#kanidm — Public Fediverse posts
Live and recent posts from across the Fediverse tagged #kanidm, aggregated by home.social.
-
IMPORTANT: #Kanidm has released 1.9.4 and 1.10.2 that resolve a CRITICAL security issue. This issue allows any authenticated user to elevate privileges to idm_admin/admin. Details: https://github.com/kanidm/kanidm/security/advisories/GHSA-xxwr-vvr3-2g9f
-
On Thursday 14th of May, at 07:00 UTC (17:00 AEST, 9:00 CEST) #Kanidm will be releasing a security update containing a CRITICAL security fix. All users should be ready to upgrade!
-
@viq interesting... #KaniDM is new for me. I was thinking to deploy #authelia in my #Selfhosting environment. I'll read more about it. Thanks
-
Be me.
Make a typo `pcke` instead of `pkce` in your NixOS config for headscale.
Config does not get spellchecked, just converted to yml.
Kanidm does not receive the PKCE challenge.
Fight for hours over 4 weeks to finally decide to open the generated yml. GG.
-
I proposed something for #kanidm which a reviewer described as "what if CSRF tokens but they hurt to touch"
-
Finally got Forgejo running on Kubernetes with single-sign-on based on Kanidm!
Took me one day of work, which I'm not sure if it's a good or a bad thing…
-
ClaimMaps in Kanidm on NixOS fixed.
Now paperless-ngx and wiki-js can read user groups/roles over OIDC. The trick was to use `_` instead of `-` in the naming scheme.
-
kanidm seems to be a cool project
managed to deploy it pretty quickly and without any issues
(and also found out that i never set a pin on my yubikey in the process for firefox reasons)
-
commands for kanidm + bookstack
kanidm create group bookstack_admin
kanidm system oauth2 create-claim-map bookstack bookstack_roles bookstack_admin admin
kanidm system oauth2 update-scope-map bookstack bookstack_users email groups openid profile bookstack_roles
kanidm group add-members bookstack_admin stelb
Environment for bookstack:
OIDC_USER_TO_GROUPS=true
OIDC_GROUPS_CLAIM=bookstack_roles
OIDC_REMOVE_FROM_GROUPS=true
-
I did this for bookstack with kanidm
Given the oauth2 app is 'bookstack':
map claims (roles in bookstack, say admin)
to scopes and groups in IAM, e.g. bookstack_roles and bookstack_admin
add the scope to the oauth2 application
assign users to these groups as needed.
configure app which scope to use for roles
-
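The two posts above describe the same wiring: a Kanidm group (bookstack_admin) is mapped via a claim map onto a value (admin) of a custom claim (bookstack_roles), and BookStack is told which claim to read and whether to revoke roles that the claim no longer lists. The following is an added illustration, not Kanidm's or BookStack's code: a simplified Python model of that flow, with a wiring check that catches the kind of mismatch between the claim name in the IdP and the claim name in the app config that makes role mapping silently stop working. The class and function names are this example's own, and the group and claim names are taken from the commands in the post.

```python
"""Simplified model of a Kanidm-style OAuth2 claim map feeding an app's
OIDC group sync. Added illustration only; it assumes the claim-map
semantics 'member of group -> claim carries value' and is not a copy
of Kanidm's or BookStack's implementation."""
from dataclasses import dataclass


@dataclass(frozen=True)
class ClaimMap:
    """One claim-map entry, mirroring
    `kanidm system oauth2 create-claim-map <client> <claim> <group> <value...>`."""
    claim_name: str        # e.g. "bookstack_roles"
    group: str             # Kanidm group whose members get the values
    values: tuple          # claim values granted to members of that group


def build_claims(user_groups, claim_maps):
    """Return the custom claims a token for this user would carry.

    A claim only appears when the user is in at least one mapped group;
    values from several groups onto the same claim are merged in order.
    """
    claims = {}
    for cm in claim_maps:
        if cm.group in user_groups:
            bucket = claims.setdefault(cm.claim_name, [])
            for v in cm.values:
                if v not in bucket:
                    bucket.append(v)
    return claims


def sync_app_roles(token_claims, groups_claim, current_roles, remove_from_groups):
    """Model OIDC_USER_TO_GROUPS=true with OIDC_GROUPS_CLAIM=<groups_claim>.

    Roles present in the claim are granted. With remove_from_groups set
    (OIDC_REMOVE_FROM_GROUPS=true) the claim is authoritative and roles it
    does not list are revoked; otherwise existing roles are kept.
    """
    claimed = set(token_claims.get(groups_claim, []))
    if remove_from_groups:
        return claimed
    return set(current_roles) | claimed


def check_claim_wiring(claim_maps, app_groups_claim):
    """True when the app reads a claim name that some claim map actually
    emits. A typo such as 'bookstack-roles' vs 'bookstack_roles' fails here
    instead of surfacing as every user losing their roles on next login."""
    return app_groups_claim in {cm.claim_name for cm in claim_maps}


# Constructed sample matching the commands in the post.
CLAIM_MAPS = (
    ClaimMap("bookstack_roles", "bookstack_admin", ("admin",)),
)


def example():
    """Walk one admin user and one plain user through the model."""
    admin_claims = build_claims({"bookstack_users", "bookstack_admin"}, CLAIM_MAPS)
    plain_claims = build_claims({"bookstack_users"}, CLAIM_MAPS)
    # Claim-authoritative sync: admin keeps admin, a stale 'editor' is dropped.
    admin_roles = sync_app_roles(admin_claims, "bookstack_roles", {"editor"}, True)
    plain_roles = sync_app_roles(plain_claims, "bookstack_roles", {"editor"}, True)
    return admin_claims, plain_claims, admin_roles, plain_roles


if __name__ == "__main__":
    print(example())
    print("wiring ok:", check_claim_wiring(CLAIM_MAPS, "bookstack_roles"))
    print("wiring ok:", check_claim_wiring(CLAIM_MAPS, "bookstack-roles"))
```

The wiring check is the part worth keeping: with OIDC_REMOVE_FROM_GROUPS=true, a claim name that does not match what the IdP emits does not fail loudly, it just returns an empty role set and strips everyone, which looks like "both roles stopped working" rather than like a typo.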
Ok, first time I tried to use a custom scope to map oauth2 users to application specific roles.
Followed some sample and I just replaced names.
Working with one role.. adding another. Both roles not working anymore.
Reading more theory about scopes and claims did help to understand (oh well 🙈)
It's actually not that complicated 🤓
Both roles working now. Writing up some docs and adding another 2 roles is planned for tomorrow.
#oauth2 #idm #kanidm
-
Ah, you got to love that sometimes SSO callback URIs have a trailing slash and sometimes they don't. And no, i did absolutely not search for the error 45 minutes straight.
By the way, did anybody set up claimMaps for kanidm in NixOS yet? I am too sleepy right now and i think i am reading it wrong.
https://search.nixos.org/options?channel=25.11&query=services.kanidm&show=services.kanidm.provision.systems.oauth2.<name>.claimMaps.<name>.valuesByGroup
-
Kanidm PAM authorizations are so nice.
I cannot decide if i want to maintain users on my servers etc. via Nix as i used to or extend it by kanidm. Rotating keys and granting/revoking authorizations is just so nice with kanidm.
I also found out that - with a client installed on my main machine - i can just login to the remote instance by `kanidm login` and use my yubikey locally and then do admin stuff without sshing to the server. Awesome.
-
About half a year ago I installed https://github.com/Tricked-dev/kanidm-oauth2-manager
Just to replace my shell script to setup oauth2 for my services with kanidm.
Now I pulled the image again and.. it's
"Kanidm Management Console" 😃
With UI added for users and groups too.
I do prefer automation so I do like full cli management. But sometimes a UI is nice too :)
#kanidm #idm #ui
-
Only on some rare occasions i log into Shithub, because some projects are either too big for codeberg (looking at you, NixOS) or too corporate? (kanidm).
I hope this will be the last time this year.
-
Turned on SSO for vaultwarden.
I forgot that the passkey for SSO was in vaultwarden only. Shot myself in the foot. Fixable, but I simply forgot that 😅
I have added hw keys too now ;)
#vaultwarden #sso #kanidm #fail
-
@firstyear thank youuuu :3
Yea I wanna look into #kanidm soon;
Currently have #Zitadel deployed. Once I find time for that, ig :neocat_laptop:
-
2nd day #vibecoding - looking good. #kanidm #openai #codex
-
I even managed to turn it into a reusable snippet, again so I can have different services each with different oauth2 client ids and secrets.
I also managed to fix the problem of caddy blocking (read: crashing) on kanidm, by adding the delay_start.
Interestingly, caddy automatically allows interpolation like `kanidm_{args[0]}` becoming `kanidm_test-app`.
-
This was a very useful blog post.
caddy-security frankly has really difficult-to-use docs, and kanidm is sometimes a bit different from other auth providers in its approach.
I've managed to replace oauth2-proxy, and this should be able to give different services different client ids/secrets.
-
Blerged again.
Setting up Kubernetes login using Kanidm+Oauth2/OIDC
-