Replies: 10 comments
Hi, this is one of the most requested features so we will definitely implement something about it. May I ask how and what you currently use SSO for with other tools in your case?

Yes for sure: actually we are all behind an Authentik IdP to mainly share Nextcloud, Paperless for the post mail entry scanned by my daughter and Vaultwarden OIDC Fork for sharing our secrets. For now we also use Outline, which was the initial reason why we used an IdP at home, but we are looking for an offline-first solution and considered Obsidian, but it's not giving the same level of joy to document stuff seamlessly.

Wow! You're actually much more advanced than I expected—thanks to #57. Have you already had a look at the Better-Auth NPM package? It could give you virtually unlimited possibilities to expand your software login gateway and perfectly covers self-hosted systems: https://www.better-auth.com/docs/plugins/generic-oauth

Thank you! I had planned to check it out and see if we can use it in Colanode, thanks for the suggestion!

Nice! If I can dedicate time to it, would you be willing to consider a PR?

I'm certainly open to contributions! But in this case, after checking the documentation, I'm afraid that using the better-auth package in Colanode would be challenging. This has nothing to do with the package itself; it seems like a great implementation. However, in Colanode we have already implemented a custom auth, using a custom table schema, custom tokens, custom sessions (we call them 'devices' in Colanode) and authorization checks. Implementing better-auth would require a lot of customization around mapping between their schema and features and the Colanode schema and use cases, which after a while might become more challenging than helpful. At a high level, I need to research and plan more about how we can enhance the auth flow and implement a general SSO feature in Colanode before actually implementing something. Better-auth can be a good inspiration in the way they are handling social logins.

Thank you for your valuable feedback and the time spent. I will investigate more deeply, and based on your feedback and the actual implementation in code of the custom auth system I will make you a better proposition. Best,

I would really recommend this resource: https://lucia-auth.com/ which used to be a library, but is now more of a good resource on how to implement OAuth2 on your own. I run my home server with pocket-id and LDAP, and wouldn't want to install something I can't get to work with SSO.

You can also consider accepting request headers from upstream. This would enable self-hosters to provide OAuth or OIDC externally.

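Accepting an identity header from upstream, as suggested in the comment above, is only safe when the header is honoured solely for connections that come from the reverse proxy itself. The following is an added sketch of that check, not Colanode code and not written by anyone in this thread; the header name, the proxy ranges and the function names are assumptions.

```javascript
// Added example. All names and values below are assumptions, not Colanode code.
const IDENTITY_HEADER = "x-forwarded-user";              // hypothetical header set by the proxy
const TRUSTED_PROXIES = ["127.0.0.1/32", "10.0.5.0/24"]; // constructed proxy ranges

// Parse dotted-quad IPv4 into a number, or null if it is not valid IPv4.
function ipv4ToInt(ip) {
  const parts = ip.split(".");
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p);
  }
  return n;
}

// IPv4 only in this sketch: an IPv6 peer never matches and is treated as untrusted.
function inCidr(ip, cidr) {
  const [base, bits] = cidr.split("/");
  const a = ipv4ToInt(ip);
  const b = ipv4ToInt(base);
  if (a === null || b === null) return false;
  const size = 2 ** (32 - Number(bits));
  return Math.floor(a / size) === Math.floor(b / size);
}

// peerAddress must be the TCP peer (socket.remoteAddress), never a value
// read from X-Forwarded-For, which any client can set.
// headers is a Node-style object with lower-cased names.
function resolveUpstreamIdentity(peerAddress, headers) {
  const raw = headers[IDENTITY_HEADER];
  if (raw === undefined) return { ok: false, reason: "no-header" }; // normal login applies
  const peer = String(peerAddress).replace(/^::ffff:/i, ""); // IPv4-mapped IPv6
  if (!TRUSTED_PROXIES.some((cidr) => inCidr(peer, cidr))) {
    // Header sent by something other than the proxy: spoofed or misrouted request.
    return { ok: false, reason: "untrusted-peer" };
  }
  // Node joins repeated custom headers with ", "; refuse rather than pick one.
  if (Array.isArray(raw) || raw.includes(",")) return { ok: false, reason: "ambiguous-header" };
  const user = raw.trim();
  if (!/^[A-Za-z0-9._@-]{1,128}$/.test(user)) return { ok: false, reason: "malformed-value" };
  return { ok: true, user };
}
```

The proxy should also strip this header from incoming client requests before setting its own value, and an `untrusted-peer` result is worth logging because it means the application port is reachable without going through the proxy.
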
I haven't looked at the code, but would it be possible to re-use the logic you're using for the Google authentication to allow e.g. users to plug their own Keycloak instance? At the end of the day it's still OAuth, right? And many people self-hosting also have their own IdP already.

Hey!
Sorry to bother you again, but just for security reasons—and because we use SSO at home with other tools for the family—I was wondering if you plan to integrate it as well?
I imagine it could be interesting for others too. In my experience, though, it needs to be planned quite early to avoid having to rewrite major parts of the app later, so I thought I'd ask now.