Authelia on Proxmox - 2FA SSO with Nextcloud, Proxmox, Portainer Gitea OpenID Connect Single Sign On

  • Published 26 Sep 2024

COMMENTS • 41

  • @OneMarcFifty
    @OneMarcFifty  1 year ago +10

    Correction: In the video I say that the container needs to be privileged. That’s not true. I am running it in an unprivileged container with no issues. Let me know your findings.

  • @mattmcmahon4240
    @mattmcmahon4240 1 year ago +5

    This guy has such a nice personality it’s so great when he makes a new video. Also the subject matter is interesting too.

    • @OneMarcFifty
      @OneMarcFifty  1 year ago

      Oh, that's so kind of you - thank you very much!

  • @goglea
    @goglea 1 year ago +8

    Content like this is what we are all craving for 😅
    Brilliant video, thank you very much for your efforts

  • @PeterBatah
    @PeterBatah 10 months ago

    In my quest to learn more about Authelia I have watched a multitude of YT videos. This presentation is by far one of the better ones. However, it is still a little advanced for me. Thank you for sharing your time and expertise with us. Much appreciated.

  • @edwardvanhazendonk
    @edwardvanhazendonk 1 year ago +2

    Wow, this is awesome, thanks for sharing and combining all info available.

  • @ktoMod
    @ktoMod 1 year ago

    You just saved my day (or week, or month). Amazing, super clear. Added 2FA to NextCloud, Proxmox, Proxmox Backup Server and all my portainers. Super!

  • @LampJustin
    @LampJustin 1 year ago +1

    Awesome one Marc! Just enabled OIDC login into Kubernetes clusters provisioned by our KaaS platform. We use Keycloak, but Authelia is great, too! I just love the protocol, SSO all the things!

    • @OneMarcFifty
      @OneMarcFifty  1 year ago +1

      Many thanks - and - I totally agree ;-) When I started with my first authentication project, I used a simple TOTP plugin to ask for a second factor before crossing VLAN boundaries. I had evaluated Authelia but it didn't do OIDC at the time. It did take me some time however to get to grips with everything. Many thanks for sharing!

    • @LampJustin
      @LampJustin 1 year ago +1

      @OneMarcFifty yeah, OIDC isn't easy to get started with... But once you understand those JWT tokens, by decoding them and seeing all those claims neatly put in a JSON array, it really started to make sense for me.
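The decoding step described in the reply above, followed by the checks a relying party has to do before it may trust those claims. This is an added example and not code from the video or from Authelia; the issuer URL, client id, shared secret and the HS256 algorithm are assumptions made so that it runs offline with the Python standard library (real OpenID Connect providers normally sign ID tokens with RS256 and publish the key via JWKS).

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# Constructed sample values standing in for an Authelia-style OpenID Connect
# provider and one relying party. Issuer, client id and secret are assumptions
# for this example, not values from the video.
SECRET = b"example-shared-secret-not-for-production"
ISSUER = "https://auth.example.com"
CLIENT_ID = "nextcloud"


def b64url_encode(data: bytes) -> str:
    """JWT segments are base64url without '=' padding."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    """Restore the dropped padding before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def mint_id_token(claims: dict) -> str:
    """Produce an HS256-signed JWT so the example has a token to inspect.
    HS256 keeps the demo offline; production ID tokens are usually RS256."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def decode_unverified(token: str) -> Tuple[dict, dict]:
    """The inspection step the comment describes: split the three dot-separated
    segments and decode header and payload. No trust is established here."""
    header_b64, payload_b64, _sig_b64 = token.split(".")
    return (
        json.loads(b64url_decode(header_b64)),
        json.loads(b64url_decode(payload_b64)),
    )


def verify_id_token(token: str, expected_nonce: str, now: Optional[float] = None) -> dict:
    """What a relying party must check before acting on the claims: signature,
    issuer, audience, expiry, and the nonce it sent in the authorization
    request (which ties the token to this particular login attempt)."""
    now = time.time() if now is None else now
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm: never let the token's own header choose it.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg %r" % header.get("alg"))
    expected_sig = hmac.new(
        SECRET, (header_b64 + "." + payload_b64).encode(), hashlib.sha256
    ).digest()
    if not hmac.compare_digest(expected_sig, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if CLIENT_ID not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token not issued for this client")
    if now >= float(claims.get("exp", 0)):
        raise ValueError("token expired")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch")
    return claims


if __name__ == "__main__":
    sample = {"iss": ISSUER, "aud": CLIENT_ID, "sub": "marc",
              "iat": 1700000000, "exp": 1700003600, "nonce": "n-1"}
    tok = mint_id_token(sample)
    print(json.dumps(decode_unverified(tok), indent=2))
    print(verify_id_token(tok, "n-1", now=1700000100)["sub"])
```

The point of the split between `decode_unverified` and `verify_id_token` is that the readable claims tell you nothing about who produced them: only after the signature, `iss`, `aud`, `exp` and `nonce` checks pass may the application map `sub` to a local account.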

  • @pedrolourenco8565
    @pedrolourenco8565 6 months ago

    Thank you very much for your video, Marc! Super clear info!

  • @JavierPerez-fq2fi
    @JavierPerez-fq2fi 1 year ago +1

    Amazing video Marc! thank you so much for sharing such great content like this.

  • @ukaszs5021
    @ukaszs5021 1 year ago +2

    Thank you Marc!

  • @abdullahX001
    @abdullahX001 1 year ago

    Subscribed... such a pleasant presenter!

  • @RedVelocityTV
    @RedVelocityTV 8 months ago

    This was such a professional class video

  • @diogomild
    @diogomild 1 year ago +1

    Very nice and thorough, thank you very much!!

    • @OneMarcFifty
      @OneMarcFifty  1 year ago

      Hi Diogo, you are welcome - I am glad you liked it ;-)

  • @alexs5588
    @alexs5588 1 year ago +1

    What a great information video, thank you! Would you ever consider creating a video regarding logging information in OpenWRT? Or, perhaps a video breaking-down DNSMASQ in OpenWRT? Thank you again.

    • @OneMarcFifty
      @OneMarcFifty  1 year ago +1

      Great suggestion! You mean a syslog server, right?

    • @alexs5588
      @alexs5588 1 year ago

      @OneMarcFifty yes, a syslog server. Thanks for all of your content

    • @Fulcanelli88
      @Fulcanelli88 1 year ago

      @alexs5588 Logs & FOSS ... and how far the smokey gun ended?
      Winreg2

  • @lohphat
    @lohphat 1 year ago +6

    What about stolen browser sessions similar to what took down the Linus Tech Tips YouTube channel? Once elevated session cookies were stolen by a trojan, YT doesn’t have an “invalidate all active sessions” to deauthorize the auth credentials.

    • @OneMarcFifty
      @OneMarcFifty  1 year ago +7

      Great question! I have been thinking about making a video on that issue for a while now. Essentially for good security you need to take the 3 P's into consideration: Products, Processes and People. I would add a 4th one here: Providers. Certainly people need to be educated (close your browser sessions before doing e-mail, delete your cookies etc.), Products need to answer the requirements (Avoid cross-app storage access, e.g. AppArmor or SELinux are answers for that). But the Providers need to do their homework as well. Like Linus said in his video - if someone wants to delete 100 or 1000 videos, asking for an OK would be acceptable ;-) Or if a session jumps from Germany to the US or anywhere else, then re-requesting auth should be OK. 2FA or SSO alone will NOT save you - also taking into consideration that you can reset a password or 2nd Factor over e-mail - whoever controls your e-mail account can register freely. Sorry - long answer - but you are so spot on with your comment. There is a lot of misunderstanding in the 2FA area ;-) Many thanks for your question !
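The two provider-side controls the reply above asks for, "invalidate all active sessions" and re-authentication when a session jumps country, as an added example in Python. This is not code from the video or from any of the products mentioned; the session-table shape, the per-user generation counter, the country codes and the eight-hour lifetime are all assumptions made for the demo. The generation-counter pattern is what makes a stolen cookie useless the moment the owner presses "log out everywhere", without the server having to know which device the thief is on.

```python
import secrets
from dataclasses import dataclass, field
from typing import Dict

# Constructed example: a server-side session table with a per-user
# "generation" number. "Log out everywhere" bumps the user's generation, so
# every cookie issued before it (including one lifted by malware from another
# machine) is refused on its next use. A change of country on a live session
# is treated as a step-up trigger: the session is kept, but the second factor
# must be presented again before it is usable. Country codes and the 8-hour
# lifetime are arbitrary demo values.


@dataclass
class Session:
    user: str
    generation: int
    country: str
    created: float
    reauth_required: bool = False


@dataclass
class SessionStore:
    sessions: Dict[str, Session] = field(default_factory=dict)
    user_generation: Dict[str, int] = field(default_factory=dict)

    def login(self, user: str, country: str, now: float) -> str:
        """Issue a new opaque session id bound to the user's current generation."""
        gen = self.user_generation.setdefault(user, 1)
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = Session(user, gen, country, now)
        return sid

    def logout_everywhere(self, user: str) -> None:
        """Revoke all of the user's sessions at once, wherever the cookies live."""
        self.user_generation[user] = self.user_generation.get(user, 1) + 1

    def check(self, sid: str, country: str, now: float, max_age: float = 8 * 3600) -> str:
        """Decide what the presented cookie is worth on this request."""
        s = self.sessions.get(sid)
        if s is None:
            return "invalid"
        if s.generation != self.user_generation.get(s.user):
            # Minted before the last "log out everywhere": drop it.
            del self.sessions[sid]
            return "revoked"
        if now - s.created > max_age:
            del self.sessions[sid]
            return "expired"
        if country != s.country:
            # The session "jumped" to another country: demand re-authentication
            # instead of silently carrying a possibly stolen cookie across.
            s.reauth_required = True
            return "step_up"
        return "step_up" if s.reauth_required else "ok"

    def complete_step_up(self, sid: str, country: str) -> None:
        """Called after the user has successfully re-presented the second factor."""
        s = self.sessions[sid]
        s.reauth_required = False
        s.country = country


if __name__ == "__main__":
    store = SessionStore()
    sid = store.login("marc", "DE", 1_700_000_000.0)
    print(store.check(sid, "DE", 1_700_000_060.0))   # ok
    print(store.check(sid, "US", 1_700_000_120.0))   # step_up
    store.logout_everywhere("marc")
    print(store.check(sid, "DE", 1_700_000_180.0))   # revoked
```

Note that the step-up state is recorded on the session itself, so once a cookie has been seen from the wrong country it stays locked even when it is replayed from the original country again; only a successful second-factor prompt (`complete_step_up`) clears it.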

  • @skippyman
    @skippyman 1 month ago

    very helpful

  • @yashkalavadia3792
    @yashkalavadia3792 1 year ago

    Good video, helped a lot. Still have one question: I have Xen Orchestra, which supports OIDC and works as a relying party. How do I configure this? Any expert here?

  • @jacobhenriksen2324
    @jacobhenriksen2324 4 months ago

    If I already have an nginx reverse proxy in my network, do I want to use that one instead or stick to the nginx server in the container?

  • @achraf3310
    @achraf3310 10 months ago

    Using MobaXterm makes editing the YAML config file easier, because you have SFTP and SSH at the same time... in other words, it's a life saver!

  • @pbvdven2
    @pbvdven2 1 year ago +1

    Thanks for the video. Can I ask you a question? Did you consider Authentik, and if so, why did you prefer Authelia?

    • @OneMarcFifty
      @OneMarcFifty  1 year ago

      Not yet. I used authelia because I had examined it in the past and wanted to try the OpenID integration. I will have a look at authentik at some point in time though, especially w/r to the broader protocol support (SAML etc.). Are you using authentik?

    • @pbvdven2
      @pbvdven2 1 year ago +1

      @OneMarcFifty yes, I just recently switched from Authelia to Authentik because of the broader protocol support. I wanted it mainly for Jellyfin and Calibre-Web, because it supported LDAP in combination with OpenID. And it supports user sign-up, and users can easily manage their own accounts, 2FA devices and OAuth connections to other providers like Plex or Google.

  • @lil_fix
    @lil_fix 1 year ago

    awesome thanks

  • @verygoodbrother
    @verygoodbrother 1 year ago

    Could you do the same for jellyfin? Especially so that we don't have to login twice.

  • @littlenewton6
    @littlenewton6 1 year ago

    Excellent! As someone not familiar with the web, this video taught me a lot! I will spend more time on OAuth and HTTP header usage. Thank you, Mr. Marc.

  • @neilcresswell6539
    @neilcresswell6539 1 year ago +1

    Awesome, loved this. Neil@Portainer.