forgejo/forgejo

Çatalla 843

[FEAT] Please provide authentication via IndieAuth #1692

Yeni Konu

Kapalı

arkdae tarafından 2023-10-30 13:41:35 +01:00 açıldı · 8 yorum

arkdae

2023-10-30 13:41:35 +01:00

yorum yaptı

Dependency references

https://github.com/go-gitea/gitea/issues/21620

Needs and benefits

It seems to me that the IndieAuth authentication protocol is a very good fit to add to Forgejo. I think this is a good way to help move away from signing in via GitHub, GitLab, GitTea etc.

Feature Description

This should be pretty straightforward. I believe IndieAuth works similarly to the existing authentication options (OAuth I'm guessing). You present a text field into which someone can enter a URL. That URL is followed to find the authentication endpoint. The user authenticates with their own domain in however manner they have set up. Successful authentication redirects back to the running Forgejo instance along with an access token.

### Dependency references - https://github.com/go-gitea/gitea/issues/21620 ### Needs and benefits It seems to me that the [IndieAuth](https://indieweb.org/IndieAuth) authentication protocol is a very good fit to add to Forgejo. I think this is a good way to help move away from signing in via GitHub, GitLab, GitTea etc. ### Feature Description This should be pretty straightforward. I believe IndieAuth works similarly to the existing authentication options (OAuth I'm guessing). You present a text field into which someone can enter a URL. That URL is followed to find the authentication endpoint. The user authenticates with their own domain in however manner they have set up. Successful authentication redirects back to the running Forgejo instance along with an access token.

👍 3 ❤️ 1

arkdae

enhancement/feature

etiketini

2023-10-30 13:41:36 +01:00

ekledi

Gusted

2023-11-01 21:03:13 +01:00

yorum yaptı

Sahibi

So I read the webpage and I'm still left figuring out how this is different from OpenID (Connect) in which also a URL is given (usually to your own site) and then black magic happens to authorize it.

caesar

2023-11-01 23:37:55 +01:00

yorum yaptı

Üye

So for example, I can log into https://indieweb.org/ using my personal website as an identity, whereas if I want to log into https://code.forgejo.org/ I can only use Codeberg as an identity provider.

IndieAuth is decentralized (as was the original OpenID). The login name is a URL, often of a personal website. OIDC uses siloed providers (eg Google, GitHub, Codeberg) and the relying party must specifically whitelist each provider. So for example, I can log into https://indieweb.org/ using my personal website as an identity, whereas if I want to log into https://code.forgejo.org/ I can only use Codeberg as an identity provider.

caesar

etiketlerini

2023-11-01 23:40:14 +01:00

ekledi

arkdae

2023-11-02 02:48:31 +01:00

yorum yaptı

Yazar

Thanks for answering caesar. I actually didn't know anything about OpenID. I had only just recently stumbled upon IndieAuth, and thought that was a great idea. There's a simple PHP script that anyone can add to their web site and instantly have their own authentication mechanism.

I've installed Forgejo and I was surprised that my installation includes an OpenID tab which allows me to enter a URL. Surprised, because the demo Forgejo instance does not provide that. I wanted to check first before opening this feature request.

If there is any value in what is said at indieweb.org, then these links regarding OpenID might be useful.

First, at the to of the page:
OpenID

OpenID was a protocol for using a web address as an identity to sign-in to websites; it is losing support, is effectively dead (versions 1 & 2 are both deprecated, sites are dropping support), and has been replaced on the IndieWeb with web-sign-in and IndieAuth.

The OpenID Foundation has obsoleted OpenID and OpenID 2.0 in favour of OpenID Connect which unfortunately does not serve the same goal as OpenID did.

There are more issues regarding OpenID under OpenID Criticism and Why not OpenID.

Regardless, I might try to install OpenID on my web site as I have set up IndieAuth, and see if I can use it with Forgejo. But I must say, if the complexity of OpenID as claimed on IndieWeb is to be believed, it contrasts quite unfavorably as setting up IndieAuth was extremely simple.

Thanks for answering caesar. I actually didn't know anything about OpenID. I had only just recently stumbled upon IndieAuth, and thought that was a great idea. There's a [simple PHP script](https://github.com/inklings-io/selfauth) that anyone can add to their web site and instantly have their own authentication mechanism. I've installed Forgejo and I was surprised that my installation includes an OpenID tab which allows me to enter a URL. Surprised, because the demo Forgejo instance does not provide that. I wanted to check first before opening this feature request. If there is any value in what is said at indieweb.org, then these links regarding OpenID might be useful. First, at the to of the page: [OpenID](https://indieweb.org/OpenID) > OpenID was a protocol for using a web address as an identity to sign-in to websites; it is losing support, is effectively dead (versions 1 & 2 are both deprecated, sites are dropping support), and has been replaced on the IndieWeb with web-sign-in and IndieAuth. > > The OpenID Foundation has obsoleted OpenID and OpenID 2.0 in favour of OpenID Connect which unfortunately does not serve the same goal as OpenID did. There are more issues regarding OpenID under [OpenID Criticism](https://indieweb.org/OpenID#Criticism) and [Why not OpenID](https://indieweb.org/Why_web_sign-in#Why_not_OpenID). Regardless, I might try to install OpenID on my web site as I have set up IndieAuth, and see if I can use it with Forgejo. But I must say, if the complexity of OpenID as claimed on IndieWeb is to be believed, it contrasts quite unfavorably as setting up IndieAuth was extremely simple.

arkdae

2023-11-02 14:31:01 +01:00

yorum yaptı

Yazar

There's one question I forgot to ask. If Forgejo already supports OpenID, why isn't this option available when logging into either the Forgejo demo server, or Codeberg? If I can get Forgejo working with some protocol that allows me to own my credentials, that's great. But it seems to me it would be much better if such a thing were promoted by these hosting services, and it seems like this concept is very much in line with what prompted the creation of Forgejo in the first place.

arkdae

2023-11-02 16:35:37 +01:00

yorum yaptı

Yazar

Here is some more information I have found at SimpleID. This is an OpenID (Connect) provider. It is much more complex to install, and I am not sure my web server has the required software to support it.

