t/suki host migration and sso

In light of Discord’s mandatory age verification announcement, I feel a report on how this is going so far is in order.

I explored Authelia for a few days to see if it would be a cheaper alternative to Authentik. It is in fact much cheaper, but it doesn’t come with an account system. So, I tried using one of the recommended LDAP implementations named LLDAP, which was interesting to me because it also prioritized performance over having a full feature set that we don’t need. However, the application is developed by one person, they don’t scrutinize the security of their program (which is understandable under the circumstances, I think), and they have admitted to using LLMs to generate code for the repository, which I don’t think is great for an application where security is important.

I feel that the gains from using Authelia are quickly lost when the required LDAP is added, as it increases deployment complexity and, judging by the system requirements of other LDAP solutions I looked into, the runtime cost seems only marginally better at best. So, I decided to stick with Authentik.

I pulled the trigger on increasing the VPS size and got Authentik working today. @MyriadMinds and I investigated how to migrate everything over properly. However, there’s one sticking point: Invitations.

This is an invite-only community, but Authentik apparently only lets admins create invites. This means that I would have to be responsible for creating all the invites. We considered switching our focus back to Authelia, but it doesn’t support invitations at all. Our options are then:

  • admins (just me, for now) create all the invites
  • I keep trusting distrust, and you need to create an account on Discourse then log into Authentik before you can access other t/suki services
  • find out how to let authentik act as a transparent authentication gateway, so that your discourse login can be used for the other services

However, in the last two cases, authentik is a completely unnecessary overhead that will just make it harder for us to get to the applications we want to use and costs me more money for no added benefit. We might as well continue using distrust to turn Discourse into an OIDC provider.

So, that’s the plan. We’re going to give up on SSO and continue operating in the way we have been, with Discourse and distrust as our identity provider. Tomorrow, I’ll delete Authentik and set up Matrix.