What’s everyones recommendations for a self-hosted authentication system?
My requirements are basically something lightweight that can handle logins for both regular users and google. I only have 4-5 total users.
So far, I’ve looked at and tested:
- Authentik - Seems okay, but also really slow for some reason. I’m also not a fan of the username on one page, password on the next screen flow
- Keycloak - Looks like it might be lighter in resources these days, but definitely complicated to use
- LLDAP - I’d be happy to use it for the ldap backend, but it doesn’t solve the whole problem
- Authelia - No web ui, which is fine, but also doesn’t support social logins as far as I can tell. I think it would be my choice if it did support oidc
- Zitadel - Sounds promising, but I spent a couple hours troubleshooting it just to get it working. I might go back to it, but I’ve had the most trouble with it so far and can’t even compare the actual config yet
Awesome. Thank you.
Now to see how i make this work in k8s since they evidently mandate the cert inside instead of just allowing the ingress to have it.
Yeah, sounds like a security feature… I was able to configure Traefik to connect with TLS, verifying the peer certificate.
I could do this but sadly even just the trial did not work. I’m using podman but it gives me “invalid state” just trying to login with a user per the quickstart, etc. Can’t reset the password cleanly, can’t add a passkey via bitwarden, etc.
Unsure if I’m doing something wrong or if it’s very alpha/beta.
I didn’t have any issues, do you see anything in the logs?
0e2475ba-882a-4f61-8938-2642ca80193b WARN │ ┝━ 🚧 [warn]: WARNING: index "displayname" Equality was not found. YOU MUST REINDEX YOUR DATABASE 0e2475ba-882a-4f61-8938-2642ca80193b WARN │ ┝━ 🚧 [warn]: WARNING: index "name_history" Equality was not found. YOU MUST REINDEX YOUR DATABASE 0e2475ba-882a-4f61-8938-2642ca80193b WARN │ ┝━ 🚧 [warn]: WARNING: index "jws_es256_private_key" Equality was not found. YOU MUST REINDEX YOUR DATABASE
I had to drop it for a few days. I got that at some point though. It’s all brand new so I wouldn’t know why. Seems a bit rough around the edges so far. I’ll try to reindex and attempt again. I really want this to be the product I use since it’s a nice AIO solution but we’ll see.
Edit:
[~]$ podman run --rm -i -t -v kanidm:/data \ kanidm/server:latest /sbin/kanidmd reindex -c /data/server.toml error: unrecognized subcommand 'reindex'
Phew boy. Straight from the docs. Same with the vacuum command.
Looks like the docs need updated to specify the command is
kanidm database reindex -c /data/server.toml
And further upon trying to login…
300e55b7-e30a-42a5-ac3e-ec0e69285605 INFO handle_request [ 188µs | 0.00% / 100.00% ] 300e55b7-e30a-42a5-ac3e-ec0e69285605 INFO ┕━ request [ 188µs | 72.94% / 100.00% ] method: GET | uri: /v1/auth/valid | version: HTTP/1.1 300e55b7-e30a-42a5-ac3e-ec0e69285605 INFO ┝━ handle_auth_valid [ 50.8µs | 25.54% / 27.06% ] 300e55b7-e30a-42a5-ac3e-ec0e69285605 INFO │ ┝━ validate_client_auth_info_to_ident [ 2.85µs | 1.51% ] 300e55b7-e30a-42a5-ac3e-ec0e69285605 WARN │ │ ┕━ 🚧 [warn]: No client certificate or bearer tokens were supplied 300e55b7-e30a-42a5-ac3e-ec0e69285605 ERROR │ ┕━ 🚨 [error]: Invalid identity: NotAuthenticated | event_tag_id: 1 300e55b7-e30a-42a5-ac3e-ec0e69285605 WARN ┕━ 🚧 [warn]: | latency: 204.504µs | status_code: 401 | kopid: "300e55b7-e30a-42a5-ac3e-ec0e69285605" | msg: "client error"
I think I’m gonna have to just nuke it and start fresh but yeah, this is not a great first impression at all.
I mean, it is a bit rough, they’re not at 1.0 yet, also: are you looking at the stable or latest docs? That may be the reason the commands do not match with the docs.