend
|
Thank you for this nice explanation. I was including command line as I was envisioning a scenario where email SMTP settings weren't provided and the person installing would just like to have a user account for himself or herself, and thus would create it using the command line (probably through docker). However if using the existing SMTP/email infrastructure make it easier to create and maintain, this is probably much better. |
Hello, I'm trying to have a take at making local auth a reality, but I stumble upon difficulties in the implementation. Is it best to ask it here or to open a discussion on Github ? |
This is good to ask! Feels like filing a draft Pull Request against this repository seems a good use of GitHub's discussion features around code changes. Given we are in good exchange here, what is it that concerns you?
In reply to slurdge's comment above (Fri, 30 Apr 2021, 18:29).
|
I'm trying to follow the steps outlined by @tommoor above, but I'm not fluent in the framework used.

```js
// @flow
import passport from "@outlinewiki/koa-passport";
import { Strategy as LocalStrategy } from "passport-local";
import Router from "koa-router";
import passportMiddleware from "../../middlewares/passport";

const router = new Router();
const providerName = "local";

export const config = {
  name: "Local Account",
  enabled: true,
};

// passport-local reads `username` and `password` from the parsed request body,
// so the POST below only reaches this verify callback if a body parser ran first.
// For now every submitted username is accepted as a fake user.
const strategy = new LocalStrategy(function (username, password, cb) {
  console.log("getting username...");
  return cb(null, { name: username });
});
strategy.name = "local";
passport.use(strategy);

// Paths have no leading slash because the provider router is mounted under /auth,
// following the existing provider files.
router.get("local", (ctx) => (ctx.body = "OK"));

// passport.authenticate() with no callback and no redirect option only establishes
// the login and hands off to the next middleware; there is none here, so a
// successful POST still ends with Koa's default empty 404 response.
router.post("local", passport.authenticate(providerName));
router.get("local.callback", passportMiddleware(providerName));

export default router;
```

I also modified Providers login to have a special case of form if the provider is "local", which posts to "/auth/local". However I can't hit the callback in the strategy, I always have an error when I hit the route. My plan was first to be able to have a fake user, then have a real user with a manual password in the DB, then go from there. |
Ugh. Guys. Sorry for the unproductive comment, but It's such a bummer that something with such great potential is essentially made obsolete by something so silly. |
I tried a bit more, but without a hint on how to go in the right direction, I fear it would take me quite a bit of time. |
I would also like to use this self-hosted with an authentication other than slack or google, but have seen zero documentation on it, just various issues referencing things, most of which are not clear whether they are in the current release or not (due to lack of documentation and examples). If it's the intention to drive more people to use the hosted version, it isn't working, as it wouldn't work in my environment. |
Hi – there's no documentation because it's not a feature that has ever existed in the product. This issue is a request for it to be built. |
Ah ok. It gets quite confusing, there are several tickets referencing it, and most closed, and it's not clear whether things were closed as duplicates, consolidated, or something was finished and merged in. But that makes sense, thanks for clarifying. Is there a roadmap (if so, is this on it?), or is this going to be something only in the paid enterprise version, like LDAP support? Thanks!
In reply to Tom Moor's comment above (Fri, Jun 4, 2021, 11:41 AM).
