this post was submitted on 18 Apr 2024
33 points (83.7% liked)

Selfhosted

40341 readers
888 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 1 year ago
MODERATORS
 

Hi, recently I started using authelia, and can't understand how I need to use it, and how do I share it with others

Before I had bitwarden, kept all my passwords there, and used the passwords to login to every service. Also in every service I had 2FA and/or FIDO.

But now I have authelia, and I'm trying to understand where should be the main password, and what services do I bypass, and etc

And the most important, how do I explain people how to use it, do I create them authelia credentials and send, or how?

Thank you

top 21 comments
sorted by: hot top controversial new old
[–] [email protected] 19 points 7 months ago (2 children)

Holy XY.

Why are you doing this? What are you trying to achieve?

[–] [email protected] 23 points 7 months ago (1 children)
[–] [email protected] 5 points 7 months ago

Thank you for this! TIL

[–] madejackson 11 points 7 months ago (1 children)

Authelia is an authentification provider. So you can have a single login for all your services. It can provide autorisation and authentification with a single unified login.

Bitwarden is much "simpler", in it's just a passwordmanager. As soon as you start sharing passwords, like you do in bitwarden, you lose the authentification part, even worse, you lose control over the shared login. Anyone with autorisation can "steal" the login as in unauthorized copying/distributing the password or even changing the password alltogether.

With an sso like authelia you can mitigate such attack vectors.

[–] [email protected] -2 points 7 months ago

I didn't get it 😅

I see a big problem in every approach, probably because I don't understand something

When i'm using just bitwarden, all my passwords for every service are different, but the ui is opened for anyone to see

When I use authelia without oidc I add complexity of using the services, and probably two passwords to type manually, or a locked down system(which is cool)

And if I use authelia with oidc, it means I have only one password for all of the services (manual, or in bitwarden (which has its own manual password))

[–] ad_on_is 7 points 7 months ago

Authelia is meant to be an SSO (like Google). In order to use it, you have to create users (and passwords) within the authelia yaml file, or connect it to light-ldap and do it via ldaps web gui.

You probably have other services running, i.e. immich, etc. These can be configured to use auhelias OIDC to authenticate the user against. you'd still need to create the users within the service, since I doubt they get auto-created.

Now, you can decide for yourself, whether to put your bitwarden behind authelia or not, and I'm not sure how the mobile apps work in this sense, if at all.

If you decide to do so, you just give your users their authelia/lightldap creds, if not, you additionally have to give them their bitwarden creds.

[–] brewery 4 points 7 months ago (1 children)

I use authentik but believe it's similar. You can create accounts for people and give them passwords, or send a welcome email asking them to register to create one. I would warn you though, not every service has the ability to use it and it does take quite some effort to get it working! It's interesting to learn about though

[–] [email protected] -2 points 7 months ago (1 children)

There's no registration in authelia I believe 🥲

And my problem is, like, should authelia password be manually typed, if not, where do the people store the password if they don't have bitwarden yet

[–] [email protected] 1 points 7 months ago (1 children)

If you are looking for user management and registration, then Authelia is the wrong software for you.

Authelia is a very light weight security layer (and more recently SSO) that is only meant for few users precisely because it doesn't have an onboarding process, dynamic access control, and more advanced features. Everything is done through config files and secrets. The admin has to manually create a file or plaintext lines with the user and password for each new user and restart the container.

Authentik is what you want if you want a bunch of users and new user sign up.

As for bitwarden/SSO, they should be fully separate. Otherwise you will likely break Bitwarden app and browser integration functionality.

You also do not want to run into the case where you don't know your SSO password so you can't get into bitwarden to find the password and you are screwed.

Bitwarden, TOTP method, and SSO should ideally be separate and you should be able to access your passwords and TOTP without requiring any password that is exclusively in the Bitwarden database.

[–] [email protected] -1 points 7 months ago* (last edited 7 months ago) (1 children)

There's actually a point of doing that, it's called lock down, but how to explain users how to do this 😆

For bitwarden functionality there are bypass rules on just a nginx location, or network somebody is reaching through

In general the situation reminds me using selfhosted email as a contact email for that hosting 😁 but I think in this case it's less risk because I control the data

Edit: and I'm not really looking for user management, I just want to know how to use authelia efficiently

[–] [email protected] 1 points 7 months ago* (last edited 7 months ago)

Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I've seen in this thread:

Fewer Letters More Letters
HTTP Hypertext Transfer Protocol, the Web
SSO Single Sign-On
nginx Popular HTTP server

2 acronyms in this thread; the most compressed thread commented on today has 12 acronyms.

[Thread #689 for this sub, first seen 19th Apr 2024, 06:35] [FAQ] [Full list] [Contact] [Source code]

[–] [email protected] 1 points 7 months ago* (last edited 7 months ago) (1 children)

Most things should be behind Authelia. It's hard to know how to help without knowing what exactly you're doing with it but generally speaking Authelia means you can have SSO+2FA for every app, even apps that don't provide it by default.

It also means that if you have users, you don't need them to store a bunch of passwords.

One big thing to keep in mind is that anything with its own login system may be more involved to get working behind Authelia, like Nextcloud.

[–] madejackson 3 points 7 months ago (1 children)

Quick heads up, Nextcloud works perfectly fine behind an auth provider. I am using it behind authentik.

[–] [email protected] 1 points 7 months ago (1 children)

I had issues connecting to Nextcloud from mobile clients when using Authelia, they didn't like it, but if there's a workaround for that that's great

[–] [email protected] 1 points 7 months ago (1 children)

You need to use authelia's oidc, and your nextcloud app will be able to store this session for everything it needs

[–] [email protected] 2 points 7 months ago (1 children)

Goes to show I don't know much about SSO I suppose. Time to do some more research

[–] [email protected] -1 points 7 months ago

🤝

Also, it's common practice to do rules, so ask 2fa on myserver.host, but don't ask anything on myserver.host/api