
feat: add oidc authentication (settings + login form)

Open edwin-anne opened this issue 2 months ago • 4 comments

What is this PR about?

This PR introduces first-class OpenID Connect (OIDC) Single Sign-On support. It adds:

  • A new SSO settings page (/dashboard/settings/sso) allowing an admin to configure an external OIDC provider (issuer, discovery URL, client credentials, scopes, claim mapping, PKCE toggle, etc.).
  • Backend persistence via a new oidc_settings table plus a generalized sso_provider table (foundation for future SAML or multiple providers).
  • Secure registration + (re)registration logic with the authentication layer (better-auth + @better-auth/sso).
  • Login page integration: dynamic SSO button appears when OIDC is fully configured.
  • Status endpoint + tRPC router (ssoRouter) for reading/updating settings and exposing readiness (used by the UI).
  • Claim mapping support (id/email/emailVerified/name/image) with sensible defaults.
  • Session enrichment so organization context persists after SSO login.
  • Database migrations (0117–0119) that create/extend SSO-related tables safely (idempotent + foreign key).
  • Client integration via authClient including the ssoClient plugin.

Checklist

Before submitting this PR, please make sure that:

  • [x] You created a dedicated branch based on the canary branch.
  • [x] You have read the suggestions in the CONTRIBUTING.md file https://github.com/Dokploy/dokploy/blob/canary/CONTRIBUTING.md#pull-request
  • [x] You have tested this PR in your local instance.

Issues related (if applicable)

closes #123

Screenshots (if applicable)

(three screenshots attached to the PR)

edwin-anne, Oct 05 '25 20:10
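As an added example (not code from this PR or from dokploy), here is what the "readiness" the status endpoint reports could check before the login page shows the SSO button, together with PKCE helpers for the PKCE toggle. The `OidcSettings` and `DiscoveryDocument` shapes, `checkReadiness`, and the sample data are assumptions made for the illustration; the one hard requirement they encode is from OpenID Connect Discovery 1.0: the `issuer` inside the fetched discovery document must equal the configured issuer exactly.

```typescript
// Added example, not code from the dokploy PR: a readiness check for an
// admin-configured OIDC provider plus PKCE S256 helpers. OidcSettings,
// checkReadiness and the sample data below are hypothetical.
import { createHash, randomBytes } from "node:crypto";

export interface OidcSettings {
  issuer: string;       // what the admin typed on the SSO settings page
  clientId: string;
  scopes: string[];     // must contain "openid" for an ID token to be issued
  pkce: boolean;        // the PKCE toggle
}

export interface DiscoveryDocument {
  issuer: string;
  authorization_endpoint?: string;
  token_endpoint?: string;
  jwks_uri?: string;
  code_challenge_methods_supported?: string[];
}

export interface Readiness {
  ready: boolean;
  problems: string[];
}

// OpenID Connect Discovery 1.0 requires the "issuer" inside the discovery
// document to be byte-for-byte equal to the issuer the client configured; a
// document fetched for one issuer that names another must be rejected.
export function checkReadiness(settings: OidcSettings, doc: DiscoveryDocument): Readiness {
  const problems: string[] = [];
  if (doc.issuer !== settings.issuer) {
    problems.push(`issuer mismatch: document says "${doc.issuer}"`);
  }
  if (!settings.issuer.startsWith("https://")) problems.push("issuer must use https");
  for (const ep of ["authorization_endpoint", "token_endpoint", "jwks_uri"] as const) {
    const url = doc[ep];
    if (!url) problems.push(`discovery document lacks ${ep}`);
    else if (!url.startsWith("https://")) problems.push(`${ep} must use https`);
  }
  if (settings.clientId.trim() === "") problems.push("client id is empty");
  if (!settings.scopes.includes("openid")) problems.push('scopes must include "openid"');
  const methods = doc.code_challenge_methods_supported ?? [];
  if (settings.pkce && !methods.includes("S256")) {
    problems.push("PKCE enabled but provider does not advertise S256");
  }
  return { ready: problems.length === 0, problems };
}

// RFC 7636: code_challenge = BASE64URL(SHA256(ASCII(code_verifier))).
export function pkceChallenge(verifier: string): string {
  return createHash("sha256").update(verifier, "ascii").digest("base64url");
}

// 32 random bytes base64url-encoded give a 43-character verifier using only
// the unreserved characters RFC 7636 allows.
export function newPkceVerifier(): string {
  return randomBytes(32).toString("base64url");
}

// Constructed sample input (not a real provider).
export const sampleSettings: OidcSettings = {
  issuer: "https://login.example.test",
  clientId: "dokploy",
  scopes: ["openid", "email", "profile"],
  pkce: true,
};

export const sampleDiscovery: DiscoveryDocument = {
  issuer: "https://login.example.test",
  authorization_endpoint: "https://login.example.test/authorize",
  token_endpoint: "https://login.example.test/token",
  jwks_uri: "https://login.example.test/jwks",
  code_challenge_methods_supported: ["S256"],
};
```

Reporting `problems` rather than a bare boolean lets the settings page tell the admin why the button is hidden; the issuer comparison is deliberately exact (no trailing-slash normalisation), because that is what the discovery spec mandates.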

#626

edwin-anne, Oct 05 '25 20:10

This is great! Do you plan on making a SAML SSO feature in the future?

tristanbob, Nov 03 '25 22:11

Thank you @edwin-anne for your PR.

It would be really nice if you could add multiple IdP providers.

To do this, the database only needs an additional column for the slug name of the provider, and the return URL must also be structured specifically for each provider (/callback/#slug#).

Will there be an option for mapping existing accounts? For example, user [email protected] was created via Admin. The user now comes and wants to use the SSO button for Microsoft or GitHub, and the email address of the SSO account matches the email address in Dokploy. Will these users then be mapped?

strausmann, Nov 05 '25 11:11
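As an added example that is not part of the PR or of dokploy, the following shows the claim mapping with defaults described in the PR text and the account-mapping question raised in the comment above: when an SSO identity arrives, which local account (if any) it may log in to or be linked to, and the per-provider callback path. `ClaimMapping`, `mapClaims`, `resolveSsoLogin`, `callbackPath`, the `/callback/<slug>` prefix and the sample users are assumptions for the illustration. The security point it encodes is that linking by email is only safe when the provider asserts the address as verified; otherwise anyone who can register that address at the IdP could take over the admin-created account.

```typescript
// Added example, not code from the dokploy PR: apply the claim mapping with
// defaults, then decide whether the SSO identity may log in to, link to, or
// create a local account. ClaimMapping, resolveSsoLogin, callbackPath and
// the sample users are hypothetical.

export interface ClaimMapping {
  id?: string;
  email?: string;
  emailVerified?: string;
  name?: string;
  image?: string;
}

// Standard OIDC claim names used when the admin leaves a field blank.
const defaultMapping: Required<ClaimMapping> = {
  id: "sub",
  email: "email",
  emailVerified: "email_verified",
  name: "name",
  image: "picture",
};

export interface MappedProfile {
  id: string;
  email: string;
  emailVerified: boolean;
  name?: string;
  image?: string;
}

const str = (v: unknown): string | undefined => (typeof v === "string" ? v : undefined);

export function mapClaims(claims: Record<string, unknown>, mapping: ClaimMapping = {}): MappedProfile {
  // A blank form field keeps the default instead of overriding it with "".
  const m: Required<ClaimMapping> = { ...defaultMapping };
  for (const k of Object.keys(defaultMapping) as (keyof ClaimMapping)[]) {
    const v = mapping[k];
    if (v && v.trim() !== "") m[k] = v.trim();
  }
  const id = str(claims[m.id]);
  const email = str(claims[m.email]);
  if (!id) throw new Error(`ID token lacks subject claim "${m.id}"`);
  if (!email) throw new Error(`ID token lacks email claim "${m.email}"`);
  const verified = claims[m.emailVerified];
  return {
    id,
    email: email.trim().toLowerCase(),
    // Only an explicit true counts; a missing claim is treated as unverified.
    emailVerified: verified === true || verified === "true",
    name: str(claims[m.name]),
    image: str(claims[m.image]),
  };
}

export interface SsoLink { providerSlug: string; issuer: string; subject: string }
export interface LocalUser { email: string; links: SsoLink[] }
export type Resolution =
  | { action: "login"; email: string }
  | { action: "link"; email: string }
  | { action: "create"; email: string }
  | { action: "reject"; reason: string };

export function resolveSsoLogin(issuer: string, profile: MappedProfile, users: LocalUser[]): Resolution {
  // 1. An identity linked earlier (issuer + sub) wins, even if its email changed at the IdP.
  const linked = users.find((u) => u.links.some((l) => l.issuer === issuer && l.subject === profile.id));
  if (linked) return { action: "login", email: linked.email };
  // 2. Link to an existing account by email only when the IdP asserts the
  //    address as verified; an unverified match is refused, not auto-linked.
  const byEmail = users.find((u) => u.email === profile.email);
  if (byEmail) {
    if (!profile.emailVerified) return { action: "reject", reason: "email not verified by provider" };
    return { action: "link", email: byEmail.email };
  }
  return { action: "create", email: profile.email };
}

// Callback path per provider, as suggested in the thread (/callback/<slug>).
// Restricting the slug keeps it safe as a path segment and a database key.
export function callbackPath(slug: string): string {
  if (!/^[a-z0-9][a-z0-9-]{0,31}$/.test(slug)) throw new Error(`invalid provider slug "${slug}"`);
  return `/callback/${slug}`;
}

// Constructed sample accounts (not real data).
export const sampleUsers: LocalUser[] = [
  { email: "admin@example.test", links: [] },
  { email: "dev@example.test", links: [{ providerSlug: "entra", issuer: "https://login.example.test", subject: "dev-42" }] },
];
```

Two design choices worth keeping if this were adopted: the stored link is `(issuer, sub)`, never the email, because `sub` is the only claim the provider guarantees to be stable; and the `reject` outcome is surfaced to the user rather than silently creating a second account with a duplicate address.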

We need this; is it going to be merged any time soon?

BENZOOgataga, Nov 19 '25 10:11

Any chance of this being worked on or merged?

UntoldGam, Dec 09 '25 19:12