Disable Local Login After Enabling Authentik OIDC #730

Open
pr0927 opened this issue May 13, 2024 · 11 comments

@pr0927

pr0927 commented May 13, 2024

Hi all, just wanted to see if this is an option somewhere, or if not, humbly request if it could be added. I've gotten Authentik working for SSO via OIDC for Linkding, and it seems to be working correctly (fingers crossed the mobile app and browser extension don't have errors).

However, I was hoping to bypass the login screen where it's merely an option to choose the OIDC login, and force it to the Authentik login page instead.

I know this is something requiring explicit toggling for other apps (Nextcloud and Bookstack for instance) - did not know if that was already the case here, and if so how.

@sissbruecker
Owner

So this is about initializing the authentication flow automatically in case the user is not logged in, rather than manually having to press the login with OIDC button?

@pr0927
Author

pr0927 commented May 14, 2024

That's correct, yep! Currently on the login page it still gives the option to log in with the built-in username/password, or to click the OIDC login option.

@sprjr

sprjr commented Sep 26, 2024

@sissbruecker I kind of had the same issue, to a degree. I noticed that when the setting LD_ENABLE_AUTH_PROXY is set to "True", I cannot log in with either OIDC or password login. However, when I set that to "False", I can then log in with both. I don't know if this qualifies as a new issue entirely, but it's something I wanted to bring up in case I am doing something odd.

@sissbruecker
Owner

@sprjr Currently that is how the option works: as soon as you configure an auth proxy, other authentication methods get disabled. Why do you want to enable both? I don't know if there is a setup where this makes sense. Theoretically your reverse proxy should deny you access to the linkding instance unless you are authenticated in the auth proxy. So even if someone wanted to access the login page, they can't unless they are authenticated in the auth proxy. If you can access the login page without being authenticated in the auth proxy, then something is wrong with your setup. That would mean that anyone who has access to your instance can bypass the login by just passing a username header in the HTTP request.
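Added example, not part of the thread and not linkding's own code: the trust boundary described in the comment above, as a small WSGI sketch. The header name `Remote-User`, the proxy network `172.18.0.0/24`, and the names `header_auth_app`, `TrustedProxyOnly` and `status_for` are assumptions made for illustration.

```python
"""Added example: guarding a header-based auth-proxy login (constructed WSGI apps)."""
import ipaddress

# Assumption: WSGI key for a "Remote-User" request header; the real header
# name depends on your auth proxy and application settings.
USERNAME_KEY = "HTTP_REMOTE_USER"
# Assumption: the reverse proxy reaches the app from this constructed network.
TRUSTED_PROXIES = [ipaddress.ip_network("172.18.0.0/24")]


def header_auth_app(environ, start_response):
    """Stand-in for an app in auth-proxy mode: it believes the username header."""
    user = environ.get(USERNAME_KEY)
    if user:
        status, body = "200 OK", f"logged in as {user}".encode()
    else:
        status, body = "401 Unauthorized", b"not authenticated"
    start_response(status, [("Content-Type", "text/plain")])
    return [body]


class TrustedProxyOnly:
    """Drop the username header unless the TCP peer is the reverse proxy."""

    def __init__(self, app, trusted=TRUSTED_PROXIES):
        self.app, self.trusted = app, trusted

    def __call__(self, environ, start_response):
        try:
            peer = ipaddress.ip_address(environ.get("REMOTE_ADDR", ""))
            ok = any(peer in net for net in self.trusted)
        except ValueError:
            ok = False  # missing or malformed peer address: treat as untrusted
        if not ok:
            environ = {k: v for k, v in environ.items() if k != USERNAME_KEY}
        return self.app(environ, start_response)


def status_for(app, remote_addr, user=None):
    """Send one constructed request to `app` and return the status line."""
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": "/", "REMOTE_ADDR": remote_addr}
    if user is not None:
        environ[USERNAME_KEY] = user
    seen = []
    app(environ, lambda status, headers: seen.append(status))
    return seen[0]
```

The peer check only helps if the reverse proxy itself overwrites any client-supplied copy of the header and the application port is not published outside the proxy network.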

@sprjr

sprjr commented Sep 26, 2024

Perhaps I misphrased it. I do not want to enable both. However, when I set it to true this morning it became an "all or nothing" situation. If it was set to true then I could log in with neither password nor OIDC login. If I set it to false, which I currently have, then I can log in with both password and OIDC.

@sissbruecker
Owner

When you properly configure an auth proxy, other authentication methods don't make any sense. No one can access the login page without already being authenticated in the auth proxy. If someone can access the login page, then they are already authenticated in the auth proxy, and don't need to use username+password or OIDC anymore. I'd say this works as intended.

@sprjr

sprjr commented Sep 26, 2024

I don't think we're correctly lining up. I can provide my config if that might make things easier? I have set up my auth proxy, but if I set LD_ENABLE_AUTH_PROXY to "True", then I reach the log in page whether I'm authenticated to my auth proxy service or not. Then, if I click on the log in with OIDC button, it redirects me to my auth proxy, but then drops me back to the Linkding login page. It's unresponsive if I use the regular login button.

If I set LD_ENABLE_AUTH_PROXY to "False", then I can log in using either OIDC or password. Does that make sense? From what you're saying, if I set it to "True", I should be bounced immediately to the auth proxy and not given the option to do a password login.

@sissbruecker
Owner

> I have set up my auth proxy, but if I set LD_ENABLE_AUTH_PROXY to "True", then I reach the log in page whether I'm authenticated to my auth proxy service or not.

That sounds like something is not set up correctly. If you want to use proxy auth, you need to configure your reverse proxy (nginx, Traefik, etc.) to redirect you to your auth proxy if you are not authenticated.

@pr0927
Author

pr0927 commented Sep 26, 2024

@sprjr I'm realizing your issue - OIDC is different from proxy authorization. That setting is not supposed to be enabled if you want OIDC login.

However, I still have my same issue - is there a way to force the login screen to only be the Authentik OIDC login, instead of the landing page with the option to log in with either the Linkding credentials or the OIDC button?

I've been unsuccessful in figuring this out so far, if it's possible.

@sissbruecker - this is a very well done app, with such rapid progress, appreciate your engagement on the issues threads.

@sprjr

sprjr commented Sep 26, 2024

Ah thank you, I didn't realize I had my terminology wrong.

I'd appreciate the same feature, since ultimately that's what I was getting at. Forcing OIDC and removing password login would be great.

@yuri-becker

I'd also like this feature, possibly with an automatic redirect to the OIDC provider. I'd also be open to implementing it myself, if you need/want the help.
