Support for authentication servers like Authelia, Cloudflare Access, etc.

[mjocc]

Many people host paperless-ngx and other things like it behind authentication servers that require login through OAuth, TOTP apps, etc for added security. It would be great if the app could have the option to show a webview allowing the user to authenticate themselves before saving the cookies and then letting the user log into their paperless server. Apologies if this is already possible somehow, but I couldn't see any way to get it to work.

[JigSawFr]

It’s working fine with Authelia, you just need to exclude API endpoint ;)

[florianschroen]

When I understood it right, authelia does the same as goauthentik's Proxy provider.

Here the proxy server (eg traefik) cares about authentication (via forwardauth configuration) and the app (paperless*) looks at a http header containing the username.

But this not what OP requested. Oauth / open ID connect (oidc) are integrated into the app itself. Here you see the extra buttons on the login page, as you already seen in the web. (login with Google, login with Facebook,...)

For this implementation, there are pull requests in the pipeline for eg paperless-ngx. (which I tested successfully this weekend)

The ID would be to secure your apps with a login where you can add multi factors (mfa), rate limits, policies, etc.

When you simply exclude the api endpoint from this extra security barrier, you can simply save your time implementing extra security for the "normal" login. This is because an intruder will prefer an API over an interface made for humans, because api penetration is much easier to automate. And passwords can be tested against dictionaries other brute forced easily dozens of times in few seconds. When there is no limitation weak user passwords like no passwords.

For api access wo normally use relatively long api access keys and prevent the login with the normal user password.

If you like to see this in action, feel free to test with nextcloud. An app login redirects you to a web-based login (including mfa), then a api token gets generated for the app, which then used for the normal access / interaction with the service api.

This is only meant to show the security aspects. 😊

[kingp0dd]

doesn't excluding the API endpoint defeat the purpose?

[Mittlebenskrise]

I second the comment from florianschroen. Creating a bypass in Authelia for the app is fine, if you can create a unique API key that you have to enter in the app. Without this, it's an open door for intruders.

By the way, I even implemented this for my own app and it's not really a big deal.

[silversurfer98]

I've configured authelia for SSO (OIDC) in my paperless setup. While I can see the 'Sign in with Authelia' option in the browser, I'm unsure how to enable it in the paperless app (or is it not the part of app as we can see in nextcloud app). I'm relatively new to this setup, and I've partially addressed this issue by initially signing in through a browser and then updating a new password different to authelia user pass in the user settings and logged in the app. However, I know that this isn't the ideal solution. I need help regarding this issue/feature.

[xy8000]

I am facing this issue as well.
I am using Keycloak SSO. Currently there is no way to login within the app (excluding superuser).

[Zolli]

I really want to support that question. I`m just cofigured my instance to use my AUthentik IDP and it works well. The app seems to be using a direct authentication method with username password (I tried to use API key from my profile but it did not worked).

I recommend that the first solution will be to allow to use the API key as an authenticatin source, i hope this should not be hard to implemenet, then we can proceed with other ways