[feature req] add OIDC authentication + roles #858

andrewzah opened this issue Mar 19, 2021 · 12 comments

andrewzah commented Mar 19, 2021

https://swagger.io/docs/specification/authentication/openid-connect-discovery/

This would allow things like SSO through an external service like Keycloak, which generates .well-known automatically. A generic OIDC authenticator is preferable to service-specific logins like Google, Facebook, etc.

One way to do this would be to have multiple Authenticators, like an OIDCAuthenticator and a LocalAuthenticator, which is the current behavior. Having an option to disable the LocalAuthenticator entirely and only populate users through the OIDCAuthenticator would be preferable.

For admins: One solution is either the access token or the auth token could have a roles object, which would look for a role named admin.

Member

deluan commented Mar 21, 2021

Thanks! Multiple authentication backends will be implemented at some point, but the priority now is to decide how to work around the Subsonic API limitations regarding authentication: #202 (comment).


github-actions bot commented Mar 7, 2023

This issue has been automatically marked as stale because it has not had recent activity. The resources of the Navidrome team are limited, and so we are asking for your help.
If this is a bug and you can still reproduce this error on the master branch, please reply with all of the information you have about it in order to keep the issue open.
If this is a feature request, and you feel that it is still relevant and valuable, please tell us why.
This issue will automatically be closed in the near future if no further activity occurs. Thank you for all your contributions.

@github-actions github-actions bot added the stale label Mar 7, 2023
@largelyinept

Bumping this as something I'm still keen to see in Navidrome.
Understand this is waiting for the revisions to the API, but very much looking forward to this.

@github-actions github-actions bot removed the stale label Mar 8, 2023

github-actions bot commented Sep 5, 2023

This issue has been automatically marked as stale because it has not had recent activity. The resources of the Navidrome team are limited, and so we are asking for your help.
If this is a bug and you can still reproduce this error on the master branch, please reply with all of the information you have about it in order to keep the issue open.
If this is a feature request, and you feel that it is still relevant and valuable, please tell us why.
This issue will automatically be closed in the near future if no further activity occurs. Thank you for all your contributions.

@github-actions github-actions bot added the stale label Sep 5, 2023

Mihara commented Sep 5, 2023

This bot is a bit overeager, the issue is still very much relevant.

@github-actions github-actions bot removed the stale label Sep 6, 2023
Contributor

phw commented Oct 28, 2023

> Thanks! Multiple authentication backends will be implemented at some point, but the priority now is to decide how to work around the Subsonic API limitations regarding authentication: #202 (comment).

One way to handle this would be to provide separate Subsonic authentication passwords. A password could be autogenerated when a user gets created. While this password will be stored in the database, it would only be used for Subsonic authentication and would not allow logging in to the UI or accessing anything not supported by Subsonic.

The main user password could then be properly hashed.

This does not fully eliminate all risks, but limits the impact of the password. Especially for admin accounts, but also normal accounts.
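Added example, not part of the thread and not Navidrome's code: a sketch of the split described in the comment above, assuming the Subsonic token scheme in which the client sends a salt `s` and `t = md5(secret + salt)`, so the server has to keep that secret recoverable. The `User` struct and all function names are hypothetical, and the UI password hash is a placeholder.

```go
package main

import (
	"crypto/md5"
	"crypto/rand"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
)

// User is a hypothetical record, not Navidrome's schema.
type User struct {
	UIPasswordHash string // output of a real password hash; hashing not shown
	SubsonicSecret string // random, recoverable, valid for the Subsonic API only
}

// NewSubsonicSecret returns 128 bits from the system CSPRNG as 32 hex chars.
func NewSubsonicSecret() (string, error) {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return hex.EncodeToString(b), nil
}

// SubsonicToken computes the client's "t" parameter: md5(secret + salt).
func SubsonicToken(secret, salt string) string {
	sum := md5.Sum([]byte(secret + salt))
	return hex.EncodeToString(sum[:])
}

// VerifySubsonic checks t against the Subsonic-only secret, never the UI password.
func VerifySubsonic(u User, salt, token string) bool {
	if u.SubsonicSecret == "" || salt == "" {
		return false
	}
	want := SubsonicToken(u.SubsonicSecret, salt)
	return subtle.ConstantTimeCompare([]byte(want), []byte(token)) == 1
}

func main() {
	secret, err := NewSubsonicSecret()
	if err != nil {
		panic(err)
	}
	u := User{UIPasswordHash: "<hash placeholder>", SubsonicSecret: secret}
	salt := "c19b2d" // constructed sample salt
	fmt.Println(VerifySubsonic(u, salt, SubsonicToken(secret, salt)))        // true
	fmt.Println(VerifySubsonic(u, salt, SubsonicToken("ui-password", salt))) // false
}
```

A database leak under this layout exposes only the Subsonic-scoped secret, which can be rotated without touching the UI password.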

@andrewzah
Author

Agreed, generating a random token for Subsonic auth seems like a reasonable way to address this.


This issue has been automatically marked as stale because it has not had recent activity. The resources of the Navidrome team are limited, and so we are asking for your help.
If this is a bug and you can still reproduce this error on the master branch, please reply with all of the information you have about it in order to keep the issue open.
If this is a feature request, and you feel that it is still relevant and valuable, please tell us why.
This issue will automatically be closed in the near future if no further activity occurs. Thank you for all your contributions.

@github-actions github-actions bot added the stale label Apr 26, 2024

onedr0p commented Apr 26, 2024

This bot is a bit overeager, the issue is still very much relevant.

@github-actions github-actions bot removed the stale label Apr 27, 2024
@HearthCore

Indeed, SSO via OIDC is thanks to Authentik and Authelia easily embeddable.

@DDriggs00

One way this could work is using app passwords for Subsonic, like Nextcloud uses for CalDAV when it is using OIDC.

@ForsakenRei

Looking forward to OIDC support with Authentik, too.
