Feature: Support OAuth2/OpenID for User Management #144
Comments
I would also love this feature.
I looked at Arctic, but since Lucia is deprecated and I plan to remove it in the future, I was looking at openid-client. It has full support for OIDC, which I prefer since it's simpler for users to set up, I think.
I see, OIDC sounds like a good way forward.
An easy way of adding authentication with Authentik is to do something similar to Filebrowser. It would be easy to set up so name, username and email are read from headers.
This is developed in #180
This is now implemented and can easily be used with Authentik. @LIRIKKER You will need to add these environment variables to the Docker container.
In Authentik, configure Wishlist as a proxy provider type.
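An added example, not Wishlist's own code, of the check a header-auth setup like the one in this thread depends on: identity headers are accepted only on requests that arrive from the reverse proxy. The header names, the proxy addresses and the function `resolveHeaderUser` are assumptions made for illustration.

```javascript
// Added example; names and values below are assumptions, not Wishlist's code.
// Constructed values: the reverse proxy's addresses as the app sees them.
const TRUSTED_PROXIES = new Set(['172.18.0.2', 'fd00:10::2']);

// Assumed header names; use whatever your proxy is configured to send.
const HEADER = {
  username: 'x-authentik-username',
  email: 'x-authentik-email',
  name: 'x-authentik-name',
};

// Accept exactly one printable value per header. Node delivers header names
// lowercased; a non-string value means the header is missing or malformed.
function single(headers, key) {
  const v = headers[key];
  if (typeof v !== 'string') return null;
  const t = v.trim();
  return t.length > 0 && t.length <= 254 && !/[\u0000-\u001f\u007f]/.test(t) ? t : null;
}

// Returns { ok: true, user } or { ok: false, reason }.
function resolveHeaderUser(remoteAddress, headers) {
  // Dual-stack sockets report IPv4 peers as ::ffff:a.b.c.d
  const addr = String(remoteAddress || '').replace(/^::ffff:(?=\d+\.)/i, '');
  if (!TRUSTED_PROXIES.has(addr)) {
    // The headers are ignored entirely unless the proxy itself sent them.
    return { ok: false, reason: 'untrusted-source' };
  }
  const username = single(headers, HEADER.username);
  const email = single(headers, HEADER.email);
  // Repeated headers are often joined with ", "; both patterns reject that.
  if (!username || !/^[\w.@-]{1,64}$/.test(username)) {
    return { ok: false, reason: 'bad-username' };
  }
  if (!email || !/^[^\s@,]+@[^\s@,]+$/.test(email)) {
    return { ok: false, reason: 'bad-email' };
  }
  const name = single(headers, HEADER.name) || username;
  return { ok: true, user: { username, email, name } };
}
```

Pass the socket's peer address as `remoteAddress`, not a forwarded-for header, since that header is also client-controlled unless the proxy overwrites it.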
Thanks @albinmedoc. I am going to leave this open as I do still want to add support for OAuth login via OpenID Connect. It's a bit different from the header auth, since users aren't automatically logged in and will still have an option of credentials if they don't have an account with the IdP.
I completely agree. I'm happy to switch to OAuth2 once it's implemented. But I don't feel experienced enough to implement this myself.
@albinmedoc Is this still working? I have set up Authentik and my reverse proxy for forward authentication. However, whenever I log in with Authentik it just forwards me to the login page of the wishlist application. I have the environment variables you mentioned before.
@Ejz9 Can confirm the header auth is still working. I'm using Authentik for my instance. Is yours a fresh install with no users? I did notice I had to create the first initial admin before the header auth worked.
Still working for me
Is your feature request related to a problem? Please describe.
As a user, I would like to avoid managing usernames and passwords and instead use an OpenID provider I've already set up, specifically Authentik. This would reduce complexity and improve security by relying on existing identity providers.
Describe the solution you'd like
I would like user management and authentication to be handled by Authentik using OAuth2 or OpenID Connect (OIDC). Ideally, the integration would allow for the first user to log in via OAuth2 to be automatically assigned the admin role. This should also be compatible with the common OAuth2 authorization flows (Authorization Code, Implicit, etc.).
Describe alternatives you've considered
Traditional username/password management, but this introduces more overhead and security concerns compared to delegating to a trusted identity provider like Authentik. Other OAuth2 providers might be used, but Authentik is the one I've chosen for my setup.
Additional context
No other context.