Implement (optional) SSO via OIDC (OpenID Connect) (#64)

This implements optional SSO via OIDC for logging in and signing up (for the first admin sign up or if sign up is allowed). The most requested feature! Tested with Authentik and Google! It includes a new `SimpleCache` interface (in-memory, using [`caches`](https://developer.mozilla.org/en-US/docs/Web/API/Window/caches)) for storing the state and code challenges. Closes #13
2025-06-05 18:10:40 +01:00
parent cabc18f15d
commit aa18dcdb4e
14 changed files with 490 additions and 22 deletions
--- a/lib/types.ts
+++ b/lib/types.ts
@@ -163,6 +163,14 @@ export interface Config {
    allowedCookieDomains: string[];
    /** If true, the cookie domain will not be strictly set and checked against. This skipping slightly reduces security, but is usually necessary for reverse proxies like Cloudflare Tunnel. */
    skipCookieDomainSecurity: boolean;
+    /** If true, single sign-on will be enabled */
+    enableSingleSignOn: boolean;
+    /** The Discovery URL (AKA Issuer) of the identity/single sign-on provider */
+    singleSignOnUrl: string;
+    /** The attribute to prefer as email of the identity/single sign-on provider */
+    singleSignOnEmailAttribute: string;
+    /** The scopes to request from the identity/single sign-on provider */
+    singleSignOnScopes: string[];
  };
  files: {
    /** The root-relative root path for files, i.e. "data-files" */