
SSO is really important in the "few tools, many users" case, but just as important in the "many tools, few users" case. I'm self hosting dozens of tools, and without SSO I'd have to set up username, password, TOTP and WebAuthn for each and every one of them, my 2FA app would be 90% my own services.

With SSO though, it's much simpler. I can just run an OIDC server and log into all my self-hosted services once, and I can use all of them. Vaultwarden is an exception to the rule though, as you can't really bootstrap that in the individual case.

Another use case I'm currently exploring is for sharing netflix/prime/disney+ passwords with roommates, partners and friends. They just sign in with their Google/Apple/whatever account and get access to the shared streaming provider passwords.



What's your (OSS?) OIDC server of choice?

Authelia? Authentik? Keycloak? (These are the three I see a lot about.) Something else?


Pocket ID[1] is what I use, and I cannot recommend it enough. It's an incredible project.

[1] https://pocket-id.org


Love pocket-id. Do you use oauth2-proxy with it? How did you set up oauth2-proxy to work with multiple apps?


I used to use oauth2-proxy with PocketID, but migrated to caddy-security for stuff that doesn't directly support OIDC as part of a general move to Caddy. It's nice not needing the sidecar container, though the docs for caddy-security are a bit confusing and I still find Caddy's whole approach to plugins a bit... odd. It does give you quite a lot of flexibility once you figure it out, and I think it was worthwhile after the initial learning period.


I've dabbled in oauth2-proxy but I'm not running it currently. I recall my go-to was launching one instance per remote I wanted to target.


Yeah, that's hard to scale when you have lots of services. For now, I am running multiple oauth2-proxy instances and assigning user groups in pocket-id. How do you deal with apps not having native OIDC support?
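The per-app-instance setup discussed above can be collapsed into a single oauth2-proxy behind Caddy's forward_auth, with the group check moved into the auth request. The Caddyfile below is an added example, not code from any commenter or from the oauth2-proxy or Pocket ID projects. Hostnames (wiki.home.example, grafana.home.example), backend addresses (wiki:3000, grafana:3000, oauth2-proxy:4180) and the group names (wiki-users, grafana-admins) are assumptions; the 202/401/403 behaviour of /oauth2/auth with the allowed_groups query parameter is taken from oauth2-proxy's documented auth endpoint and should be confirmed against the version you run.

```caddyfile
# Added example (not the page's or any project's own config).
# Assumed names: oauth2-proxy reachable at oauth2-proxy:4180, backends at
# wiki:3000 and grafana:3000, Pocket ID groups "wiki-users" and "grafana-admins".

(oidc_guard) {
	# The OIDC login flow and callback are served by oauth2-proxy itself, so
	# every protected host forwards /oauth2/* to it unconditionally.
	reverse_proxy /oauth2/* oauth2-proxy:4180 {
		header_up X-Real-IP {remote_host}
		header_up X-Forwarded-Uri {uri}
	}

	# Everything else is gated. Caddy sends a subrequest to /oauth2/auth; the
	# allowed_groups query parameter ({args[0]} is the group passed to the
	# snippet) makes oauth2-proxy check group membership per host, not just
	# "has a valid session". 202 lets the original request through.
	forward_auth oauth2-proxy:4180 {
		uri /oauth2/auth?allowed_groups={args[0]}
		header_up X-Real-IP {remote_host}
		# Identity headers handed to the backend. Only trust them if the
		# backend is reachable solely through this proxy.
		copy_headers X-Auth-Request-User X-Auth-Request-Email X-Auth-Request-Groups

		# No session: send the user to sign in and return them here afterwards.
		@unauth status 401
		handle_response @unauth {
			redir * /oauth2/sign_in?rd={scheme}://{host}{uri}
		}
		# Valid session but not in the required group: deny instead of
		# redirecting, otherwise the user loops through sign-in forever.
		@forbidden status 403
		handle_response @forbidden {
			respond "forbidden: not a member of {args[0]}" 403
		}
	}
}

wiki.home.example {
	import oidc_guard wiki-users
	reverse_proxy wiki:3000
}

grafana.home.example {
	import oidc_guard grafana-admins
	reverse_proxy grafana:3000
}
```

For this to work with one oauth2-proxy across several hosts, it has to be started (assumed flags, check your version's names) with --provider=oidc and --oidc-issuer-url pointing at Pocket ID, --reverse-proxy=true and --set-xauthrequest=true so the X-Auth-Request-* headers are emitted, a --cookie-domain and --whitelist-domain covering the parent domain (here .home.example) so one session cookie is valid for every app and the rd= redirect is accepted, and a groups claim in the ID token (a groups scope plus --oidc-groups-claim=groups, assuming Pocket ID exposes groups that way). Because the session cookie is shared across the domain, authorization lives entirely in the allowed_groups check per host; the backends themselves must not be reachable except through Caddy, or the copied identity headers can be forged.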


Adding another +1 to Pocket ID. I looked at a couple of the ones you mentioned but they looked too heavy and complex for what I wanted. Pocket ID does one thing and does it well.


I've used Authelia for a few years and it's great. It does exactly what I need/want. Not more, not less. It's also never failed me.


For self hosting, PocketID is about as easy to set up and maintain as it gets.


I use Authelia backed by lldap. Really like it so far


Can recommend Kanidm


Kanidm made a weird decision that ruled it out in one big organisation I tried to deploy it in: a separate RADIUS password. For a telco that's half its use cases, and there is a separate random password. The whole network engineering department was like WTF? You can't have a single password, which is one of the important reasons to have SSO.


Mine is zitadel