|
I saw in the project issue discussion that the custom authentication function may be launched as a commercial function. (Please also point out if I understand it wrong) As a software developer, I think if this is true, it might be a good thing for the development team. After all, income can make the team survive and make the software develop better. However, if the official permission is allowed, I think I can submit a pull request to allow outline to run completely offline, free from various third-party OAuth (slack, ms, google), and let it serve individuals or small teams. I hope it will not affect the planning of the outline official team. If the official team has a clear plan, I also hope that it can be clearly stated in the issue what kind of functional implementation will be merged. BTW I recently tried to complete the self-hosted deployment without changing the outline, and found that the software performed very well. Thanks. |
@soulteary , I tried to have a local auth backend but hit a bump somewhere on the road. My understanding is that having a local backend is ok, just that developers have understandably other priorities. |
At the time of posting, I had finished and used this software for a week. In fact, there is no need to change much, especially for small teams or individuals. @slurdge At present, I only use declarative configuration to solve authorization, and I have not developed an independent authorization management interface, deauthorization interface, and interface to modify specific member information. I believe that after sharing, anyone can quickly develop the authentication functions they need, such as SAML, LDAP, ANY OAUTH, and independent mail login functions, but this may be related to the concerns mentioned in my previous post. In the previous discussion, I saw the hard work, business planning and opinions of the official team for self-deployment and certification. Therefore, I think in order to respect the development team and protect the future development of the outline, it is best to obtain authorization to do so. |
@soulteary It's exciting to hear about what you've done. I'm looking forward to being able to use this with a team I'm currently working with. Regarding the development team, per the chain you linked to, specifically this comment, they are not opposed to the community developing such functionality, and in fact have encouraged it. Doing so should not take away from an Enterprise feature they offer, in my opinion. They likely have no plans to include it in outline's core code, and that's reasonable, but having it as an add-on module, middleware, or whatever you'd like to call it, seems like fair game both in spirit and in documented desires. I would say publish your branch, let folks do with it what they wish, or go even further and make it more modular as a separate repo of just the non-outline base code. I'd be willing to help with this if you'd like. But that's just my opinion of course. Happy coding. |
Thank you for sharing your views. This week I used Outline to replace Confluence, which I have used for more than two years. It is very pleasant. I also hope that more people can easily use this great software. I believe that after more people use it, this software can develop better, and for users, they can get more benefits. Regarding my concerns, I believe I have made it clear above, let us wait for the official response. By the way, privatization deployment is actually only the first step, and the follow-up may also involve content migration, attachment management, some localization changes, more resource display, and so on. In the following post, I mentioned what I did during use and what I planned to solve. |
hello @tommoor , could you help us clarify the official position regarding this ?
If it's only a matter of configuration files for individuals, it would be easier to integrate in the base IMHO. @soulteary From what I understand the architecture is already pluggable with any auth you may want, it's just that it will not be provided in the open source package (see Microsoft ticket). |
Honestly I'm not too interested in supporting a solution like this, it feels like a kludge that would end up being a perpetual maintenance burden. How are you handling passwords with this configuration-based setup? |
It's a real bummer that something as basic as local user authentication isn't there, especially since on the frontpage of the main website you see this: "Outline’s source code is public, and the editor is open source so the community can help improve it too. Prefer to host on your own infrastructure? No problem." Google Authentication isn't hosted on my own infrastructure. Not no problem. Big problem. We're not talking about a plugin here, but core functionality. Disappointing, I was really looking forward to self-hosting this, but I'll have to pass. At the very least, the frontpage of the website should be updated to remove that last bit from under the "Open source" card, if local authentication will never be implemented, because it implies the solution in its base entirety can be self-hosted (which inherently means without external dependencies, right?). |
You can use Red Hat Keycloak to create your own OAuth server, then you can use passport to implement your own strategy. In my opinion, Outline must never implement a local auth. |
I see it more as a documentation issue. I was struggling with the setup too and nearly gave up, but for different reasons: For me it was the setup of minio, which I later found out isn't even necessary anymore because there is now the option of local file storage. Unfortunately, the current documentation is written in a way that assumes that you are already familiar with all those systems which makes it difficult to follow if you're not. Also it doesn't seem to be completely up to date with the latest development (c.f local file storage). |
This is a pain, I wanted to give Outline a try but the amount of complication to simply get something working for a single user is too much. Sad. |
Yup, I went through this too and I don't understand why there is such a high-level configuration which needs to get set up fully until you have a running instance. After all this was done I think Outline is one of the best open source tools out there. It's a shame that it's so complicated to set up. |
I cannot speak on behalf of the devs, and I get that deploying Outline isn't as easy as spinning up one docker container, but based on its architecture, Outline was first and foremost built to scale up so that it could be a viable, successful, commercial product that can sustain itself and its creators. Just because it's open source doesn't mean it needs to be easy to use, or not have some (pretty low) "barriers" to entry in order to remain commercially viable. This product is still incredible and free - as in $0! So what if not having local auth perhaps encourages some to use the hosted version? See it instead as an opportunity to learn more about implementing your own self-hosted authentication (Keycloak, Authelia, Authentik), integrating with the many hosted options that are available (also for free!), or actually reading through some of the comments and realising that someone has done the work for you! There's a reason this project has ~21k stars. TL;DR stop complaining and use something like: |
Frustration isn't driving sales, it's getting people away from the project.
