feat: Add SSO authentication via OAuth2/OIDC with RBAC support#5513
Open
giutrec wants to merge 1 commit into NginxProxyManager:develop from
Conversation
Docker Image for build 1 is available on DockerHub:
Note: Ensure you backup your NPM instance before testing this image! Especially if there are database changes.
Warning: Changes and additions to DNS Providers require verification by at least 2 members of the community!
This PR introduces native support for Single Sign-On (SSO) via OAuth2 / OpenID Connect (OIDC) to Nginx Proxy Manager, allowing users to seamlessly authenticate using external Identity Providers such as Authentik, Keycloak, or Authelia.
Features Included:
- OIDC Authentication Flow: Implemented a secure authorization code flow in the Node.js backend using the standard openid-client library. State and nonce are properly handled using HTTP-only cookies to prevent CSRF attacks.
- Dynamic Frontend UI: The login page dynamically displays a "Sign in with SSO" button if OIDC is configured in the backend environment.
- Auto-Registration & Token Handling: Automatically creates an internal NPM user upon the first successful SSO login. Token parsing and UI state management are seamlessly integrated into the React Router for a frictionless login experience.
- Strict Role-Based Access Control (RBAC): Added support for dynamically mapping OIDC groups/roles to NPM user roles (Admin or Standard User). It strictly blocks access to users not belonging to the configured groups and continuously syncs user permissions upon every login, granting or revoking privileges based on the current Identity Provider state.
Configuration
The feature is entirely opt-in and controlled via environment variables:

```yaml
OIDC_CLIENT_ID: "client_id"
OIDC_CLIENT_SECRET: "client_secret"
OIDC_ISSUER_URL: "https://auth.example.com/application/o/npm/"
OIDC_REDIRECT_URI: "https://npm.example.com/api/sso/callback"
```

Optional RBAC settings:

```yaml
OIDC_GROUPS_CLAIM: "groups" # (default: groups)
OIDC_GROUP_ADMIN: "sysadmins"
OIDC_GROUP_USER: "user"
```
If the RBAC variables are left empty, any authenticated user will be admitted as a Standard User. If configured, users must belong to either the Admin or User group to access the application.