Configure Incus UI with SSO

There is a discussion about configure Incus UI with SSL authentication. This one is talking about using OpenID Connection (OIDC) for authentication.

I tried a couple of OIDC provider, the only working for me is Auth0. Confirmed not working: Google OAuth, Nextcloud OIDC. Auth0 could connect with Google account so this will be a workaround to use Google as SSO.

First, you need to register Auth0 and create a tenant. Free tier is totally OK. Then, we are going to create an application from the left navigation.

image518×570 22 KB

I choose “Single Page Application”. Incus UI works as OAuth 2.0 public application, which is matching the “Single Page Application” and grant auth with implicit flow.

Edit: I took a closer look at the code, LXD/Incus is using Authorization Code Flow with PKCE instead of implicit flow. Maybe “Native” application type is a better choice.

image1122×1032 69.6 KB

In the application page, fill the application URL, callback URL and allow origins. Internal IP or server name also works.

image1130×1502 141 KB

Under the “Advanced Settings” > “Grant Types”, make sure “Implicit”, “Authorization Code” and “Refresh Token” are checked. They should be selected by default.

Edit: As mentioned above, LXD/Incus is not using implicit flow, “Implicit” grant type is not necessary.

image1316×896 63.3 KB

Note down the “Domain” and “Client ID” in basic information section. They will be used in later step. We don’t need the “Client Secret” value.

Screenshot 2024-05-10 at 15.27.371160×824 27.1 KB

Next, switch to API page and create an API.

Identifier could be any string. I follow its suggestion to use the domain name. We use fill this identifier into Incus config as well.

image1212×1202 63.1 KB

After this, the Auth0 configuration is done. We switch to Incus configuration. Fill the oidc.audience as the API identifier. Note it needs to exactly match. The oidc.client.id and oidc.issuer is got from the basic information section. Notice the tailing / in the issuer.

Screenshot 2024-05-10 at 15.06.002198×658 51 KB

Now, go to your domain https://incus.example.com/ or https://incus-server:8443. There is a “Login with SSO” button. It should jump to Auth0 for SSO.

image948×498 27.8 KB

After login, you should be able to manipulate the Incus UI in your public domain.

image1408×1148 74.9 KB

As mentioned in this doc, any user that authenticates through the configured OIDC Identity Provider gets full access to Incus. It means, someone visits your https://incus.example.com URL, authenticated by SSO, then got full access on your Incus server. We have few solutions to address that.

The first solution is to put your Incus UI after Cloudflare Tunnel and Cloudflare Access. There are lots of introduction about it in the Internet, I am not going to expand it. One notice is, remember to enable “No TLS Verify” to bypass the Incus UI self-signed certificate.

image2478×1126 182 KB

Besides, enable Cloudflare Access for another layer of protection before hitting the Incus UI.

image2544×318 28.2 KB

The second solution is to disable arbitrary user sign up on your Auth0 service. Go to “Database” > “Username-Password-Authentication” database.

image1686×622 50.7 KB

Scroll down and check “Disable Sign Ups”

image2042×320 26.8 KB

In this case, you will need to use the “User Management” > “Users” to create user. Registered users have full access Incus UI. That might be fine for homelab.

image1794×812 51.5 KB

The third solution is to leverage OpenFGA. I did not try it, no details about it.

Found a WIKI page from LXD-UI:

That uses a different port from the standard 8443, is that good practice?

Port numbers didn’t really mean anything. On Linux systems you have to have root privileges to bind to low value ports. Other than that, you can use them for anything you want.

I am aware, let me re-phrase :

Is the port for the authentication always the same as the main API port?

Edited to add : I generally segregate authentication traffic flows separate to internal traffic, because I use an external provider for it (Okta).

Yes, it needs to be the same. As stgraber mentioned, the Incus-UI is just client-side files, it cannot proxy any backend calls. The main API port does all the works, including authentication.

To have better protection, I add Cloudflare Access to only allow me to reach the SSO login screen. Other people will be gated by Cloudflare - not even reach my server and see the Incus login screen.

Let me try to understand the concern here. Is it about external auth provider is aware of your internal API and doing some bad things?

Thanks for the clarification.

It’s not particularly a concern, just looking for information. I deny all traffic by default, define and group all my flows, then tag the servers which require that type of flow to allow it. So auth is just a flow as far as I’m concerned, but it is one that goes outside my hosted environment so I pay more attention to those.

For the SaaS services I use, it’s handy to have a gate to close - eg close off all auth flows by removing the tag from the servers using it - if, say, Okta were to have (another?) data compromise or a zero day.

@lijunle Thanks for this! Since importing certificates seems to be completely broken on many platforms now due to gcr (and other) package issues, this is the only way I could get access to incus-ui on Fedora.