wip: docs(sso): plan to route all beefcake web apps through kanidm SSO #680
What

A design/plan doc (`lib/doc/sso-plan.md`) for the security-audit SSO workstream. Doc only — no runtime changes, no nix code.

Deliverables

- `music-assistant.h.lyte.dev` — zero auth on an admin/API surface.
- `git.lyte.dev` — kanidm client exists but the OIDC source is configured by hand in Forgejo's admin UI, not in nix.
- `files.lyte.dev` / `tasks.h.lyte.dev` — public; intent needs confirming.
- `kanidm-oauth2-secrets` fetcher flow (finish forgejo; add audiobookshelf, paperless).
- `forward_auth` → a shared `oauth2-proxy` (itself a kanidm OIDC client), for apps with no OIDC — kanidm has no forward-auth endpoint. Chosen over Authelia / caddy-security and justified; slots into the same `20-oauth2.hjson` + secret-fetcher flow. Module shape + per-app opt-in sketched and option names verified against this flake's `services.oauth2-proxy` (7.15.3).
- `host-beefcake` ∈ `idm_oauth2_admins`: documents that this is create/modify over all OAuth2 clients (SSO-wide-rewrite blast radius, not just read), that kanidm exposes no read-only-secret role, and lists mitigations (dedicated `oauth-secret-reader` account, token custody + rotation runbook, a custom-ACP hardening spike).

Reference implementation

music-assistant behind the shared gate is fully specified but intentionally not shipped enabled — a working deploy needs a sops cookie secret (only Daniel can encrypt) + a live `sso-gate` client bootstrap, and can't be live-verified read-only. Shipping a half-bootstrapped oauth2-proxy would violate verify-before-merge / don't-deploy, so it's delivered as ready-to-enable code in the doc and a focused follow-up PR. Keeps this PR to one thing.

Review asks

- `files.lyte.dev` / `tasks.h.lyte.dev` intent, and leaving atuin/home-assistant on their own auth).

🤖 Generated with Claude Code
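Added example, not the flake's own code and not part of this PR: one way the "shared forward-auth gate with per-app opt-in" shape described above could look as a NixOS module. Each entry under the (hypothetical) `beefcake.ssoGate.apps` option becomes a Caddy site block that sends every request through `forward_auth` to one shared oauth2-proxy instance; a 401 from `/oauth2/auth` is turned into a redirect to the login host, and the identity headers oauth2-proxy emits are copied onto the proxied request. The option path `beefcake.ssoGate`, the login host `sso.h.lyte.dev`, the kanidm client name `sso-gate` and its issuer URL, the sops-nix secret name `oauth2-proxy/env`, the `groups` scope/claim and the upstream ports are all assumptions. The `services.oauth2-proxy` and `services.caddy` option names are the NixOS module's as recalled here, not copied from the PR, so check them against the pinned nixpkgs before enabling anything.

```nix
# Added example: hypothetical module shape for the shared forward-auth gate.
# Not the flake's own code. Assumed: option path beefcake.ssoGate, the login
# host sso.h.lyte.dev, a kanidm client named sso-gate, a sops-nix secret
# "oauth2-proxy/env" holding OAUTH2_PROXY_CLIENT_SECRET and
# OAUTH2_PROXY_COOKIE_SECRET, the "groups" scope, and the per-app upstream ports.
{ config, lib, ... }:
let
  cfg = config.beefcake.ssoGate;
  gateAddr = "127.0.0.1:4180"; # oauth2-proxy listens on loopback only; Caddy is its sole client
  t = lib.types;
in
{
  options.beefcake.ssoGate = {
    enable = lib.mkEnableOption "shared oauth2-proxy forward-auth gate";
    issuer = lib.mkOption {
      type = t.str;
      example = "https://idm.lyte.dev/oauth2/openid/sso-gate";
      description = "OIDC issuer URL of the kanidm sso-gate client (assumed name).";
    };
    cookieDomain = lib.mkOption {
      type = t.str;
      default = ".h.lyte.dev";
      description = "Parent domain shared by the login host and every gated app, so one session cookie covers all of them.";
    };
    apps = lib.mkOption {
      default = { };
      description = "Per-app opt-in: apps with no OIDC of their own, gated by host.";
      type = t.attrsOf (t.submodule {
        options = {
          host = lib.mkOption { type = t.str; example = "music-assistant.h.lyte.dev"; };
          upstream = lib.mkOption { type = t.str; example = "127.0.0.1:8095"; };
          allowedGroups = lib.mkOption {
            type = t.listOf t.str;
            default = [ ];
            description = "kanidm groups allowed through; empty means any authenticated user.";
          };
        };
      });
    };
  };

  config = lib.mkIf cfg.enable {
    services.oauth2-proxy = {
      enable = true;
      provider = "oidc";
      clientID = "sso-gate";
      # Client secret and cookie secret come from the environment file, never from the nix store.
      keyFile = config.sops.secrets."oauth2-proxy/env".path;
      httpAddress = "http://${gateAddr}";
      redirectURL = "https://sso.h.lyte.dev/oauth2/callback";
      upstream = [ "static://202" ]; # gate only: Caddy proxies the real apps
      reverseProxy = true;           # trust X-Forwarded-* (acceptable only because gateAddr is loopback)
      setXauthrequest = true;        # emit X-Auth-Request-User/Email/Groups on /oauth2/auth
      scope = "openid email profile groups"; # "groups" assumes the kanidm client maps that scope
      email.domains = [ "*" ];
      cookie = {
        domain = cfg.cookieDomain;
        secure = true;
      };
      extraConfig = {
        oidc-issuer-url = cfg.issuer;
        whitelist-domain = cfg.cookieDomain; # rd= targets must match, or /oauth2/start ignores them
        code-challenge-method = "S256";
        skip-provider-button = true;
      };
    };

    services.caddy.virtualHosts =
      {
        # Login and callback host; the session cookie it sets is scoped to cfg.cookieDomain.
        "sso.h.lyte.dev".extraConfig = "reverse_proxy ${gateAddr}";
      }
      // lib.mapAttrs' (_: app:
        let
          groupsQuery = lib.optionalString (app.allowedGroups != [ ])
            "?allowed_groups=${lib.concatStringsSep "," app.allowedGroups}";
        in
        lib.nameValuePair app.host {
          extraConfig = ''
            forward_auth ${gateAddr} {
              uri /oauth2/auth${groupsQuery}
              # Identity headers reach the app only via Caddy; the upstream must not be
              # reachable directly, or a client could forge them.
              copy_headers X-Auth-Request-User X-Auth-Request-Email X-Auth-Request-Groups
              @unauth status 401
              handle_response @unauth {
                redir https://sso.h.lyte.dev/oauth2/start?rd={scheme}://{host}{uri} 302
              }
            }
            reverse_proxy ${app.upstream}
          '';
        }) cfg.apps;
  };
}
```

With a dedicated login host, the cookie domain and `whitelist-domain` are what make the flow work across hosts: the callback on `sso.h.lyte.dev` sets a session cookie for `.h.lyte.dev`, which the browser then sends to `music-assistant.h.lyte.dev`, and `/oauth2/start` only honours an `rd=` whose host matches `whitelist-domain`. Anything that talks to a gated app without a browser session (non-browser API clients) receives the 302 instead of a 401, so whether such clients exist, and how they authenticate, needs deciding per app before it is opted in.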
Title changed from "docs(sso): plan to route all beefcake web apps through kanidm SSO" to "wip: docs(sso): plan to route all beefcake web apps through kanidm SSO".