Authelia as an authorization provider

Authelia is about to release a major update, that adds OAuth 2.0 Pushed Authorization Requests. Would this allow it to be used as an authorisation provider to misago?

I have a less than full understanding of auth in general. This is an expansion of functionally from authelia. Strictly they do not provide oauth 2 support. Except as a subset of an incomplete OIDC implimentation (which is nevertheless both useful, and widely used). It struck me that it definitely wouldnt work before, but that the latest version might make it possible.

Authelia is the lightest, simplest, most complete auth for self hosting. I want to see if I can have misago work with it. If I can't I will pursue different forum options. It is contrary to the ethos of the services that I provide to my users to delegate auth to a third party, and I do not want to commit my stack to a heavyweight complex solution (like Keycloak or authentik) for the sake of one service. I do need SSO and central source of truth (I use lldap behind authelia and that allows users self set and reset with password and 2fa).

I haven't entirely got my head around it, but I think you are correct. If I can just backtrack, I use authelia in two ways. Firstly in conjunction with the reverse proxy it allows (or doesn't) access to a particular service. So a forward from the reverse proxy can be set to go via authelia (with the option to bypass, one-factor, or two-factor). This is, of course, irrelevant to this issue.

Having logged in to the authentication portal, the service is presented, and one can use authelia as the authentication and authorisation server for the service. ie. Sign in, based on authelia hosted credentials.

So if misago is the service, can it utilise the endpoints that authelia provides? I've had a look, and I think it can*. What I don't know is how misago can handle that. How to map authelia provided scope to misago (username, displayname, email, avatar, etc) authenticated users. How to automatically create a user that does not already exist in misago.

I realise that you are asking me these sort of questions, I am trying to frame it in a structure that I understand, and is driven by what I actually want to get to. Of course this is all completely irrelevant if authelia can't provide an endpoint that conforms to misago's expectations.

• The openid-connect implementation of authelia includes an OAuth 2.0 Endpoint.

The best current example that I can find, which seems to be OAuth 2 rather than explicitly OIDC, is Hedgedoc. I have set this up exactly as the Hedgedoc/authelia integration guide. This appears to work as expected. When the hedgedoc service is connected to, it displays an un-authenticated instance. Choosing "Sign In" offers the option "Sign in via Authelia"

Accepting that logs the authelia authenticated user in to hedgedoc.

That would be functionality that I would like.

[extended discussion almost certainly out of scope]

Before the internet became the wild west, my forum members used to log in with "comedy" guest names, to make amusing posts in the 'style' of a well known character. "E.L. Wisty", "img" etc for making anonymous posts attributed to a particular style. We have had to curtail that, and enforce logging in to eliminate spam. It seems to me that it might be possible to allow certain misago endpoints through the reverse proxy auth, such that read only access could be enabled using authelia access control. Then it might be possible to log in to misago using 'reserved' usernames (with no password, or a published password, but not insecure because log in to the reverse proxy would be necessary to have access to the login portal in misago), that are not part of the authelia auth system....and then also be able to log in as a user authorised and authenticated through authelia.

So the cherry on the top would be that:
a. I could bypass the authelia/reverse proxy integration just for read only access to misago
b. I could log in to the authelia portal and then:
i. Log in as a misago user
ii. Log in as an authelia user, who is mapped (or created as) a misago user who can only log in via authelia

I'm trying to have a look at it.

Firstly I'm trying to build and deploy misago under podman.

I believe that to be correct. Those are the discoverable endpoints, according to the authelia documentation.

I'm currently not making much headway with this.

I need to know a lot more about oauth, and what misago needs, to be able to do so. I'm looking into it alongside other things.

This is the work done on authelia, in regard to open ID connect (and the underlying oauth2).

Is there anything here that suggests that there is a possible route for authentication for misago (or something that suggests it's not possible)?