Why not document something like this in the main documentation? |
I agree with this. I was going to use outline for my work as well but went to BookStack because of no local login. I don't need the server to communicate with external pieces. |
21k stars says otherwise.
Why should it be? It's a third party, independent project!
If that's more suitable for you, great! That's the whole point of having a choice. |
Can you tell how many of the 21K stars use this project or maybe just starred it to follow up on the development? I wouldn't use this benchmark to prove your point.
Why are you even complaining about the complaints if you have nothing to do with the project or nothing really to say? |
Altruism? The spirit of Free software? The example of other free/open source software projects? Free advertising and spreading product familiarity through co-operation? (e.g. the like of "Oh, I or my friend uses this personally and really likes it, I'll recommend to my friend/boss to use it") I mean, the real question is; if someone creates a PR to add such to the docs, would it be accepted? Would an easy individual login PR be accepted? |
Outline is not free software in the literal sense. The BSL in use dictates that the source code becomes free two years after release. Maybe in this case, assuming you are accepting the license conditions and want to use it within the accepted restrictions, it is fair not to use the same evaluation criteria as, for example, when compared to GNU software?
I think the answer to your questions lies in trying it out: (1) to refresh the documentation and to offer some paragraphs about how people have answered the authentication requirement, plus (2) to answer the question, why the total LoC should be amended with a section to support an additional secure and reliable (password reset, enabling/disabling) authentication mechanism, if a widely tested and supported option already exists? Maybe it's like with the law: just because you are not aware about the option to deploy your own minimal identity provider (IdP), does not mean it does not exist/apply. It's a sufficient condition to running Outline, and there are plenty examples on how to achieve this. We have all the faith in the world that you are able to replicate them. Else:
And please note that other software such as gristlabs/grist-core, here FLOSS, also comes without local authentication, and relies completely on an IdP. This is the cloud-native, microservice era of application design, which somewhat reflects the UNIX philosophy of small tools that do one thing well in running web services. From my perspective, I'm already happy that Outline doesn't depend on commercial services, like Firebase in pubpub pubpub/pubpub#1470, and that I can use it without limitation in our not-for-profit communities. In return I'm providing technical feedback and participation in the support community. For me it's a fair deal. It may not be for others. |
I don't like how this thread is all about thinking in black and white. I think everybody would be perfectly fine if the dev would say "I'm not doing this". Yes, it may be the new "cloud native" way and yes, it may be easier to maintain and it's perfectly fine if the dev decides not to implement basic LDAP or local auth. But also - since this is open source - it's perfectly fine to ask for such things and I guess you guys need to get over it and accept that some people want this and ask for it. |
The problem is that these people complaining are just coming in to cry on that thread. We don't see them coming on the discussions and helping others. We don't see them sponsoring the repo. We don't see them opening new issues and track bugs. We don't see them contributing to the various translation works... And I could continue the list. Do they need a quick setup just to try outline ? Then they could use the free trial on the cloud version. Do they need a setup to self host ? Most of the self hosting community already has a kind of centralized SSO for their various "apps" and don't use or like having a local auth anyway. Do they lack the knowledge to do so ? There is a complete Debian tutorial written by a member here, there are a few docker based scripts that you could find around and a one click installation script on Yunohost maintained by myself. Yes, their request is legit but honestly I don't see the point. Finally, if this was a real need there would already be a PR made by a nice guy who needs it and has the knowledge of doing it. Should that PR exist and be properly done I'm sure it would be merged. It's not as if the dev was refusing or closing an existing proposed code for local auth. And even if that was the case you could always use a fork of some kind (provided you respect the licence). |
Yes, if the desire expressed in this issue would not be respected by the project maintainers, it would already be rejected and closed. |
"Most of the self hosting community already has a kind of centralized SSO for their various "apps" and don't use or like having a local auth anyway. Do they lack the knowledge to do so" @Limezy This is honestly a very lazy answer, and I suspect you know it. It's not accurate and not fair to the self-hosting community. |
I won't launch another useless anonymous debate but please think twice before qualifying as "lazy" and "unfair to the self hosting community" someone who has worked countless hours to create and maintain a one-click installation for Outline (through the Yunohost project) including a fully working local authentication (local = not dependent on external social networks since it goes through the Yunohost native user management) |
@Limezy I am in no way insulting any of that work. Thank you for your contributions. I am most thankful for a side project that integrates OIDC for a semi local auth feel: https://github.com/vicalloy/outline-docker-compose I am only saying it in that tone due to the extreme generalizing statements you made about the community. Please poll or do your own research and supply that as a supporting argument if you plan to take such a strong tone and stance. |
Have you seen my comment?? No need to install anything. It's working out of the box
In reply to Jesse Russell's comment above (Wednesday, December 27, 2023).