Comment from: @strk
Date: Apr 06 2016

Wow now this sounds like a big step backward for federated identities :(
Is there anything a client could do to somehow automate the exchange of cryptographic keys ?
I think I've read something about "providers discovery" in the specs ?

Comment from: @kelvinmo
Date: Apr 06 2016

"Federated" now means federated among big entities, I'm afraid.

There is. The combination of webfinger (https://tools.ietf.org/html/rfc7033), OpenID Connect Discovery (http://openid.net/specs/openid-connect-discovery-1_0.html) and OpenID Connect Dynamic Registration (http://openid.net/specs/openid-connect-registration-1_0.html) will replicate the existing OpenID functionality regarding discovery and exchange of keys. But as you can see, they are really complicated and, as far as I know, are not widely used.

Given the mentioned complexity, I am suspecting that Forgejo does not implement the requirements. In addition, I also suspect the reason the Forgejo demo server and Codeberg do not expose the OpenID tab is because to use it requires setting up certificates exchanged between these services and the OpenID Connect provider before it will work (unless implementing the above three items).

I think this is what caesar is talking about with respect to silos. The difficulty with setting up additional OpenID Connect providers makes it impossible for everyone to just run one and have authentication automatically passed to and be trusted by it. So, instead a small subset of providers are selected, the service you wish to log in to sets up connections to those providers once, and that is all you are allowed to use.

Where IndieAuth differs is that it is extremely easy to set up on a webmaster's web site. It provides only one ID. So instead of having a few providers providing thousands of IDs, you have thousands of providers providing one ID.

Here is some more information I have found at [SimpleID](https://github.com/simpleid/simpleid/issues/17). This is an OpenID (Connect) provider. It is much more complex to install, and I am not sure my web server has the required software to support it. > Comment from: @strk > Date: Apr 06 2016 > > Wow now this sounds like a big step backward for federated identities :( > Is there anything a client could do to somehow automate the exchange of cryptographic keys ? > I think I've read something about "providers discovery" in the specs ? > > Comment from: @kelvinmo > Date: Apr 06 2016 > > "Federated" now means federated among big entities, I'm afraid. > > There is. The combination of webfinger (https://tools.ietf.org/html/rfc7033), OpenID Connect Discovery (http://openid.net/specs/openid-connect-discovery-1_0.html) and OpenID Connect Dynamic Registration (http://openid.net/specs/openid-connect-registration-1_0.html) will replicate the existing OpenID functionality regarding discovery and exchange of keys. But as you can see, they are really complicated and, as far as I know, are not widely used. Given the mentioned complexity, I am suspecting that Forgejo does not implement the requirements. In addition, I also suspect the reason the Forgejo demo server and Codeberg do not expose the OpenID tab is because to use it requires setting up certificates exchanged between these services and the OpenID Connect provider before it will work (unless implementing the above three items). I think this is what caesar is talking about with respect to silos. The difficulty with setting up additional OpenID Connect providers makes it impossible for everyone to just run one and have authentication automatically passed to and be trusted by it. So, instead a small subset of providers are selected, the service you wish to log in to sets up connections to those providers once, and that is all you are allowed to use. Where IndieAuth differs is that it is extremely easy to set up on a webmaster's web site. It provides only one ID. So instead of having a few providers providing thousands of IDs, you have thousands of providers providing one ID.

Gusted

2023-11-02 22:53:18 +01:00

yorum yaptı

Sahibi

So first of all, Codeberg doesn't have it enabled as it also comes with responsibility to have it tested first and be able to handle it at scale (as well to not allow a new attack vector for spammers), it has been discussed. As for why Forgejo's demo server doesn't have it enabled, it's not a feature enabled by default and nobody asked for it to be enabled so far.

There's a lot of information now in this thread that's bit too much for someone that isn't really close with OpenID specification and how it's implementation in Forgejo, so I guess this is great for UX research to understand this @dachary

So first of all, Codeberg doesn't have it enabled as it also comes with responsibility to have it tested first and be able to handle it at scale (as well to not allow a new attack vector for spammers), [it has been discussed](https://codeberg.org/Codeberg/Community/issues/142). As for why Forgejo's demo server doesn't have it enabled, it's not a feature enabled by default and nobody asked for it to be enabled *so far*. There's a lot of information now in this thread that's bit too much for someone that isn't really close with OpenID specification and how it's implementation in Forgejo, so I guess this is great for UX research to understand this @dachary

fnetX

2024-09-19 13:24:57 +02:00

yorum yaptı

Sahibi

There is no evidence that users need this feature; after all IndieAuth is quite niche. However, I think this is a case where we need to decide what we want to promote to users. Anyone interested in this is probably welcome to pick this up. But I doubt that Forgejo contributors will get to doing the work.

fnetX

Gain

Undefined

etiketini

2025-01-24 03:50:41 +01:00

ekledi

fnetX

User research - Config (instance)

ekleme ve

kaldırma işlemlerini

2025-06-07 12:49:15 +02:00

yaptı

fnetX

2025-06-07 12:49:45 +02:00

yorum yaptı

Sahibi

I'm closing this issue, because it has been labelled with Gain/Undefined for a while. If you want to revive the discussion, please help us understand how this affects more users, or by finding a solution that solves other problems as well.

fnetX

2025-06-07 12:49:51 +02:00

konusunu kapattı

Bu konuşmaya katılmak için oturum aç.