-
icebound.dev
> I've wanted to set up an XMPP server for my hackerspace for a long time. We sort of have a rule to only add stuff that does OIDC. How can I do that?
>
> What options are there? I don't care much whether it is ejabberd, Prosody, Snikket, something else... but OIDC is really important in this case.
>
> We use Authentik for SSO and Traefik as a reverse proxy, so ACME queries for the XMPP server would also have to be proxied.
>
> Anyone here using OIDC? What does your setup look like?

You would likely need to write a plugin for this
-
icebound.dev
I don't see why prosody/ejabberd couldn't integrate into OIDC, using the identities provided and appending the server FQDN to form the JID
-
icebound.dev
but to be honest integrating it is likely to be difficult
-
icebound.dev
Also this would likely need to be implemented on the client side end as well...
-
icebound.dev
this would likely need to be standardised and made into a XEP
-
jjj333_p [pain.agency]
> I don't see why prosody/ejabberd couldn't integrate into OIDC, using the identities provided and appending the server FQDN to form the JID

afaik on prosody (prob on others too) auth is very modular, it's entirely just if the module in question exists
-
jjj333_p [pain.agency]
also supposedly lua is easy to write for
-
icebound.dev
jjj333_p [pain.agency], server side wouldn't be the hard part IMO, it's integrating the client side end
-
icebound.dev
OIDC is meant to redirect the client to the auth, and then callback to the server to say it was approved
-
icebound.dev
that means every client needs to be supported individually
-
jjj333_p [pain.agency]
true, though you could just cheeze normal auth and then make you log in via a dmed link
-
icebound.dev
in all honesty having OIDC as a requirement is really stupid.
-
jjj333_p [pain.agency]
https://modules.prosody.im/mod_http_oauth2 exists
-
icebound.dev
> (we need you!)
-
icebound.dev
no client support
-
jjj333_p [pain.agency]
oasis 2 weeks 🧌
-
icebound.dev
gajim would likely be the easiest to support through their plugin system
-
icebound.dev
it also therefore doesn't need to be upstreamed
-
icebound.dev
and python is a pretty simple lang, with extensive libs
-
jjj333_p [pain.agency]
there's also a chance that singpolyma would be able to be convinced, which might downstream affect monocles
-
icebound.dev
> there's also a chance that singpolyma would be able to be convinced, which might downstream affect monocles

Monocles is easier to convince for features in my experience
-
jjj333_p [pain.agency]
🤷♂️
-
icebound.dev
the IPv6 preference option was a product of my lobbying to arne :p
-
jjj333_p [pain.agency]
i don't run android, i only talk with singpolyma about implementing things for my shit
-
icebound.dev
hah
-
icebound.dev
> i don't run android, i only talk with singpolyma about implementing things for my shit

you should probably pick up a cheap android device for testing, I should really repair one of the numerous iOS devices for testing too
-
icebound.dev
very useful when you are an operator
-
jjj333_p [pain.agency]
tbh i only operate for myself and close friends, but once i get oasis to a point where i wanna port to mobile i prob will
-
jjj333_p [pain.agency]
also could probably get pretty far with just an android vm
-
icebound.dev
Good luck!
-
singpolyma
> I've wanted to set up an XMPP server for my hackerspace for a long time. We sort of have a rule to only add stuff that does OIDC. How can I do that?
>
> What options are there? I don't care much whether it is ejabberd, Prosody, Snikket, something else... but OIDC is really important in this case.
>
> We use Authentik for SSO and Traefik as a reverse proxy, so ACME queries for the XMPP server would also have to be proxied.
>
> Anyone here using OIDC? What does your setup look like?

<https://modules.prosody.im/mod_auth_oauth_external.html> I think
-
Johannes
> I've wanted to set up an XMPP server for my hackerspace for a long time. We sort of have a rule to only add stuff that does OIDC. How can I do that?
>
> What options are there? I don't care much whether it is ejabberd, Prosody, Snikket, something else... but OIDC is really important in this case.
>
> We use Authentik for SSO and Traefik as a reverse proxy, so ACME queries for the XMPP server would also have to be proxied.
>
> Anyone here using OIDC? What does your setup look like?

As others have said, Prosody has OAuth support. But it depends on the OIDC as well. I use Pocket ID, which only has Passkey support, and probably wouldn't work with Prosody AFAIK
-
erebion
> in all honesty having OIDC as a requirement is really stupid.

No, it isn't. The migration to SSO took far too long to just undo. 🙄

Anyway, if OIDC is currently not feasible, I could look into whether any of the other methods that Authentik supports are feasible.
-
erebion
> no client support

Honestly, an option that just produces a password for the client would also work. We just want to do authorisation for the server via our existing identity provider.
-
jjj333_p [pain.agency]
> > no client support
>
> Honestly, an option that just produces a password for the client would also work. We just want to do authorisation for the server via our existing identity provider.

oh that's very possible with prosody
-
jjj333_p [pain.agency]
there are existing modules for some auth backends, whatever creme [envs.net] uses might work for you
-
icebound.dev
> > in all honesty having OIDC as a requirement is really stupid.
>
> No, it isn't. The migration to SSO took far too long to just undo. 🙄
>
> Anyway, if OIDC is currently not feasible, I could look into whether any of the other methods that Authentik supports are feasible.

I guess it has its uses for organisations, but the issue with centralised authentication is that if compromised, or if a user's credentials are leaked, every account is pwned.
-
icebound.dev
I strongly believe in a different account for every service, with a different randomised password + TOTP, one service being pwned therefore can't harm another.
-
icebound.dev
But I do get in organisations, onboarding new members then becomes a huge chore.
-
moparisthebest
icebound.dev: don't forget offboarding
-
singpolyma
> > I've wanted to set up an XMPP server for my hackerspace for a long time. We sort of have a rule to only add stuff that does OIDC. How can I do that?
> >
> > What options are there? I don't care much whether it is ejabberd, Prosody, Snikket, something else... but OIDC is really important in this case.
> >
> > We use Authentik for SSO and Traefik as a reverse proxy, so ACME queries for the XMPP server would also have to be proxied.
> >
> > Anyone here using OIDC? What does your setup look like?
>
> As others have said, Prosody has OAuth support. But it depends on the OIDC as well. I use Pocket ID, which only has Passkey support, and probably wouldn't work with Prosody AFAIK

I don't see why pocket id wouldn't work with prosody? should be fine
-
icebound.dev
> icebound.dev: don't forget offboarding

true.
-
erebion
> I strongly believe in a different account for every service, with a different randomised password + TOTP, one service being pwned therefore can't harm another.

I believe in an amount of work that the couple people at the hackerspace can actually do, preferably without getting burnt out.
-
erebion
> But I do get in organisations, onboarding new members then becomes a huge chore.

And maintaining access rights. We give some access to everyone that joins us, but more access to members, some other permissions to the board members and admins and so on.
-
erebion
> > As others have said, Prosody has OAuth support. But it depends on the OIDC as well. I use Pocket ID, which only has Passkey support, and probably wouldn't work with Prosody AFAIK
>
> I don't see why pocket id wouldn't work with prosody? should be fine

What is Pocket ID?