[Feature Request] Support for SSO #177
Comments
Hey Filip, can you add some detail to how authentication works in your case? AFAIK, there's no official support for SSO with Paperless, so there's not the "one" way in which SSO would work. Different users will have different setups, even using different proxies, so I don't think there's a way to reliably determine the SSO configuration. A button "Log in with identity provider" is probably not going to work. Paperparrot already offers to add additional headers with each request. You might be able to use these to authenticate with your proxy.
Hey Leo - thanks for quick response!
I guess that there are many services on the market - the question is whether we are able to adapt in some simple way to the existence of such a way of logging in, without the need for various additional headers. I noticed, of course, a rather interesting problem when discussing contributors to the implementation of OAuth2 - and currently the lack of support for it.
I'm using OAuth2-proxy instead of Authentik on my setup in front of paperless-ngx. At this point, paperparrot no longer works with it. I found the app Less Paper in the App Store and it seems to at least get the redirect to Google and then display an additional web window where the OAuth2-proxy flow is displayed. Unfortunately, I haven't gotten any further yet, as my configuration of the OAuth2 proxy is still fresh and Google doesn't yet know my redirect URI. However, I would then assume that the session cookie, which oauth2-proxy would also store in the browser, would be made known to the app and thus the OAuth2-proxy would be skipped and normal authentication with Paperless would work. I can send you a corresponding screencast by e-mail. The feature is also important for me because I want to connect Paperparrot to a publicly accessible Paperless instance. However, this should at least be secured via 2FA. Paperless does not offer this function, so I always use OAuth2-proxy for this. And the previous speaker certainly has the same motivation and therefore uses Authentik.
Hey Leo, I have sent you a screencast with a working login in "Less Paper". I assume now the web session cookie is stored internally in the application and the "normal" Paperless authentication workflow is working. This would be a great improvement aka feature request and I would heavily vote for it :-)
I totally get why this is important, but I don't know how to implement this. Different auth proxies will behave very differently in regards to authentication. Using cookies for auth is very tricky, as those usually are rather short-lived compared to something like an auth token. You should be able to access an instance behind Authentik and other proxies by authenticating with them via headers. I can't help you with this though. @JimTim where did you send the screencast?
Never mind, I have now sent you the screencast to contact@paperparrot.me. Please use this video privately :-)
Thanks, I've already deleted the mail ;) I'll see what I can do. Might take a while though, I'm due for exams in the next couple of weeks.
Maybe you could reach out to the developer behind Less Paper. I have found a discussion which references Less Paper and its developer: paperless-ngx/paperless-ngx#4553
Would also highly appreciate SSO capabilities / support for forward-auth :).
Hello, I noticed that for the upcoming release there is an implementation of single sign-on (OIDC) - so will it be possible to count on adapting this in the application (after the documentation is published and it is implemented for use)?
Looks great. I can't promise anything, but something that's properly integrated with Paperless is definitely a lot easier to work with than the multitude of possible configurations with 3rd party auth.
If all goes well, for my part I can assure you of creating a tutorial for my blog on how to configure Paperless to work with your application.
The commit has been merged into the dev branch - paperless-ngx/paperless-ngx@c508be6
It was officially released with 2.5.0:
I've set this up on my test instance and am seeing what I can do. I've never implemented OIDC before and it is a rather complex process. Paperparrot currently uses individual URLSessions for different requests, which will probably cause issues with the cookies needed to authenticate.
@LeoKlaus Firstly, I just want to say thank you for your work! I understand this is a project you've invested yourself in, and your passion shows. Understanding this surely isn't the only demand on your time (not to mention, you owe us nothing and have already freely given us all an app which makes our lives simpler while asking nothing in return!), I just wanted to share my .02 as far as justification for this RFE, if at any point you find you've both the time and inclination to dig into it any further: I don't want to attempt to speak too broadly for others, but for myself at least, the more time I'd invested in self-hosting, the more time I spent evangelizing to my family (well, offering... in the event they were struggling with commercial options or had privacy concerns over xyz, etc.). And as this all grew, it pretty quickly became apparent that at least some kind of centralized account management was a necessity. My wife and I both use all our local services, my parents and in-laws are both on the media server and use our Bitwarden instance, nephews have their game server they play with, and so on... And after showing them how easy it was for me to collect my tax paperwork this year, now my parents have bit the bullet and bought a dedicated scanner to start feeding Paperless as well. I use Authentik, but nearly all (maybe "actually all", but that seems over-broad lol) SSO providers support OIDC, so implementing support for it would make this app compatible with a myriad of auth providers. Of course there's the additional benefit of fully supporting current deployments, regardless of config - as long as the server supports (x), so does PaperParrot 🥳 Regardless of if/when you decide to take this on, you've already built a stellar application, one that anyone would be proud to show in their portfolio. Hope the exams went well!!
Hey @LeoKlaus, as you also implemented OIDC login in your other application Plappa, would it be possible to port this feature over to Paperparrot?
It doesn't. I've tried. I'm assuming that the OIDC implementation in Paperless only allows for callbacks to the instance URL, but I haven't checked that yet. If you find any documentation on the OIDC process in Paperless, I'd happily try my hand.
I did search for a while but did not find anything useful... As Paperless runs on Django in the backend, I also found this issue; maybe that could be a hint for you to find out how this system works?
Thank you for the suggestion @joestump! This should work for all proxy providers, Paperparrot exclusively queries the /api/ path.
Looking for this feature as well. I need to create a secondary user just for the application.
I would also be interested in the implementation of OIDC in paperparrot. I use Keycloak to authenticate my users. I don't use the proxy provider integration because it comes with some caveats I don't have if I use natively implemented OIDC. One tip for the other guys here: you can go to the Django administration and create a token for your users. Afterwards they can log in to the app via token login! I think that's a nice workaround while the SSO login isn't implemented!
Thank you for your input @Atomique. The issue I'm facing with third-party SSO providers is that the implementation for the login can differ, and I don't think there is one provider that is used by the majority of self-hosters. The token is also visible to users in the WebUI of Paperless: just click on your name in the top right and then "My profile".
Describe the bug
The application does not allow you to log in to the Paperless server using the Authentik single sign-on system.
Additional context
Is there any possibility or opportunity to change this issue to a feature request so that there is a possibility to use it together with SSO?