Support OAuth/OpenID Connect Login

[skuzzle]

Hi,

it would be great if paperless-ng supported being an OAuth client so I can connect it to my authorization server.

I tried to achieve OAuth login using traefik-forward-auth but that requires paperless to inspect the X-Forwarded-User header. This seems to be closely related to the already supported HTTP_REMOTE_USER option but seems to require some manual coding in order to inspect HTTP headers, as described in the Django documentation

[jonaswinkler]

Isn't that really just what's already in paperless with PAPERLESS_ENABLE_HTTP_REMOTE_USER, but with a different header?

I don't know mutch about Oauth, so I really can't provide any input here. There's also this warning in the documentation to consider.

[skuzzle]

That looks promising, thanks for the suggestion. I'm not particularly happy though to connect my personal traefik to another cloud service (Traefik Pilot seems to be mandatory here) in order to use the plugin. But if no other solution comes up I will have to give it a shot any way.

[TheFehr]

Yeah that is the only reason so far keeping me from experimenting with some of the plugins that are out there. Just thought I'd throw that link here for anyone who stumbles upon this discussion.

[shamoon]

Traefik header transformation is definitely overdue, would solve so many of these (issue has been open since 2019 🧐 traefik/traefik#6047 )

FWIW I use Authelia and implemented header auth for that and it wasn’t so bad, did you already look at #260 ?

[skuzzle]

The PR looks pretty simple and straight forward. Seems like allowing a configurable custom header name here is a no-brainer, at least for someone who knows python. I don't, but I'd be willing to take care of that feature unless one of you profis wants to jump in to safe the world :)

[skuzzle]

FYI: I've actually started a PR for this here.

[dkowis]

There's also actual openid-connect, and using actual oauth2 with JWTs to talk to the API. This can also be done natively in angular using something like: https://www.npmjs.com/package/angular-auth-oidc-client where you authenticate directly against an openID connect service, and then the JWT is passed to the backend.

I've done stuff like this professionally, but maybe it's more complicated than simple header things. I run a keycloak in my homelab, and so it'd be awesome to take advantage of openid-connect.

[telvgehc]

Update on this?

[scooper4711]

I too would like this feature. I'm running paperless on my Synology, which can be configured with SSO Server. I'd like to have paperless secured with 2FA (also with Synology) since I keep sensitive documents on it.

[mwllgr]

If you came from Google, paperless-ngx is working on OIDC support right now: paperless-ngx/paperless-ngx#1746

[dkowis]

Today I learned about paperless-ngx! Thanks!