Skip to content

Add support for OIDC authentication #586

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
lava wants to merge 4 commits into
base: master
Choose a base branch
from
Open

Add support for OIDC authentication #586

lava wants to merge 4 commits into from

Conversation

@lava
Copy link

@lava lava commented Jul 12, 2025

Motivation

Passwords are old-school, and many people who are into self-hosting their software already have a centralized identity server for SSO. By offloading authentication to a separate service, we immediately gain support for 2FA, password reset flows, passkey support, identity federation, and whatever else your identity provider of choice offers.

This PR goes a bit beyond the minimal possible OIDC support, but in exchange it gets to a state where all the existing behavior can still be used without disruption when opting for OIDC.

In particular:

  • Allows users to choose between password, oidc and oidc-forward authentication methods. By default, password is selected and the gonic behavior is exactly as it was before this PR.
  • When choosing OIDC authentication, the username is read from the JWT provided by the identity provider, and users are created automatically when they are first seen. A new db field is added to allow users to freely change their name and still be identified as the same user by the sub claim.
  • For new OIDC users a random password is generated and can be revealed in the UI, which can then be used for subsonic api clients. OIDC support for authorizing API access would make sense eventually, but is not part of this PR.
  • The two different flavors oidc and oidc-forward correspond to the two popular choices of deploying OIDC: one is that the app natively supports OIDC and redirects users to the identity provider itself, the other is that something external to the app (like oauth2-proxy) is handling the whole login and just forwards the obtained token which the app then reads. Which one is preferred depends heavily on the other software in use, and in the end they share 95% of the same code, so I just added support for both.
  • The check for admin-ness is a bit half-baked (only works by checking the roles claim in the token), but works for an initial implementation.

AI disclaimer

I'm not a Go developer, so most of the actual code was written by Claude. I did however work professionally on implementing OIDC support for various products, and looked over all the generated code to verify it's correct to the best of my ability.

Benno Evers added 4 commits July 13, 2025 00:33
fix(infra): add data/ to .gitignore
2875093
feat(auth): add support for OIDC authentication
e5b4f23 
Allows users to use an external OIDP identity provider for logging
into the admin interface.

For users logged in via OIDC, a random secure password is generated
and a new option to reveal the password is shown in the web interface
for use with subsonic clients.
feat(adminui): add --domain CLI variable
f23d320
docs: mention OIDC setup in the README
dcee305
@lava lava force-pushed the feature/oidc-authentication branch from 520ab00 to dcee305 Compare July 13, 2025 12:34
@Akruidenberg
Copy link

Akruidenberg commented Sep 6, 2025

Very nice to have!

@sentriz sentriz force-pushed the master branch 5 times, most recently from 7decea6 to 971d22d Compare November 11, 2025 07:01
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

feature

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@lava @Akruidenberg @sentriz