Authentication: Add optional OpenID Connect (OIDC) support #29

@achildrenmile

Description

Problem

The application currently supports only local authentication (username/password, MFA).

For some customers, especially enterprises, this is limiting because:

  • Existing identity providers cannot be reused
  • User management is duplicated
  • Single Sign-On (SSO) is not available

Goal

Add optional OpenID Connect (OIDC) support to allow authentication via external identity providers while keeping local authentication fully functional.

Scope

  • OIDC support is optional
  • Local authentication remains available and unchanged
  • OIDC can be enabled per tenant or per deployment

Supported Identity Providers (Examples)

The implementation should be compatible with standard OIDC providers, such as:

  • Keycloak
  • Azure AD / Entra ID
  • Auth0
  • Google Workspace

(No provider-specific hardcoding.)

Functional Requirements

Configuration

  • OIDC configuration must be externalized:
    • Issuer URL
    • Client ID
    • Client Secret
    • Scopes
  • Configuration must support multiple environments

Login Flow

  • User can choose:
    • Local login
    • OIDC login (if enabled)
  • OIDC login redirects to the external provider
  • After successful authentication:
    • User is logged in
    • A local user record is mapped or created

Account Mapping

  • OIDC users must be mapped to local user accounts
  • Mapping should be based on a stable identifier (e.g. email or subject)
  • Authorization remains managed locally

Security Requirements

  • Use Authorization Code Flow with PKCE
  • Validate:
    • ID token signature
    • Issuer
    • Audience
    • Expiration
  • Secure storage of client secrets
  • No trust in frontend-only tokens
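As an added example (not code from this issue or the project), a backend-side sketch of the PKCE, claim-validation and account-mapping requirements above. It assumes the ID token signature has already been verified against the provider's JWKS by a JWT library, that claim names follow OIDC Core, and that local accounts are keyed on the (issuer, subject) pair rather than on email, which can change.

```python
# Added example for the OIDC requirements above (not the project's code).
# Assumes the ID token signature was already verified by a JWT library;
# this covers PKCE, claim validation and mapping to a local account.
import base64
import hashlib
import secrets
import time


def make_pkce_pair():
    """Return (code_verifier, code_challenge) for the S256 PKCE method."""
    verifier = secrets.token_urlsafe(64)  # 86 chars, within RFC 7636's 43..128
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    return verifier, challenge


def validate_id_token_claims(claims, issuer, client_id, now=None, leeway=60):
    """Return a list of problems; an empty list means issuer, audience and
    expiration are acceptable. The caller rejects the login if non-empty."""
    now = time.time() if now is None else now
    problems = []
    if claims.get("iss") != issuer:
        problems.append("issuer mismatch")
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if client_id not in aud:
        problems.append("audience mismatch")
    # With several audiences, azp must name this client (OIDC Core 3.1.3.7).
    if len(aud) > 1 and claims.get("azp") != client_id:
        problems.append("azp mismatch")
    if "exp" not in claims or claims["exp"] + leeway < now:
        problems.append("token expired")
    if claims.get("iat", now) - leeway > now:
        problems.append("token issued in the future")
    return problems


def map_to_local_user(claims, users):
    """Map the OIDC identity to a local account keyed on (iss, sub), creating
    the record on first login. Authorization stays local: no roles from IdP."""
    key = (claims["iss"], claims["sub"])
    if key not in users:
        users[key] = {"email": claims.get("email"), "roles": []}
    return users[key]
```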

Acceptance Criteria

  • OIDC login can be enabled or disabled via configuration
  • Users can authenticate via an external OIDC provider
  • Local authentication continues to work
  • OIDC users are mapped to local accounts
  • Security validations are correctly enforced
  • Works on desktop and mobile

Out of Scope

  • SAML authentication
  • Automatic role provisioning from IdP
  • Mandatory SSO enforcement
  • API authentication via OIDC

Notes

This issue introduces an extensible authentication option for enterprise use cases without changing the existing security model.

Labels

  • P2:Advanced
  • auth (Authentication and session handling)
  • backend
  • frontend
  • oidc (OpenID Connect integration)
  • security (Security-related changes)
  • sso (Single Sign-On and identity federation)