Comments (10)
Hi,
It would be great to allow integration with LDAP too.
Any thoughts on this?
Thanks and regards
Awesome write-up, next time I have some time, I will definitely play around with this. Thanks!
@rmountjoy92
If you are speaking about auth against OAuth2, look at this: https://flask-dance.readthedocs.io/en/latest/index.html
In the case of Nextcloud (NC for short) OAuth2, you need to use a custom provider (https://flask-dance.readthedocs.io/en/latest/providers.html#custom) and do the following:
- Read the DashMachine (DM for short) config file for:
- Nextcloud instance URL
- Nextcloud OAuth2 Client ID and Secret (generated once in the NC control panel)
- Substitute the client_id and client_secret variables with the Client ID and Secret from the config file accordingly
- base_url = NC instance URL from config
- token_url = NC instance URL from config + /apps/oauth2/api/v1/token
- authorization_url = NC instance URL from config + /apps/oauth2/authorize
- Then you'll get the OAuth token, which will be in JSON form and will be stored in Flask session storage or via SQLAlchemy. You'll need to make a callback to DM and make an HTTP GET request to /ocs/v2.php/cloud/user?format=json with the following headers:
headers = {"Accept": "application/json", "User-Agent": "DashMachine", "Authorization": "{} {}".format(token_type<get this from the token JSON>, access_token)}
You'll get the following JSON answer: {'ocs': {'meta': {'status': 'ok', 'statuscode': 200, 'message': 'OK'}, 'data': {'storageLocation': <redacted>, 'id': <redacted>, 'lastLogin': <redacted>, 'backend': 'Database', 'subadmin': [], 'quota': {'free': <redacted>, 'used': <redacted>, 'total': <redacted>, 'relative': <redacted>, 'quota': <redacted>}, 'email': None, 'phone': '', 'address': '', 'website': '', 'twitter': '', 'groups': [<redacted>], 'language': 'en', 'locale': '', 'backendCapabilities': {'setDisplayName': True, 'setPassword': True}, 'display-name': '<redacted>'}}}
- After you get the JSON answer with user data, you need to extract the following parameters and sync them with the DashMachine DB:
- ocs.data.id (username)
- ocs.data.display-name (full name)
- ocs.data.groups (NC group membership)
- ocs.data.language (preferred language)
- Check whether the user is in the NC "admin" group. If yes, add them to the DashMachine admins. If they are already a DashMachine admin but not in the NC "admin" group, then I prefer to delete them from the DashMachine admins.
- Check whether the NC groups exist in the DM config file. Show content only for groups which exist in both DM and NC.
That's how the NC OAuth workflow for DM looks. I hope it will help you integrate OAuth (especially in conjunction with NC). If I have time, I will implement it.
Agreed.
The lack of backends wouldn't be so bad if you were able to disable the login page. That way we could stick our own auth in.
I second this, it would be nice to integrate with Nextcloud OAuth and be able to sync group membership between NC and DashMachine
To be totally honest, I don't even know where to start for this lol. I'm using Flask-Login for the auth system.
> Awesome write-up, next time I have some time, I will definitely play around with this. Thanks!
Thanks!
P.S. Almost forgot to attach a piece of the docs which will help you develop a custom OAuth provider interface using Flask-Dance: https://flask-dance.readthedocs.io/en/latest/api.html
I would like to propose a solution that doesn't blow up the code base with Identity Provider-specific code.
The solution is to put an auth proxy in front of DashMachine for users who look for advanced identity solutions. All popular web servers have a very extensive list of pluggable authentication modules.
The auth proxy would then identify the user and could even do some authorization if needed. The information about the user (userId) or a JWT would then be forwarded to DashMachine. DashMachine just needs to read and parse the HTTP request headers to log in, or sign up and log in, the user.
The concept is called Reverse Proxy Auth or Proxy Auth.
In the Grafana docs one can read how this is done; it's fairly simple but powerful. https://grafana.com/docs/grafana/latest/auth/auth-proxy/
Users who use nginx, Apache, Caddy or Traefik could all use this concept. There is a whole ecosystem around that concept, so it's easy to fit everyone's needs.
- pomerium
- thomseddon/traefik-forward-auth
- vouch-proxy
- oauth2-proxy
- louketo-proxy aka Keycloak Gatekeeper.
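The application side of the proxy-auth idea above, as an added example that is not DashMachine's, Grafana's or any of the listed proxies' own code. It assumes the proxy asserts the user in an X-WEBAUTH-USER header (the default header name in Grafana's auth-proxy docs) and that DashMachine would only honour it for requests arriving from a configured list of proxy addresses; the header name, trusted networks and the user_db shape are assumptions for illustration.

```python
"""Added example, not DashMachine's own code: consuming a reverse-proxy auth
header safely. Assumptions: header name X-WEBAUTH-USER, proxy addresses below."""
import ipaddress

USER_HEADER = "X-WEBAUTH-USER"
# Assumed deployment: only these peers are the auth proxy. Anything else that
# can reach the app port directly (e.g. an exposed container port) is untrusted.
TRUSTED_PROXIES = [ipaddress.ip_network("127.0.0.1/32"),
                   ipaddress.ip_network("172.16.0.0/12")]


def user_from_proxy_auth(headers, remote_addr, trusted_proxies=TRUSTED_PROXIES):
    """Return the proxy-asserted username, or None.

    The header is ignored unless the TCP peer is a trusted proxy; otherwise a
    client that bypasses the proxy could log in as anyone by sending the header.
    Header names are matched case-insensitively, as HTTP requires.
    """
    peer = ipaddress.ip_address(remote_addr)
    if not any(peer in net for net in trusted_proxies):
        return None
    for name, value in headers.items():
        if name.lower() == USER_HEADER.lower():
            user = value.strip()
            return user or None  # empty header is treated as "no user"
    return None


def login_or_signup(username, user_db):
    """Auto-provision on first sight (the sign-up-and-log-in step).

    Returns (record, created). New users get the least-privileged role; role
    elevation stays a decision made inside the app, not by the header.
    """
    if username in user_db:
        return user_db[username], False
    record = {"username": username, "role": "user"}
    user_db[username] = record
    return record, True


if __name__ == "__main__":
    db = {}
    # Constructed request: header as the proxy would send it, from localhost.
    who = user_from_proxy_auth({"X-Webauth-User": "alice"}, "127.0.0.1")
    print(who, login_or_signup(who, db))
    # Same header from an address that is not the proxy: ignored.
    print(user_from_proxy_auth({"X-Webauth-User": "alice"}, "203.0.113.7"))
```

The peer check is the whole point: a proxy-auth header is only as strong as the guarantee that nothing but the proxy can reach the application, so bind the app to localhost or a private network and keep the allow-list in config rather than trusting the header unconditionally.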
@Vad1mo The idea is very nice in my opinion, because it doesn't blow up the code base (when I tried to implement NC OAuth, it required some changes in the SQLAlchemy Users models.py + code for the identity provider itself (and that is just for a single provider) + I got stuck on frontend changes to provide a user interface for toggling OAuth authorization). But there are some drawbacks:
- It is not user-friendly (not all users are able to configure a web server properly) + in some cases it is required to run a separate OAuth proxy (like Vouch), which leads to increased resource consumption on the server (remember that there are lots of people who self-host on an RPi)
- It doesn't fit my needs: I need OAuth (in my case via Nextcloud) and the ability to configure user permissions (via group membership) according to the NC JSON response. Maybe I don't understand, but I didn't find a way to do this on the OAuth proxy side without rebuilding the proxy or its Docker container, or else some provider-specific code in the DashMachine auth is required. If there is a way around it, feel free to share.
@rmountjoy92 Whether DashMachine uses Proxy Auth or OAuth via Flask, there is one problem which I want to discuss: role and group management. For example, I assign a user to multiple groups in NC in order to give access to DokuWiki (if they are in the wiki group), JupyterHub (if they are in the jupyter group) and so on. At the same time it allows me to manage access to files from these services. But, as I understand it, a user in DashMachine can have only one role, and this creates a problem: if both NC groups are defined in the DM config as roles, they are at the same level in the role hierarchy, and the user is a member of both, how do you assign a role to the user during OAuth login? To avoid this, I suggest several solutions:
- Ditch roles and let groups manage user permissions (a user can be a member of multiple groups)
- Let roles manage access to settings and so on, and let groups manage access to cards. In this case a user can have only one role (if they are an NC admin, they'll be a DM admin; others get the user or public_user role), but can be a member of multiple groups.
- Let the user assign role priority via the DM config (but this is not as flexible as the first 2 options)
This is the most important barrier on the way to implementing NC OAuth support with user permission management via NC groups.
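The post-redirect steps of the Nextcloud OAuth workflow laid out earlier in this thread (endpoint URLs from config, the Authorization header built from the token JSON, extracting id / display-name / groups / language from the OCS answer, admin-group handling and the DM-and-NC group intersection), combined with the second option above (one role derived from NC admin membership, many groups for card access), as an added example that is neither DashMachine's nor Flask-Dance's own code. It uses only the standard library so it runs offline; the DM_CONFIG key names, the Flask-Dance blueprint it would feed, and the OCS sample body (a stand-in for the redacted answer quoted above) are assumptions.

```python
"""Added example, not DashMachine's or Flask-Dance's own code: mapping the
Nextcloud OCS user answer onto DashMachine users, roles and groups.
Assumptions: DM_CONFIG keys and the constructed OCS sample are illustrative."""
import json
from urllib.parse import urljoin

# Assumed shape of the DashMachine config (key names are not DM's real schema).
DM_CONFIG = {
    "nextcloud_url": "https://cloud.example.org",
    "nextcloud_client_id": "dm-client-id",          # constructed placeholder
    "nextcloud_client_secret": "dm-client-secret",  # constructed placeholder
    "groups": ["wiki", "jupyter", "media"],         # groups defined in DM config
}


def nextcloud_oauth_endpoints(base_url):
    """URLs to hand to a custom Flask-Dance OAuth2ConsumerBlueprint.

    The trailing slash matters: without it urljoin() would drop a subpath such
    as /nextcloud on an instance served below the web root.
    """
    base = base_url.rstrip("/") + "/"
    return {
        "base_url": base,
        "token_url": urljoin(base, "apps/oauth2/api/v1/token"),
        "authorization_url": urljoin(base, "apps/oauth2/authorize"),
    }


def ocs_user_request_headers(token):
    """Headers for GET /ocs/v2.php/cloud/user?format=json, built from the
    token JSON the OAuth library stores (token_type and access_token)."""
    return {
        "Accept": "application/json",
        "User-Agent": "DashMachine",
        "Authorization": "{} {}".format(token["token_type"], token["access_token"]),
    }


def sync_user_from_ocs(ocs_body, dm_groups, current_admins):
    """Map the OCS user JSON onto DM fields.

    Role: 'admin' iff the user is in the NC 'admin' group; an existing DM admin
    who is no longer NC admin is dropped from the admin list.
    Groups: only the intersection of NC groups and groups known to DM config,
    so an NC group DM has never heard of grants nothing.
    """
    ocs = json.loads(ocs_body)["ocs"]
    if ocs["meta"]["statuscode"] != 200:
        raise ValueError("OCS request failed: %s" % ocs["meta"].get("message"))
    data = ocs["data"]
    username = data["id"]
    nc_groups = set(data.get("groups") or [])
    is_nc_admin = "admin" in nc_groups
    admins = set(current_admins)
    if is_nc_admin:
        admins.add(username)
    else:
        admins.discard(username)
    return {
        "username": username,
        "display_name": data.get("display-name") or username,
        "language": data.get("language") or "en",
        "role": "admin" if is_nc_admin else "user",
        "groups": sorted(nc_groups & set(dm_groups)),
        "admins": sorted(admins),
    }


def make_ocs_response(user_id, groups, display_name, statuscode=200):
    """Constructed stand-in for the redacted OCS answer quoted in the thread."""
    return json.dumps({"ocs": {
        "meta": {"status": "ok" if statuscode == 200 else "failure",
                 "statuscode": statuscode, "message": "OK"},
        "data": {"id": user_id, "display-name": display_name,
                 "groups": groups, "language": "en", "backend": "Database"},
    }})


if __name__ == "__main__":
    print(nextcloud_oauth_endpoints(DM_CONFIG["nextcloud_url"]))
    body = make_ocs_response("alice", ["admin", "wiki", "files"], "Alice")
    print(sync_user_from_ocs(body, DM_CONFIG["groups"], ["bob"]))
```

Two checks worth keeping when wiring this into a real login callback: refuse to create a session when the OCS meta status is not 200 (an expired or revoked token must not fall through to a guest login), and re-run the admin check on every login rather than only at sign-up, since that is what makes removing someone from the NC admin group take effect in DM.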
Any updates on this?