feat: generic OIDC SSO and password-login disable flag#152

Merged
dusanstanojeviccs merged 2 commits into tracewayapp:main from The-Kinky-Coder:feature/generic-oidc-sso on May 19, 2026

Conversation

Contributor

@The-Kinky-Coder commented May 16, 2026

Adds support for any OpenID Connect provider (Authentik, Keycloak, Dex, Okta, etc.) alongside the existing Google and GitHub OAuth providers, and a new flag to enforce SSO-only login.

OIDC provider:

  • New OIDC_CLIENT_ID / OIDC_CLIENT_SECRET / OIDC_DISCOVERY_URL env vars enable any OIDC-compliant provider via goth's openidConnect backend
  • OIDC_DISPLAY_NAME sets a custom label on the login button (default: SSO)
  • OIDC_AUTO_CREATE_USERS=true bypasses the invite requirement in self-hosted mode, automatically provisioning accounts and adding users to an org on first login
  • OIDC_ORG_CLAIM routes users to a named org via a custom JWT claim for multi-org instances; falls back to the first org if absent
  • OIDC_EXTRA_SCOPES requests additional scopes needed to expose custom claims
  • Switched session store from CookieStore to FilesystemStore to avoid the 4096-byte cookie size limit hit by large OIDC ID tokens (e.g. Authentik)
  • Providers endpoint now returns providerLabels so the frontend can show the correct display name on the SSO button

Password-login disable flag:

  • DISABLE_PASSWORD_LOGIN=true blocks POST /api/login and /api/register with 403 and hides the email/password form on the login and register pages; the "or" divider between SSO buttons and the form is also removed
  • Login page skips the /register redirect (first-time setup) when password login is disabled — onboarding happens through the SSO flow instead
  • Register page redirects to /login immediately when password login is disabled

Created this as a draft pull request in case you want other changes made to the feature and to request comment on the feature before promoting this to a full pull request.

Personally I use Authentik for my own SSO so I wanted to expand the current SSO ability to allow other OIDC auth providers than just Github/Gmail.

I left the "instructions for Authentik" in as an example of how to set up Authentik for this, but I can cut that out.

Add OIDC_ROLE_CLAIM and OIDC_ROLE_MAP env vars to map IdP roles/groups
to Traceway roles on every login. Supports dot-notation paths for nested
claims (e.g. Keycloak's realm_access.roles). The highest-priority match
wins (admin > user > readonly); owner is never auto-assigned and existing
owners are protected from demotion on re-login.

Add OIDC_AUTH_URL, OIDC_TOKEN_URL, and OIDC_USER_INFO_URL as an
alternative to OIDC_DISCOVERY_URL for providers that do not expose a
well-known configuration endpoint. A short-lived local server synthesises
the discovery document at startup so the existing goth flow is unchanged.

Fix a flash on the login and register pages where the email/password form
was briefly visible before the /api/auth/providers response arrived when
password login is disabled.

Update SSO docs with Keycloak setup guide, role mapping examples
(including Authentik and generic groups claim), manual endpoint
configuration, and the new env var reference.
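As an added example, not code from the tracewayapp project or this PR, the role-mapping rules described in the second commit written out in Go: a dot-notation lookup for nested claims such as Keycloak's `realm_access.roles`, highest-priority match wins (admin > user > readonly), `owner` is never auto-assigned, and an existing owner is never demoted on re-login. The `OIDC_ROLE_MAP` syntax assumed here (`idp-value=traceway-role`, comma-separated), the behaviour when no group matches (current role kept), and every function name are assumptions, not the project's actual implementation.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Traceway roles in ascending privilege; "owner" is recognised but never assigned here.
var rolePriority = map[string]int{"readonly": 1, "user": 2, "admin": 3, "owner": 4}

// LookupClaim walks a dot-notation path such as "realm_access.roles" through decoded
// ID-token claims; it reports false if a segment is missing or is not a JSON object.
func LookupClaim(claims map[string]any, path string) (any, bool) {
	var cur any = claims
	for _, part := range strings.Split(path, ".") {
		obj, ok := cur.(map[string]any)
		if !ok {
			return nil, false
		}
		if cur, ok = obj[part]; !ok {
			return nil, false
		}
	}
	return cur, true
}

// ClaimStrings normalises a claim sent either as a JSON array of strings or as one string.
func ClaimStrings(v any) []string {
	switch t := v.(type) {
	case string:
		return []string{t}
	case []any:
		out := make([]string, 0, len(t))
		for _, e := range t {
			if s, ok := e.(string); ok {
				out = append(out, s)
			}
		}
		return out
	}
	return nil
}

// ParseRoleMap parses an assumed "idp-value=traceway-role,..." syntax for OIDC_ROLE_MAP
// (the PR does not show the real format); unknown target roles fail at startup.
func ParseRoleMap(spec string) (map[string]string, error) {
	m := make(map[string]string)
	for _, pair := range strings.Split(spec, ",") {
		if pair = strings.TrimSpace(pair); pair == "" {
			continue
		}
		k, v, ok := strings.Cut(pair, "=")
		if !ok {
			return nil, fmt.Errorf("bad role map entry %q", pair)
		}
		v = strings.TrimSpace(v)
		if _, known := rolePriority[v]; !known {
			return nil, fmt.Errorf("unknown Traceway role %q", v)
		}
		m[strings.TrimSpace(k)] = v
	}
	return m, nil
}

// ResolveRole applies the PR's rules: highest-priority match wins (admin > user > readonly),
// "owner" is never auto-assigned even if the map names it, and an existing owner is never
// demoted. With no match the current role is kept (an assumption; the PR does not say).
func ResolveRole(claims map[string]any, claimPath string, roleMap map[string]string, currentRole string) string {
	if currentRole == "owner" {
		return "owner"
	}
	raw, ok := LookupClaim(claims, claimPath)
	if !ok {
		return currentRole
	}
	best := ""
	for _, g := range ClaimStrings(raw) {
		role, mapped := roleMap[g]
		if !mapped || role == "owner" {
			continue
		}
		if rolePriority[role] > rolePriority[best] {
			best = role
		}
	}
	if best == "" {
		return currentRole
	}
	return best
}

func main() {
	// Constructed sample shaped like a Keycloak ID token's realm_access.roles claim.
	var claims map[string]any
	_ = json.Unmarshal([]byte(`{"sub":"42","realm_access":{"roles":["viewer","ops"]}}`), &claims)
	roleMap, _ := ParseRoleMap("ops=admin,viewer=readonly,ceo=owner")
	fmt.Println(ResolveRole(claims, "realm_access.roles", roleMap, "user")) // admin
}
```

Two design points worth keeping when wiring this into a login handler: reject an unknown target role when the map is parsed at startup rather than silently skipping it at login, so a misspelled `OIDC_ROLE_MAP` cannot quietly leave everyone at their previous role; and treat a mapping that names `owner` as a no-op rather than an error, which is what keeps the identity provider from ever minting an owner.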
@dusanstanojeviccs
Collaborator

@The-Kinky-Coder incredible work - I'll review and merge in tomorrow

@dusanstanojeviccs dusanstanojeviccs marked this pull request as ready for review May 19, 2026 04:17
@dusanstanojeviccs dusanstanojeviccs merged commit 7a84f1a into tracewayapp:main May 19, 2026