mirror of
https://github.com/fosrl/pangolin.git
synced 2026-05-20 08:51:16 -05:00
OAuth/OIDC SSO Replacement (Authelia, Authentik, etc.) #150
Originally created by @miloschwartz on GitHub (Mar 16, 2025).
Originally assigned to: @miloschwartz on GitHub.
Discussed in https://github.com/orgs/fosrl/discussions/119
Originally posted by niffelheimba January 30, 2025
In lieu of using the built-in authentication/SSO service, allow for third-party integrations to replace both the authentication for Pangolin itself and the services it is proxying for (forward proxy/authentication for services that don't support SSO internally).
Personally, and seemingly for other users on Reddit, this would be the biggest feature to allow me to fully integrate into Pangolin. Nginx Proxy Manager is not well supported and is one of the most popular applications without an SSO integration. Though obviously this is primarily meant (at least currently) as a Cloudflare Tunnel replacement, this would make for an awesome all-in-one solution.
@miloschwartz commented on GitHub (Mar 17, 2025):
Note for later to revisit: #351
@adrianipopescu commented on GitHub (Mar 20, 2025):
If this can run with pocket-id and tinyauth, it'd be the simplest-to-configure zero-trust tunneling system, while still keeping a unified experience on- and off-site.
@TheLinuxGuy commented on GitHub (Mar 24, 2025):
I would love it if Authentik could be used.
@gigaion commented on GitHub (Mar 25, 2025):
Keycloak would be awesome as well. Looking forward to this!
@HRNasr commented on GitHub (Mar 25, 2025):
Casdoor would be awesome as well.
@michelkroon commented on GitHub (Mar 25, 2025):
Would love to use AzureAD with this project. OAuth or SAML is easy to set up (if you do it a lot 😄).
@FilipeRamalho commented on GitHub (Mar 25, 2025):
Does this include https://github.com/orgs/fosrl/discussions/21?
Or are you just going to make it possible to replace the built-in solution with an external OIDC provider for now?
@miloschwartz commented on GitHub (Mar 26, 2025):
@FilipeRamalho I think first step is going to be using another provider to replace the built in
@nikolaishields commented on GitHub (Mar 30, 2025):
Bumping this! Very excited and would love to use this with existing auth systems.
@blechinger commented on GitHub (Apr 1, 2025):
This is a killer feature and I'm stoked to see it in the Short Term swimlane. As-is I'd have to choose between simplifying access control and tunneling with Pangolin (which I'd very much like to do) or retaining existing robust identity management and SSO integrations (which is necessary for my use case). Options for integrating Pangolin with IAM solutions will allow a separation of concerns without adding tons of administrative overhead or scope bloat and enables a much wider range of practical applications.
@orhanveli commented on GitHub (Apr 3, 2025):
With this feature, Pangolin will become "the solution" that I'm looking for :) I think it's time to buy a licence, keep up the great work guys 💪🏻
@snowy-jaguar commented on GitHub (Apr 3, 2025):
I'd love to see this feature added. I'm probably going to roll out a Pangolin instance soon regardless but being able to tie it in to Authentik (when I've got that functionally useable) would be amazing.
@alexdelprete commented on GitHub (Apr 7, 2025):
I was keeping an eye on Pangolin, but it was missing an OIDC integration. Glad to see it is on the roadmap now.
Right now, for my homelab, I'm using Traefik with Zitadel, thanks to this great OIDC auth middleware by @sevensolutions: https://github.com/sevensolutions/traefik-oidc-auth
Supported/Unsupported providers:

@Cilenco commented on GitHub (Apr 8, 2025):
Not exactly sure how this would work; can the user management then still be done by Pangolin? Would be nice to still manage the users there but log in only once to access all proxied sites (which atm might use Authentik or similar).
@adrianipopescu commented on GitHub (Apr 8, 2025):
IMO we should just add Traefik's OIDC proxy plugin and configure that via the UI, along with which sites to use it on or not.
You can use Pangolin to expose your OIDC system to the net and control access and roles from it / site.
What I'd love would be to be able to sign in to Pangolin via OIDC.
@miloschwartz commented on GitHub (Apr 8, 2025):
Currently the goal is to add a generic OAuth2 provider as an auth method. You would define a Pangolin user but specify the auth method as Internal or OAuth2 (aka external). You would then expose the provider UI such as Authentik using Pangolin (or other proxy; doesn't really matter). When you go to authenticate with a resource, it redirects you to the auth provider to complete the log in step and then back to the resource. So ideally you still create the user object and manage it Pangolin, we just offload the auth step to the provider. This is very similar to how other apps handle it to my knowledge, for example Portainer.
@sevensolutions commented on GitHub (Apr 8, 2025):
This is exactly how you would do it normally and what i also would suggest.
The original idea of my proxy plugin was securing apps which don't have their own login handling, like simple static websites.
@oidebrett commented on GitHub (Apr 8, 2025):
I am looking forward to seeing the implementation of this feature. I am hoping that this might open up the possibility of pangolin supporting the authorisation of users of MCP. Here's the draft MCP specification on authorisation flow
The agents are coming 😀 I love to help contribute on this.
@Cilenco commented on GitHub (Apr 8, 2025):
Thanks for the explanation, I'm still not getting it completely though. How does the external OAuth provider know about the user resource defined in Pangolin and whether the user is allowed to access the requested resources? Wouldn't Pangolin have to act like a mini LDAP then?
@jacobalberty commented on GitHub (Apr 18, 2025):
@Cilenco Pangolin would look at the subject to determine what pgl user to map to. I hope we get some auto-adding user features, maybe with some default permissions; mapping groups would be even better, but that's a little more complex to get right.
@TheLinuxGuy commented on GitHub (Apr 18, 2025):
Is this FR implemented? I came across https://github.com/hhftechnology/middleware-manager which seems to do Authentik integration.
@miloschwartz commented on GitHub (Apr 18, 2025):
@TheLinuxGuy That tool is a third-party tool that will let you add forward auth middleware to a Traefik instance to use Authentik, but it does not integrate directly with Pangolin's auth system (aka not our upcoming first-party external identity provider feature).
@miloschwartz commented on GitHub (Apr 18, 2025):
@jacobalberty There will be an auto provision feature with the ability to map the external IDP groups to Pangolin roles and organizations!
@jacobalberty commented on GitHub (Apr 18, 2025):
@miloschwartz Just don't let Zitadel derail your MVP; its groups are different. I like it from an engineering perspective, but no one else uses the same group type and it sucks. There is an action us Zitadel users can use to fix things as long as we can pick the claim to pull from.
@miloschwartz commented on GitHub (Apr 18, 2025):
@jacobalberty Good to know to look out for this. I've been testing with Authentik.
I took inspiration from Grafana, and current MVP allows picking from the claims using JMESPath as a selector. Therefore hopefully very flexible from a user perspective.
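As an added sketch of the flow described in the two comments above (the redirect to the external provider and back, a Pangolin-side user object whose auth method is external, subject-to-user mapping, and a claim selector that maps IdP groups to roles): this is not Pangolin's code. The provider URLs, the in-memory user table, the claim paths, the `groups` scope, and the dotted-path selector standing in for JMESPath are assumptions; the authorization-code exchange and the JWT signature check against the provider's JWKS are assumed to be done by a JOSE library and are not shown.

```typescript
// Added example, not Pangolin's code. Provider URLs, user table and claim paths are constructed.
import { createHash, randomBytes } from "node:crypto";

type Provider = {
  issuer: string;                 // the ID token's `iss` must equal this exactly
  clientId: string;               // the ID token's `aud` must contain this
  authorizationEndpoint: string;
};

type LocalUser = {
  id: string;
  email: string;
  authMethod: "internal" | "oidc";
  idpSubject?: string;            // "<issuer>|<sub>" once linked to an external identity
  roles: string[];
};

type Claims = Record<string, unknown>;

const provider: Provider = {
  issuer: "https://idp.example.test/application/o/pangolin/",
  clientId: "pangolin-dashboard",
  authorizationEndpoint: "https://idp.example.test/application/o/authorize/",
};

// Constructed sample user table standing in for Pangolin's database.
const users: LocalUser[] = [
  { id: "u1", email: "alice@example.test", authMethod: "oidc",
    idpSubject: `${provider.issuer}|7c9e6679`, roles: [] },
  { id: "u2", email: "bob@example.test", authMethod: "internal", roles: ["member"] },
];

const b64url = (buf: Buffer): string => buf.toString("base64url");

// PKCE S256 (RFC 7636): challenge = BASE64URL(SHA-256(verifier)).
function pkceChallenge(verifier: string): string {
  return b64url(createHash("sha256").update(verifier).digest());
}

// Step 1: build the redirect to the provider. `state` ties the callback to this browser
// session (CSRF), `nonce` ties the ID token to this login attempt (replay), and PKCE stops
// a leaked authorization code from being redeemed by anyone else. All three are kept in the
// server-side session and checked on the way back.
function beginLogin(p: Provider, redirectUri: string) {
  const state = b64url(randomBytes(32));
  const nonce = b64url(randomBytes(32));
  const verifier = b64url(randomBytes(32));
  const params = new URLSearchParams({
    response_type: "code", client_id: p.clientId, redirect_uri: redirectUri,
    scope: "openid email profile groups", state, nonce,
    code_challenge: pkceChallenge(verifier), code_challenge_method: "S256",
  });
  return { url: `${p.authorizationEndpoint}?${params.toString()}`, state, nonce, verifier };
}

// Step 2: after the code exchange and signature verification, validate the ID token
// claims. A valid signature from the right key proves nothing about audience or freshness.
function validateIdTokenClaims(claims: Claims, p: Provider, expectedNonce: string, now: number): string[] {
  const errors: string[] = [];
  if (claims.iss !== p.issuer) errors.push("iss mismatch");
  const aud = claims.aud;
  if (!(Array.isArray(aud) ? aud.indexOf(p.clientId) >= 0 : aud === p.clientId)) errors.push("aud mismatch");
  if (typeof claims.exp !== "number" || claims.exp <= now) errors.push("expired");
  if (claims.nonce !== expectedNonce) errors.push("nonce mismatch");
  if (typeof claims.sub !== "string" || claims.sub === "") errors.push("missing sub");
  return errors;
}

// Step 3: pick a claim by dotted path (a simplified stand-in for a JMESPath selector).
// Authentik-style group claims are arrays of names; Zitadel-style role claims are objects
// keyed by role name, so both arrays and object keys are accepted as group names.
function selectClaim(claims: Claims, path: string): unknown {
  let cur: unknown = claims;
  for (const key of path.split(".")) {
    if (cur === null || typeof cur !== "object") return undefined;
    cur = (cur as Record<string, unknown>)[key];
  }
  return cur;
}

function mapGroupsToRoles(claims: Claims, groupsPath: string, mapping: Record<string, string>): string[] {
  const raw = selectClaim(claims, groupsPath);
  const groups: string[] = Array.isArray(raw) ? raw.filter((g): g is string => typeof g === "string")
    : raw !== null && typeof raw === "object" ? Object.keys(raw) : [];
  const roles = new Set<string>();
  for (const g of groups) if (Object.prototype.hasOwnProperty.call(mapping, g)) roles.add(mapping[g]);
  return Array.from(roles);
}

// Step 4: map the token subject to a local user. Match on issuer+sub only: email is mutable
// at most IdPs and sometimes unverified, so matching on it would let whoever controls that
// address at the IdP take over the local account. Auto-provisioning requires a verified email.
function resolveUser(claims: Claims, p: Provider, autoProvision: boolean): LocalUser | null {
  const key = `${p.issuer}|${String(claims.sub)}`;
  const linked = users.find((u) => u.authMethod === "oidc" && u.idpSubject === key);
  if (linked) return linked;
  const email = claims.email;
  if (!autoProvision || claims.email_verified !== true || typeof email !== "string") return null;
  const created: LocalUser = { id: `u${users.length + 1}`, email, authMethod: "oidc", idpSubject: key, roles: [] };
  users.push(created);
  return created;
}
```

On the callback, the handler compares the returned `state` with the stored one before anything else, exchanges the `code` together with the stored `verifier`, runs `validateIdTokenClaims` with the stored `nonce`, and only then calls `resolveUser` and `mapGroupsToRoles`; a user with `authMethod: "internal"` is never matched by the external flow, even if the IdP returns the same email.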
@jacobalberty commented on GitHub (Apr 18, 2025):
@miloschwartz excellent choice to take inspiration from Grafana. They support the nested permissions of Zitadel natively so you've got a leg up! That's more than I was hoping for!
@varialflip commented on GitHub (Apr 26, 2025):
Will OIDC IDP be a Pro licenced feature ?
@adrianipopescu commented on GitHub (Apr 26, 2025):
the project so far has been one of my few donated-to due to how little intrusiveness they have, hope that doesn't change
(but if they want a supporter subscription that's fully opt-in with just a heart being shown on the dash, I'm down)
@varialflip commented on GitHub (Apr 30, 2025):
If I understand the diffs correctly, it seems like OIDC will be behind a paywall (à la https://sso.tax/).
If so, I really hope there will be a homelab / selfhosted option for us
@TriasRichard commented on GitHub (May 2, 2025):
26e93ccac6
This is in the docs:
The Supporter Program is a way to support the project and remove the
support marks. It is a one time donation. No features are unlocked.
The Professional plan is a paid license that allows you to use the
software in a commercial environment that unlocks features and
Current features that are available with the Professional license:
Pangolin will always be free and open source but some features geared more to businesses will be covered under a different license than the AGPL in order to allow us to grow Pangolin.
@adrianipopescu commented on GitHub (May 2, 2025):
Automatic user importing = if a user doesn't exist previously, create it on first login?
Meaning for non-commercial use, we can manually create the users and associate them with the IdP?
@TriasRichard commented on GitHub (May 2, 2025):
It looks like that:
@oschwartz10612 commented on GitHub (May 2, 2025):
Released in 1.3.0!
@cirrusflyer commented on GitHub (May 2, 2025):
Am I able to install pocket-id on the same Pangolin VPS or do all resources need to reside on the internal network that's being accessed by Pangolin?
@oschwartz10612 commented on GitHub (May 2, 2025):
You can install it on the same VPS and use a local site to expose it from Pangolin!