Feature Request: Add OIDC authentication #1689
Comments
Thanks for this. Let's implement after the imminent release, 2.1
Is this a highly requested feature for a self-hosted application? This would make sense in a SaaS context, I have a feeling 2FA would just annoy a lot of users running Checkmate on their local network. If we did implement it I think it would be a good idea to make it opt in rather than enabled by default. 2FA really annoys me when I don't need it.
@ajhollid Well yeah, I'd make it all optional too :) And the project is IMHO very attractive for larger, non-homelab installations as well, which would make this a good feature to have :) I've noticed that many for-profit SaaS companies only enable features like OAuth in the most expensive tiers, so it's such a highly requested feature that SaaS customer companies are willing to pay extra for it :) (Example: https://slack.com/intl/en-gb/pricing or https://miro.com/pricing/ etc.)
Agreed. Unless we enable this by default, we are good to go here.
Tell me 3 more features you'd like to see which will make Checkmate suitable for larger installations :) |
I mean it's nice as it is :) But if there were unlimited development resources ^^:
I could go on :) :D But no worries, it's a nice piece of software :) BTW the infrastructure collector agent installation could be a bit easier, e.g. you have to memorize that you have to add /api/v1/metrics in the URL field (which is by default http(?)). You could also think about a scenario where you can't open a port on a node but let the agents open a connection to the Checkmate app to report (see Portainer)
Thanks for those. My comments.
Good point. Can you add an issue for this so we can track it?
I meant the Disk "utilization" (vs. Disk capacity left). Recently, I had the issue that an HDD was constantly at 100% "utilization". As I later found out, it was caused by the Coolify Sentinel, which was writing continuously. This was hard to notice, the system was just slow and I didn't know why, until I saw the 100% value in htop.
OK, I assume you are talking about this area, right? [image] We have the total disk and utilized disk. I have been talking to @mertssmnoglu about adding all the disks found and not only the root disk, so they can appear here.
@gorkem-bwl Thanks, but these are just ideas; I don't know if other people feel these things are needed too. :D And no, I don't mean this graph; it's very useful and should stay. I had this problem: [image] Here is another graph: [image] I hope I explained the difference well enough. :) I'm not really sure which exact metric is the most informative. For example, my Netdata (the graphs above are from Netdata as well) alerted me about the "Disk Backlog [time]" on my disks, basically saying that it took 10 seconds(!) to process a write request. One has to analyze which value, and where to get it from, to determine the most meaningful metric. That said, I think this metric is not that important for most people because the problem is almost non-existent on SSDs. :)
Is your feature request related to a problem? Please describe.
Currently, there is no 2nd factor for authentication, which makes one's setup of Checkmate vulnerable to brute-force attacks, especially when using a bad or reused password.
It would be sensible and/or appreciated to also implement a 2nd factor for email/password authentication and/or Passkeys, but from my experience it's easier to just allow OpenID Connect first. Most IdPs have these security features already implemented.
Describe the solution you'd like
Implement an additional login/signup method with an arbitrary OIDC identity provider (like Authentic, Keycloak, Azure, etc.) to handle the complete authentication. Security-wise it would be good to be able to disable email + password authentication (because of the possible security implications of password auth mentioned above) if you choose to use an external IdP.
In a later expansion you could also add authorization features OIDC provides (e.g. Team selection).
Describe alternatives you've considered
You could follow many sites by adding support for specific OAuth providers (most of them are also just OIDC) like "Log in with..." Google, Apple, Azure, Meta, GitHub, etc.
Because a generic OIDC implementation would cover most IdPs, I'd suggest starting with the generic alternative. Additionally you can imagine that these "free" IdPs do collect user data, so it's a questionable alternative, though easier to configure for the end user. Many sites allowing login through social media providers also allow generic OIDC.
Implement a 2nd factor inside your app yourself, preferably with Google Authenticator (free for you and the user), which many password managers are able to fill in automatically.
Additional context
This proposal stems from a question in your Discord :) @gorkem-bwl
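The two points the request makes, letting password login be switched off once an external IdP is configured and having the server validate what the OIDC provider returns, sketched as an added JavaScript example that is not Checkmate's own code: the config keys, function names, issuer URL and sample claims are assumptions.

```javascript
// Added example, not Checkmate's code. Hypothetical server config: a generic
// OIDC provider plus a switch that turns off email/password login once the
// external IdP is meant to be the only way in (values below are constructed).
const authConfig = {
  oidc: {
    issuer: "https://idp.example.com/realms/checkmate", // constructed
    clientId: "checkmate-web",                           // constructed
  },
  passwordLoginEnabled: false,
};

// Which login methods the server should expose for a given config.
function allowedLoginMethods(cfg) {
  const methods = [];
  if (cfg.oidc && cfg.oidc.issuer && cfg.oidc.clientId) methods.push("oidc");
  // Keep password login when it is explicitly enabled, or when no IdP is
  // configured at all, so an operator can never lock themselves out entirely.
  if (cfg.passwordLoginEnabled || methods.length === 0) methods.push("password");
  return methods;
}

// Check the claims of an ID token (signature already verified by a JOSE
// library) against the config and the nonce stored in the login session.
// Returns the list of problems found; an empty list means the token is usable.
function idTokenProblems(claims, cfg, expectedNonce, nowSeconds) {
  const problems = [];
  if (claims.iss !== cfg.oidc.issuer) problems.push("issuer mismatch");
  const aud = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
  if (!aud.includes(cfg.oidc.clientId)) problems.push("audience mismatch");
  // With several audiences, azp must name this client (OIDC Core 3.1.3.7).
  if (aud.length > 1 && claims.azp !== cfg.oidc.clientId) problems.push("azp mismatch");
  if (typeof claims.exp !== "number" || claims.exp <= nowSeconds) problems.push("token expired");
  // The nonce ties the token to the browser session that started the login.
  if (claims.nonce !== expectedNonce) problems.push("nonce mismatch");
  if (typeof claims.sub !== "string" || claims.sub === "") problems.push("missing subject");
  return problems;
}

// Constructed sample claims, shaped like what a provider returns for a login.
const sampleClaims = {
  iss: "https://idp.example.com/realms/checkmate",
  aud: "checkmate-web",
  sub: "user-42",
  exp: 1700000600,
  nonce: "n-8f3a",
};
```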