Use Pangolin as an Auth provider?

[r3nor]

I'd be happy if I could use the pangolin auth system as an OAuth provider for my services, this way I could just have one auth provider for everything :) is this possible?

[oschwartz10612]

I have moved this to a discussion to keep track of the feature requests here.

Yes I think this will be on our roadmap at some point soon but it is not possible right now.

[fr34kyn01535]

Pangolin shouldn't do that, there is alternatives for that, see Keycloak or Logto.io

[r3nor]

I know, I personally use Authelia for this purpose. But I do think it would be useful since, otherwise, the auth feature that pangolin has does not make much sense. I have to disable it everywhere, since, for example, for API calls or mobile apps that need to connect to my services it acts as a wall. For example, to use with Immich or Nextcloud.

If it offered the OAuth provider, Immich and Nextcloud could just authenticate via Pangolin instead of Authelia...

Another good option would be that Pangolin allowed using 3rd party Auth providers, such as Authelia or Keycloak.

[ruohki]

Id just like to be able to use one solution for this instead of patchwork. Id like to either hook up pangolin to my existing auth or replace my existing auth solution with pangolin.

[radh21301]

@r3nor I have been wondering about how to get things working with mobile apps, particularly immich. The thing is, with pangolin auth enabled, we cannot even reach the immich page where we click on 'sign into immich with oauth' or something. Then I wonder, how would having pangolin as an oauth provider work?

[miloschwartz]

@radh21301 Yes it would. In the mean time you could either disable Pangolin auth or set Immich proxy headers. You can get the access tokens for the headers by generating a share link.

[wjbeckett]

I'd love this feature. Being able to use Pagnolin as the OAuth provider would tie the SSO integration a little closer as mentioned above. I have to disable Pangolin auth for most services like Immich/Nextcloud, etc but if Pangolin WAS the auth provider too then this could be a lot more seamless.

[Re4mstr]

This would be amazing, I have no issues using authentik, but this would greatly simplify my stacks. It's the only feature I miss, after using it for a couple of days, replacing both authentik and npm.

[cantchooseaname8]

Agree, this would be absolutely great. I ditched npm/authentik and moved fully to pangolin. I was using authentik with oidc for several sevices. Now I'm having to log into pangolin and then log into each service again. Not a big deal for now, but adding this into pangolin will streamline everything much better and reduce the need for running another service just for this purpose. It will also actually make use of pangolin's sso since now it's somewhat pointless if we would have to disable it everywhere and use another idp to handle it instead.

[shaftspanner]

I'm after a simple SSO solution. There are some apps I use (e.g. Sonarr) where I'm quite happy to disable the built in security and rely on tunneling through Pangolin and the Pangolin login. There are other, more sensitive apps I use (immich / paperlessNGX) where I don't want them anywhere near the internet unless I'm confident of the security. These more sensitive apps are capable of using OAuth, so this is my upvote for that simple solution.
Personally, I'd rather use Pangolin as an all-in-one solution rather than having to setup Authentik / Authelia as well

[woutervanelten]

my up-vote for Pangolin as SSO/Auth provider!

[sgayda2]

Is it possible to use an external provider like authentik for pangolin itself and then pass that auth down to the hidden service? Having authentik hosted behind the tunnel as well? Or would something akin to a plugin within pangolin be a better model for this? I agree with folks here that having a single sign on for all the services is better, and i also agree that forcing pangolin to build out every feature that someone might want in their auth provider may be too much. So a middle ground might be as i was describing above, external auth for both pangloin and other services, hosted all within the private network?

Sorry if this does not make sense, i am still learning how all this stuff works

[fschrempf]

To me it does make sense. I'm already running Keycloak as an IdP for some services like OpenCloud or Immich. I would really like to see Pangolin using that IdP as authentication backend via OIDC.

Making Pangolin itself an IdP could lead to reinventing the wheel and doing authentication right is tough. Better leave that task to those who already know how to do it like Keycloak, Authelia, Authentik, etc.. Running a separate IdP service alongside Pangolin is not that hard and a lot of services already have documentation and examples for those IdPs which makes it much easier to set up.

[fschrempf]

Oops, just found out that my Pangolin version was too old and this feature is already available. ;)

[chiqors]

This is amazing idea! I don't mind if i repalce my zitadel IdP for this! This will be much simpler than hosting another IdP solution, I don't care even if this just basic, as long as it has oauth 2.0 with code/pkce

[StefanSa]

Yes, that would be a really important addition and would enhance Pangolin even more.