Hello,
I know Syncthing has some options for authentication, but I think one important one is missing: OpenID Connect.
I am working with Syncthing in a team and would like to use OpenID Connect to allow access to Syncthing.
I am somewhat familiar with how the protocol works and I am also considering providing an implementation, but I have almost zero Go knowledge and little time to learn it.
Here is how I see it from a functionality point of view:
My primary OpenID Connect implementations are (in order) Keycloak, Azure AD, GitHub.
Setup Auth:
- Admin will register an OpenID Connect application - public client or private client?! (probably public for the Syncthing web UI)
- Admin will configure Syncthing to trust JWT tokens issued by the IdP
- JWT token could contain groups that Syncthing can make use of in case Authorization / permissions are implemented. As a bare minimum, Syncthing should allow access only to members of a group
Use:
- User will access Syncthing UI using browser
- Syncthing will redirect browser to IdP for auth
- IdP will redirect browser back with signed JWT token
- Browser will send token with every request to Syncthing
- Syncthing will make authentication / authorization requests based on signed token
The Syncthing authentication could work using multiple authentication engines. The first one that returns true should win. This way Syncthing could be set up with:
- plain user/pass credentials
- LDAP
- OpenID Connect
WDYT?
Eugen
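The two mechanics proposed above, an OIDC engine that trusts only JWTs signed by the IdP and admits only members of a required group, plus a chain of engines where the first one to return true wins, as an added Go example. This is not Eugen's code and not Syncthing's own implementation; the IdP key pair, the issuer URL `https://idp.example/realms/team`, the audience `syncthing-ui`, the group name `syncthing-users` and the `BasicAuth` stand-in are all constructed for the demo, and `MintToken` only plays the IdP so the example runs offline. It assumes RS256 tokens with a single string `aud` claim; a real deployment would fetch the IdP's public key from its JWKS endpoint and also handle array-valued `aud`.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"encoding/json"
	"errors"
	"net/http"
	"strings"
	"time"
)

// Authenticator is one engine; true means the request is accepted.
type Authenticator interface{ Authenticate(r *http.Request) bool }

// Chain tries each engine in order; the first one that returns true wins.
type Chain []Authenticator

func (c Chain) Authenticate(r *http.Request) bool {
	for _, a := range c {
		if a.Authenticate(r) {
			return true
		}
	}
	return false
}

// BasicAuth stands in for plain user/password login (constructed for this example, not Syncthing's code).
type BasicAuth struct{ User, Pass string }

func (b BasicAuth) Authenticate(r *http.Request) bool {
	u, p, ok := r.BasicAuth() // constant-time compare so a wrong user and a wrong password are indistinguishable
	return ok && subtle.ConstantTimeCompare([]byte(u+":"+p), []byte(b.User+":"+b.Pass)) == 1
}

// OIDC accepts a bearer JWT RS256-signed with the IdP key, issued by Issuer for Audience, unexpired, with RequiredGroup in "groups".
type OIDC struct {
	Key                             *rsa.PublicKey // IdP signing key, normally fetched from its JWKS endpoint
	Issuer, Audience, RequiredGroup string
	Now                             func() time.Time
}

type Claims struct { // subset of JWT claims checked here; "aud" is assumed to be a single string
	Iss    string   `json:"iss"`
	Aud    string   `json:"aud"`
	Exp    int64    `json:"exp"`
	Groups []string `json:"groups"`
}

var b64 = base64.RawURLEncoding

func (o OIDC) Authenticate(r *http.Request) bool {
	h := r.Header.Get("Authorization")
	return strings.HasPrefix(h, "Bearer ") && o.Verify(strings.TrimPrefix(h, "Bearer ")) == nil
}

// Verify checks the signature before trusting any claim, then issuer, audience, expiry and group.
func (o OIDC) Verify(token string) error {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return errors.New("malformed token")
	}
	var hdr struct{ Alg string `json:"alg"` }
	if raw, err := b64.DecodeString(parts[0]); err != nil || json.Unmarshal(raw, &hdr) != nil || hdr.Alg != "RS256" {
		return errors.New("header invalid or alg is not RS256") // also rejects "alg":"none" and HMAC downgrades
	}
	sig, err := b64.DecodeString(parts[2])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err != nil || rsa.VerifyPKCS1v15(o.Key, crypto.SHA256, digest[:], sig) != nil {
		return errors.New("bad signature")
	}
	var c Claims
	if raw, err := b64.DecodeString(parts[1]); err != nil || json.Unmarshal(raw, &c) != nil {
		return errors.New("malformed claims")
	}
	if c.Iss != o.Issuer || c.Aud != o.Audience || !o.Now().Before(time.Unix(c.Exp, 0)) {
		return errors.New("issuer, audience or expiry check failed")
	}
	for _, g := range c.Groups {
		if g == o.RequiredGroup {
			return nil
		}
	}
	return errors.New("not a member of " + o.RequiredGroup)
}

// MintToken plays the IdP for the demo: it signs the claims with the IdP private key.
func MintToken(key *rsa.PrivateKey, c Claims) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	body, _ := json.Marshal(c)
	signing := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(signing))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	return signing + "." + b64.EncodeToString(sig)
}
```

To wire it up, build `Chain{BasicAuth{...}, OIDC{Key: &idpKey.PublicKey, Issuer: ..., Audience: ..., RequiredGroup: "syncthing-users", Now: time.Now}}` and call `chain.Authenticate(r)` for every request to the web UI: a valid group member's bearer token is accepted, while a token for another group, an expired token, a token signed with a different key, or an unsigned `"alg":"none"` token all fall through to the next engine and are finally rejected. Verifying the signature before reading any claim, and pinning the accepted algorithm, is what makes the "trust JWT tokens issued by the IdP" step safe.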