|
My personal opinion as someone who was put off using outline partially because of this issue is that:
In my opinion you could resolve this issue for a portion of users if you have example docker-compose files (or some kind of more extensive documentation) with local SSO deployment examples for users who just want to try/deploy this without:
Those are the things that I'm against the most. Take this with a grain of salt, my experience setting up outline is 2 months out of date at this point. |
How can I use Synology SSO Server to achieve single sign on? |
Hi, you can use https://dexidp.io/ and use the local Oh and if you are using NixOS, here's the easy walk-through: https://nixos.wiki/wiki/Outline |
Yep I'm using dex too for the Yunohost version of Outline ! Very convenient |
Didn't know about Given all the small- and medium-scale SSO options that exist for Outline, this issue shouldn't stop anyone from running it with minimal extra effort in contrast to the requirements of this issue. Additionally, I was thinking, if in the mean time it would be possible to meet halfway. Outline already has some kind of local authentication with the magic email login link that is sent to collaborators, whose accounts will become just regular members in a team space. They will not differ in role or capabilities in comparison with SSO users. This means what is left would be the bootstrap question of the first user. Django applications know the In dream code, I would want to run the following commands, and be sent an invitation email to join my Outline instance as a super user:

```shell
# as a package.json script
docker compose exec outline npm run createsuperuser <username> <email>

# as an argument to the Outline CLI
docker compose exec outline npm start createsuperuser <username> <email>
```

The exact nomenclature is left to the person implementing the feature. If it gave even more convenience, a euphoric programmer could provide an What do you think? This intervention should be minimally intrusive, and allow for self-hosted Outline instances without OIDC SSO configured. Edit: This command is already here. As seen on: under the headline Authentication:
Someone interested in this feature should check if this is already enough to bootstrap an instance with an admin user that can then invite further users via email. The main reason why there is no local authentication is to avoid handling passwords. The email magic link login provides a kind of local authentication, when SMTP is configured. |
It still doesn't work on the latest version, correct sequence of commands:
|
It would still be nice if an additional service like dex wouldn't be necessary. |
A lot of reading later :) Sources / Credits#1881 (comment) Steps
Docker compose file
Docker env file
backup.sh
restore.sh
|
So, even using custom SSO not every account works. I added SSO LDAP and.. nothing happened. Because Who said "teams don't use local, teams use sso\ldap"? Looks like it's time to say "teams use exact email authentication, not a single step aside". Looks like self-hosted \ enterprise on-premise SSO is also not an option and the whole project is made for cloud-based setups only. So to implement Outline in my organisation I need to change whole UPN logon generation policies to cloud-based Azure-style ones. Nope, it's not for "most teams" either. Pity. |
I don't like the fact that you need a Google or Slack account. I'm sure you'll scare off a lot of people with that. Have a lot of interest in this app, but would never think of hosting something myself, but still have the users go through another service.