obligator's People

Contributors

aeneasr, anderspitman, newam, zhming0

obligator's Issues

Docker repo is 404

pull access denied for anderspitman/obligator, repository does not exist or may require 'docker login'

lastlogin.io demo sends emails with invalid magic links

I just followed the instructions at the Demo section to try the obligator instance running at lastlogin.io using my email address. After a little while I received the email and clicked on the link, but then it goes to lastlogin.io/magic?key...... and the error message "Invalid magic link" is displayed. However, the URL seems to be fine, having a key and an instance_id.

suggestion for future consideration: WebAuthN FIDO2 (passkeys)

I have not done much digging into this project yet, but a suggestion I have after reading the readme file is in response to the blurb about sending a unique code to the email. The suggestion is to add a registration flow to confirm ownership of the email like you already are, but then also allow linking that email to a FIDO2 token registration via WebAuthn, which is what passkeys use.

I suggest this because I use a variety of WebAuthn devices all the time now and I think that method of authenticating is much, much better than passwords and is more convenient than clicking on a link sent to your email, in my opinion. There are authenticator smartcards (my preference), USB tokens like YubiKeys and the open-source derivatives, and of course now Google and Apple passkeys supported by the trusted platform modules or HSMs on the new phones.

Using Obligator to protect apps

Currently I am using Authentik to protect my apps. It is too slow and I would like to use Obligator instead. As I understand it, forward auth is the needed feature for this kind of stuff. But I can't wrap my head around what settings I need to specify in my reverse proxy.

I'm using Authentik with Caddy and this setup: https://docs.goauthentik.io/docs/providers/proxy/server_caddy

This way, when someone tries to access an app, he is first redirected to an outpost, where he must log in.

Please let me know if this is possible to do with Obligator.

Fix QR issues

  • Redirect to original instance when clustered
  • Expire codes after a brief time

[feedback] Kanidm comparison table line items

Hi there,

I'm the developer of Kanidm; I wanted to update some of your line items in the readme.

  • Simple - This is subjective, but most of our users would say "yes" to this compared to Keycloak or oauth2-proxy.
  • Anonymous - No
  • Multi-domain - No
  • Email Login - No
  • HTTP API - Yes
  • Forward Auth - No (last we looked, it's insecure)
  • Header Auth - Yes
  • OIDC - Yes, we are a full OIDC server
  • SAML - No
  • MFA - Yes, including passkeys and attested passkeys
  • Rev Proxy - No
  • Admin GUI - No
  • Client Registration - No
  • Passkeys - Yes
  • Attested Passkeys - Yes, we are the only IDP that supports these today

We also have active-active replication, so we support HA.

TLSAuth parameter for SMTP

Actually testing your interesting software 👍

At the moment it is not possible to use SMTP endpoints which require SSL/TLS encryption for sending mails (e.g. smtp.office365.com) with the docker image. Checked the code and in the struct there are no params for this use case.

It would be nice if this is possible.

Encrypt all cookies

Don't see a good reason not to, and it offers some defense in depth. At least random apps on the user's machine won't be able to snoop all their logins.

Add Impersonation?

It is a pretty important feature for many within the auth / identity space. The only modern provider that seems to have support and documentation for "impersonation" is GoAuthentik - but I've not run through your full comparison table yet. Is that a feature you wouldn't mind adding to your comparison table?
Thanks!

Consider adding OpenZiti for application-embedded security

Currently the API is only offered through unix sockets. This reduces the chance that it accidentally gets exposed, which is important because it's not authenticated in any way.

Would you be open to embedding zero trust directly into the project via OpenZiti? OpenZiti allows you to have secure connectivity to the server from anywhere, via a zero trust overlay.

If that sounds interesting, I'd be happy to contribute a patch and if you're into it, demo it over on our YouTube channel too?
