this post was submitted on 13 Aug 2024
14 points (100.0% liked)

Privacy

31975 readers
652 users here now

A place to discuss privacy and freedom in the digital world.

Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.

In this community everyone is welcome to post links and discuss topics related to privacy.

Some Rules

Related communities

Chat rooms

much thanks to @gary_host_laptop for the logo design :)

founded 5 years ago
MODERATORS
 

Hi folks,

I'm seeing there are multiple services which externalise the task of "identity provider" (e.g. login with Facebook, google or what not).

In my case, I am curious about Tailscale, a VPN service which allows one to chose an identity provider/SSO between Google, Microsoft, Github, Apple and OIDC.

How can I find out what data is actually communicates to the identity provider? Their task should simply be to decide whether I am who I claim to be, nothing more. But I'm guessing there may be some subtleties.

In the case of Tailscale, would the identity provider know where I'm trying to connect? Or more?

Answers and insights much appreciated! The topic does not seem to have much information online.

top 9 comments
sorted by: hot top controversial new old
[–] [email protected] 22 points 3 months ago (2 children)

The simple answer to SSO is: Just don't.

It has it's place in companies, but there is no good reason for private use, except maybe a little convenience.

On the other hand, you open yourself up of to your data being collected left and right and increase the chance it gets compromised by it being shared.

[–] [email protected] 5 points 3 months ago (1 children)

SSO can be fine, it all depends on how it is implemented. If you run your own OIDS or manage your own FIDO2 keys manually, SSO works great; it means that every time you access an online account, a different challenge/response is sent, but you only have to manage a single account on your end. This means less data to be stolen, and if implemented correctly, a sso-backed login attempt in a new context will require further action, preventing someone from just stealing your cookies/certificates and having full access to all your accounts.

The problem is that so much SSO junk is intentionally mis-implemented to include third parties in the process where there’s no need for them to be. Avoid those where appropriate.

[–] [email protected] 1 points 3 months ago

Ok, fair enough, but at that point you're basically deploying your own password manager which most people would consider a little over the top :D

[–] [email protected] 1 points 3 months ago

The only acceptable use I have seen for myself are trading sites you log in through Steam - since their sole purpose is interacting with your Steam inventory.

[–] [email protected] 6 points 3 months ago (2 children)

You can self host your identity provider and use OIDC to connect Tailscale. I myself use Authentik, a more established alternative in enterprise is Keycloak

[–] [email protected] 4 points 3 months ago* (last edited 3 months ago) (1 children)

Do you use Authentik specifically with Tailscale? That's interesting, indeed I would definitely want that. I was under the impression that it required something like headscale but it seems not to be the case. Thanks!

Edit: minor edit.

[–] [email protected] 1 points 3 months ago

I use Headscale, but I think I read somewhere that Tailscale allows custom OIDC providers now.

[–] [email protected] 1 points 3 months ago

Can I ask how you set authentik up for tailscale? I tried that but got stuck with the webfinger step. I can't wrap my head around that.

[–] [email protected] 2 points 3 months ago

In terms of privacy, you are giving your identity provider insight to each of the third party services that you use. It may seem that there isn't too much of a difference between using Google's SSO vs using your Gmail address to register your third party account. However, one big distinction is that Google would be able to see often and when you use each of your third party services.

Also, it may be impossible to restrict the sharing of certain information from your identity provider with the third party service. For example, maybe you don't want to share a picture of yourself with a service, but that service uses user profile pictures or avatars. That service may ask (and require) that you give it access to your Google account's profile picture in order to authenticate using Google's SSO. You may be able to overwrite that picture, but you also may not be able to revoke the service's ability to retrieve it. If you used a "regular" local account, that Google profile picture would never be shared with the third party service if you did not upload it directly. The same is true for other information like email, first/last/full name, birthday, etc.

There are other security and operational concerns with using SSO options. With the variety of password managers available, introduction of passkeys, and increased adoption of multi-factor authentication, many of the security benefits associated with SSO aren't as prevalent as they were 10 years ago. The biggest benefit is likely the convenience that SSO still brings compared to other authentication methods.

Ultimately it's up to you to determine if these concerns are worth the benefits of using SSO (or the third party service provider at all if they require SSO). I have a feeling the common advise will be to avoid SSO unless its an identity provider that you trust (or even better - one that you host yourself) - especially if you're using unique emails/usernames along with strong and unique passwords with multi-factor authentication and/or passkeys.