Beta 1

complete v4.29.0

Feature List:

• User Consent
• Authorization Code Flow
• OpenID Connect Discovery
• RS256 Signature Strategy
• Per Client Scope/Grant Type/Response Type Restriction
• Per Client Authorization Policy (1FA/2FA)
• Per Client List of Valid Redirection URI’s
• Confidential Client Type

Beta 2

complete v4.30.0

Feature List:

• Userinfo Endpoint
• Parameter Entropy
• Token/Code Lifespan
• Client Debug Messages
• Client Audience
• Public Client Type

Beta 3

complete v4.34.0

Feature List:

• Proof Key Code Exchange (PKCE) for Authorization Code Flow
• Claims:
  • preferred_username - sending the username in this claim instead of the sub claim.

Beta 4

complete v4.35.0

Feature List:

• Persistent Storage
  • Tokens
  • Auditable Information
  • Subject to User Mapping
• Opaque RFC4122 UUID v4’s for subject identifiers
• Support for Pairwise and Plain subject identifier types as per OpenID Connect Core (Subject Identifier Types)
  • Utilize the pairwise example method 3 as per OpenID Connect Core (Pairwise Identifier Algorithm)
• Claims:
  • sub - replace username with opaque random RFC4122 UUID v4
  • amr - authentication method references as per RFC8176
  • azp - authorized party as per OpenID Connect Core (ID Token)
  • client_id - the Client ID as per RFC8693 Section 4.3
• Cross Origin Resource Sharing (CORS):
  • Automatically allow all cross-origin requests to the discovery endpoints
  • Automatically allow all cross-origin requests to the JSON Web Keys endpoint
  • Optionally allow cross-origin requests to the other endpoints individually

Beta 5

complete v4.37.0

Feature List:

• JWK’s backed by X509 Certificate Chains
• Hashed Client Secrets
• Per-Client Consent Mode:
  • Explicit:
    • The default
    • Always asks for end-user consent
  • Implicit:
    • Not expressly standards compliant
    • Never asks for end-user consent
    • Not compatible with the consent prompt type
  • Pre-Configured:
    • Allows users to save consent sessions for a duration configured by the administrator
    • Operates nearly identically to the explicit consent mode

Beta 6

in progress v4.38.0

• OAuth 2.0 Pushed Authorization Requests

Beta 7

not started

Feature List:

• Prompt Handling
• Display Handling

See OpenID Connect Core (Mandatory to Implement Features for All OpenID Providers).

Beta 8

not started

Feature List:

• Revoke Tokens on User Logout or Expiration
• JSON Web Key Rotation

General Availability

not started

Feature List:

• Enable by Default
• Only after all previous stages are checked for bugs

Miscellaneous

This stage lists features which individually do not fit into a specific stage and may or may not be implemented.

OpenID Connect Dynamic Client Registration

not started

See the OpenID Connect website for the OpenID Connect Dynamic Client Registration specification.

OpenID Connect Back-Channel Logout

not started

See the OpenID Connect website for the OpenID Connect Back-Channel Logout specification.

Should be implemented alongside Dynamic Client Registration.

OpenID Connect Front-Channel Logout

not started

See the OpenID Connect website for the OpenID Connect Front-Channel Logout specification.

Should be implemented alongside Dynamic Client Registration.

complete v4.34.0

See the IETF Specification RFC8414 for more information.

OpenID Connect Session Management

not started

See the OpenID Connect website for the OpenID Connect Session Management specification.

End-User Scope Grants

not started

Allow users to choose which scopes they grant.

Client RBAC

not started

Allow clients to be configured with a list of users and groups who have access to them.

Preferred Username Claim

complete v4.33.2

The preferred_username claim was missing and was fixed.

Yes, and I have it working in an app using oauth2 ( hedgedoc ). I just can't work out the misago end settings to make it function.

I've got it redirecting to authelia as the auth provider. I have authelia confirming the request for auth and to share the scopes. I have it redirecting back to misago.

Misago isn't getting an access token, or the userinfo.

So I am not understanding what request misago has to make, and where/how the access token is to be found. So that's part how authelia serves it, part how to structure the settings in misago to access it.

I've made an enquiry asking this.