gonic icon indicating copy to clipboard operation
gonic copied to clipboard
verified publisher icon sentriz

Add support for OIDC authentication

Open lava opened this issue 5 months ago • 1 comments

Motivation

Passwords are old-school, and many people who are into self-hosting their software already have a centralized identity server for SSO. By offloading authentication to a separate service, we immediately gain support for 2FA, password reset flows, passkey support, identity federation, and whatever else your identity provider of choice offers.

This PR goes a bit beyond the minimal possible OIDC support, but in exchange it gets to a state where all the existing behavior can still be used without disruption when opting for OIDC.

In particular:

  • Allows users to choose between password, oidc and oidc-forward authentication methods. By default, password is selected and the gonic behavior is exactly as it was before this PR.
  • When choosing OIDC authentication, the username is read from the JWT provided by the identity provider, and users are created automatically when they are first seen. A new db field is added to allow users to freely change their name and still be identified as the same user by the sub claim.
  • For new OIDC users a random password is generated and can be revealed in the UI, which can then be used for subsonic api clients. OIDC support for authorizing API access would make sense eventually, but is not part of this PR.
  • The two different flavors oidc and oidc-forward correspond to the two popular choices of deploying OIDC: one is that the app natively supports OIDC and redirects users to the identity provider itself, the other is that something external to the app (like oauth2-proxy) is handling the whole login and just forwards the obtained token which the app then reads. Which one is preferred depends heavily on the other software in use, and in the end they share 95% of the same code, so I just added support for both.
  • The check for admin-ness is a bit half-baked (only works by checking the roles claim in the token), but works for an initial implementation.

AI disclaimer

I'm not a Go developer, so most of the actual code was written by Claude. I did however work professionally on implementing OIDC support for various products, and looked over all the generated code to verify it's correct to the best of my ability.

lava avatar Jul 12 '25 23:07 lava

Very nice to have!

Akruidenberg avatar Sep 06 '25 14:09 Akruidenberg