#oidc


Release notes for v25.03.1 of Malcolm, a powerful, easily deployable network traffic analysis tool suite for network security monitoring

This has been a busy month for Malcolm! I pushed hard to get v25.03.0 out earlier this month, as it contained pretty much just the Keycloak integration one of our partners (and major funding sources) was waiting for. Rather than wait until April for the other stuff that would have gone into the regular end-of-the-month release, I decided to pull those items into this smaller release just a week and a half after the last one.

Malcolm v25.03.1 contains a few enhancements, bug fixes, and several component version updates, including one that addresses a CVE that may affect Hedgehog Linux Kiosk mode and Malcolm's API container.

NOTE: If you have not already upgraded to v25.03.0, read the notes for v25.02.0 and v25.03.0 and follow the Read Before Upgrading instructions on those releases.

Changes in this release

  • ✨ Features and enhancements
    • Incorporate new S7comm device identification log, s7comm_known_devices.log (#622)
    • Display current PCAP, Zeek, and Suricata capture results in Hedgehog Linux Kiosk mode (#566)
    • Keycloak authentication: configurable group or role membership restrictions for login (#633) (see Requiring user groups and realm roles)
    • Mark newly-discovered and uninventoried devices in logs during NetBox enrichment (#573)
    • Added "Apply recommended system tweaks automatically without asking for confirmation?" question to install.py to allow the user to accept changes to sysctl.conf, grub kernel parameters, etc., without having to answer "yes" to each one.
  • ✅ Component version updates
  • 🐛 Bug fixes
    • Fix install.py error when answering yes to "Pull Malcolm images?" with podman (#604)
    • Order of user-provided tags from PCAP upload interface not preserved (#624)
  • 📄 Configuration changes (in environment variables in ./config/) for Malcolm and in control_vars.conf for Hedgehog Linux
  • 🧹 Code and project maintenance
    • Ensure Malcolm's NetBox configuration Python scripts are baked into the image in addition to bind-mounting them in docker-compose.yml at runtime.

Malcolm is a powerful, easily deployable network 🖧 traffic analysis tool suite for network security monitoring 🕵🏻‍♀️.

Malcolm operates as a cluster of containers 📦, isolated sandboxes which each serve a dedicated function of the system. This makes Malcolm deployable with frameworks like Docker 🐋, Podman 🦭, and Kubernetes ⎈. Check out the Quick Start guide for examples on how to get up and running.

Alternatively, dedicated official ISO installer images 💿 for Malcolm and Hedgehog Linux 🦔 can be downloaded from Malcolm's releases page on GitHub. Due to limits on individual files in GitHub releases, these ISO files have been split 🪓 into 2GB chunks and can be reassembled with scripts provided for both Bash 🐧 (release_cleaver.sh) and PowerShell 🪟 (release_cleaver.ps1). See Downloading Malcolm - Installer ISOs for instructions.

As always, join us on the Malcolm discussions board 💬 to engage with the community, or pop some corn 🍿 and watch a video 📼.

I'm confused how a static site can do OIDC.

Isn't there supposed to be a client/application ID-secret pair that is used to exchange the auth token for the actual access token that /does/ stuff?

How do you store that secret when it's all static files and client-side JS calls?

For the AlekSIS project, a very active open source school information system, we are looking for a freelance #Python and #Django developer with knowledge about #OAuth and #OIDC.

The task is to implement several features in django-oauth-toolkit.

If you think you might be that person, please ping me and @hansegucker!

For those who attend, #FOSDEM will be a good opportunity to meet if you are interested, but that's by no means a requirement.

@abosio

I could buy this if #TailScale was being promoted on, say, #LinuxUnplugged. On a show specifically about self hosting though, promoting something that runs everyone's logins through #Google/#Microsoft/#Apple is hypocritical.

#OIDC is at least self-hostable, but setting that up wipes out the main claimed benefit, namely that it will be up and running "within minutes". So they're making claims on a show literally called "SelfHosting" that are only met by using #GAFAM accounts.

Back in June I wrote about an exciting confluence of digital auth tech:

(1) The commodification of #OIDC infrastructure, (2) the emergence of #FedCM, (3) and the compatibility of both with #indieauth.

In short, it is now easier than ever to log into web applications using your own website as an identity provider. Or at least, it would be, if your favorite web apps supported these agency-enhancing technologies.

blog.erlend.sh/indie-social-si


I've got to say, I'm disappointed with my first look into @tailscale. It was promoted heavily by The #SelfHosted Show on #JupiterBroadcasting as "installs on any device in minutes".

Well, #Tailscale needs an account.

Fine.

The only options though are #Google, #Microsoft, #Github, #Apple or #OIDC. Only one doesn't report to #GAFAM's #surveillance, and that definitely won't be up and running "in minutes".

...and is the server software (not #HeadScale) #proprietary?

What am I missing here?

Hello World!

I'm now reachable on my own ActivityPub instance (running #gotosocial using #semaphore as a frontend)

Everything seems to be working fine so far. Auth via the #authelia #sso using #oidc is also working really well.

(Yes, I'm testing Hashtags at the moment).

All the configs are public and the commit introducing them is this one:

https://git.emile.space/hefe/commit/?id=b1140ee81828a97a3bdcb098ae88c5ad33c2e93e

The gotosocial instance itself publishes the user-page here: https://social.emile.space/@hanemile
