navidrome/navidrome

[feature req] add OIDC authentication + roles

andrewzah opened this issue · 12 comments

https://swagger.io/docs/specification/authentication/openid-connect-discovery/

This would allow things like SSO through an external service like Keycloak, which generates .well-known automatically. A generic OIDC authenticator is preferable to service-specific logins like Google, Facebook, etc.

One way to do this would be to have multiple Authenticators, like an OIDCAuthenticator and a LocalAuthenticator, which is the current behavior. Having an option to disable the LocalAuthenticator entirely and only populate users through the OIDCAuthenticator would be preferable.

For admins: One solution is either the access token or the auth token could have a roles object, which would look for a role named admin.

Thanks! Multiple authentication backends will be implemented at some point, but the priority now is to decide how to work around the Subsonic API limitations regarding authentication: #202 (comment).

This issue has been automatically marked as stale because it has not had recent activity. The resources of the Navidrome team are limited, and so we are asking for your help.
If this is a bug and you can still reproduce this error on the master branch, please reply with all of the information you have about it in order to keep the issue open.
If this is a feature request, and you feel that it is still relevant and valuable, please tell us why.
This issue will automatically be closed in the near future if no further activity occurs. Thank you for all your contributions.

Bumping this as something I'm still keen to see in Navidrome.
Understand this is waiting for the revisions to the API, but very much looking forward to this.


Mihara commented

This bot is a bit overeager, the issue is still very much relevant.

phw commented

Thanks! Multiple authentication backends will be implemented at some point, but the priority now is to decide how to work around the Subsonic API limitations regarding authentication: #202 (comment).

One way to handle this would be to provide separate Subsonic authentication passwords. A password could be autogenerated when a user gets created. While this password would be stored in the database, it would only be used for Subsonic authentication and would not allow logging into the UI or accessing anything not supported by Subsonic.

The main user password could then be properly hashed.

This does not fully eliminate all risks, but it limits the impact of the password, especially for admin accounts but also for normal accounts.
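The split described in the comment above, as an added sketch that is not Navidrome's code: the UI password is stored only as a slow hash, while a separately generated random Subsonic password is the only secret the Subsonic token scheme (t = md5(password + s), which the Subsonic API mandates) can reveal. Function names, the record layout and the scrypt parameters are assumptions.

```python
import hashlib
import hmac
import secrets

# scrypt parameters for the main (UI) password; assumed values, not Navidrome's.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def hash_main_password(password: str) -> str:
    """Hash the UI password with a random salt; only this hash is stored."""
    salt = secrets.token_bytes(16)
    dk = hashlib.scrypt(password.encode(), salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P)
    return f"scrypt${salt.hex()}${dk.hex()}"


def verify_main_password(stored: str, password: str) -> bool:
    """UI login check: recompute scrypt over the stored salt, compare in constant time."""
    _, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P)
    return hmac.compare_digest(dk.hex(), dk_hex)


def create_user(name: str, ui_password: str) -> dict:
    """Constructed user record: hashed UI password plus a random Subsonic-only password."""
    return {
        "name": name,
        "password_hash": hash_main_password(ui_password),
        # Stored recoverably because the Subsonic token scheme needs the plaintext,
        # but it grants nothing beyond the Subsonic API.
        "subsonic_password": secrets.token_urlsafe(24),
    }


def subsonic_client_token(password: str, salt: str) -> str:
    """What a Subsonic client sends as t for a given s: md5(password + salt), hex."""
    return hashlib.md5((password + salt).encode()).hexdigest()


def verify_subsonic(user: dict, t: str, s: str) -> bool:
    """Server-side Subsonic check against the per-user Subsonic password only."""
    expected = subsonic_client_token(user["subsonic_password"], s)
    return hmac.compare_digest(expected, t.lower())
```

A client that learns the Subsonic password (or a t/s pair) cannot pass verify_main_password, and the UI password never yields a valid Subsonic token.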

Agreed, generating a random token for subsonic auth seems like a reasonable way to address this.


This bot is a bit overeager, the issue is still very much relevant.

Indeed, thanks to Authentik and Authelia, SSO via OIDC is easily embeddable.

One way this could work is using app passwords for Subsonic, like Nextcloud uses for CalDAV when it is using OIDC.

Looking forward to OIDC support with Authentik, too.