Single Sign On support

[osresearch]

For self-hosted communities it would be nice to be able to have the users automatically logged in via a single sign-on system like Keycloak (using OAuth2 / OIDC), rather than sending email with a login link. The user's email address and name can be created automatically on first login, allowing users in the community to create polls without having to go through other steps to register.

HedgeDoc is another typescript tool that integrates OAuth2 users via nestjs/passport and might be a good example of how to integrate the login / auth flow to rally.

[Coo-ops]

Will hijack because it relates to authentication.

I want the landing page disabled outright, the "demo" link shouldn't even be there.
We need the ability to disable login.
Its unacceptable that just anyone can sign up at any given time, thus risking my email server ending up blacklisted.
I don't actually even want emails at all, maybe theres a way to set up an account via the database?

[Coo-ops]

Is there a way to call for a magic link without having to email it?

[IamTaoChen]

I'm excited about using OIDC, too. OIDC is very convenient.

[jirutka]

I’ve looked into this and it will basically require replacing the whole authentication layer. It’s now quite custom, built on iron-session. I’m thinking about replacing it with NextAuth.

@lukevella, are you interested in this feature? Is it something you plan to do in the future and/or will you accept a pull request from the community implementing this change?

[lukevella]

I do plan on switching to next-auth. I went with iron-session at the time because it seemed like a simpler approach and I could use it for authenticating all sorts of requests not just login. I’m not sure how to handle guest users with next-auth, haven’t looked into it but that’s an important piece of the puzzle.

I’ve had submissions for this already, but I don’t have the bandwidth right now to properly review and complete such a large and critical change.

Working on releasing v3 right now so this will have to sit on the back log for a while longer.

[jirutka]

Thanks for the quick reply!

[PetitMote]

Hello there,
Thank you for OIDC support (although, I can’t get it to work for now, that may only be due to the yunohost install).

I was wondering, would you be interested in LDAP and HTTP Basic Auth ? It’s the SSO used by Yunohost, and it would allow to be connected without even seeing the login page. Might be a lot of work, I don’t know. Apparently, Next Auth supports at least LDAP.

[ThisIsMissEm]

So the migration to NextAuth / Auth.js seems to now be complete, however, there's still no option to disable sign-in with email, nor is there a way to do any form of RBAC / Access control, which is important given the licensing of rallly being limited to a given number of users.

[osresearch]

Thanks for adding OIDC support! I've enabled it with our keycloak install and it seems to be working.

For folks who are wondering what to set in the config.env, this is what is working for me:

OIDC_ISSUER_URL=https://login.example.com/realms/our-realm-name
OIDC_DISCOVERY_URL=https://login.example.com/realms/our-realm-name/.well-known/openid-configuration
OIDC_CLIENT_ID=events
OIDC_CLIENT_SECRET=super-secret-value

Is there a way to turn off all email registration since we only want users to authenticate via OIDC?

[osresearch]

I see that disable registration was added in #1759