LeoKlaus / Paperparrot

A native Swift app to manage all your documents. Fully compatible with Paperless-ngx
https://paperparrot.me
107 stars 0 forks

[Feature Request] Support for SSO #177

Open solarssk opened 8 months ago

solarssk commented 8 months ago

Describe the bug: The application does not allow you to log in to the Paperless server using the Authentik single sign-on system.

To Reproduce: Steps to reproduce the behavior:

  1. Open application
  2. Enter the Paperless https server address
  3. In place of login and password, enter any value
  4. You will receive a login error message

Expected behavior

  1. Entering the address to the Paperless server
  2. The application detects whether the login occurs with local users or whether it is a login from the SSO system
  3. In the case of detection of a single sign-on system, deactivates the password and login entry fields - in this place appears the key "Login via SSO"
  4. Opens an additional window to log in with our identity provider - in this case Authentik,
  5. After successful login, the window closes - and the application allows you to move on to full use.

Environment (please complete the following information):

Additional context: Is there any possibility or opportunity to change this issue to a feature so that there is a possibility to use it together with SSO?

LeoKlaus commented 8 months ago

Hey Filip, thanks for reaching out.

Can you add some detail to how authentication works in your case? AFAIK, there's no official support for SSO with Paperless, so there's not the "one" way in which SSO would work.

Different users will have different setups, even using different proxies, so I don't think there's a way to reliably determine the SSO configuration. A button "Log in with identity provider" is probably not going to work.

Paperparrot already offers to add additional headers with each request. You might be able to use these to authenticate with your proxy.

solarssk commented 8 months ago

Hey Leo - thanks for the quick response! In my configuration the situation is as follows:

I guess that there are many services on the market - the question is whether we are able to adapt in some simple way to the existence of such a way of logging, without the need for various additional headers.

I noticed, of course, a rather interesting problem when discussing contributors to the implementation of OAuth2 - and currently the lack of support for it.

JimTim commented 8 months ago

I am using OAuth2-proxy instead of Authentik in my setup, in front of paperless-ngx. At this point, Paperparrot no longer works with it.

I found the app Less Paper in the App Store and it seems to at least get the redirect to Google and then display an additional web window where the OAuth2 proxy flow is displayed.

Unfortunately, I haven't gotten any further yet, as my configuration of the OAuth2 proxy is still fresh and Google doesn't yet know my redirect uri.

However, I would then assume that the session cookie, which oauth2-proxy would also store in the browser, would be made known to the app and thus the Oauth2-proxy would be skipped and normal authentication with Paperless would work.

I can send you a corresponding screencast by e-mail.

The feature is also important for me because I want to connect Paperparrot to a publicly accessible Paperless instance. However, this should at least be secured via 2FA. Paperless does not offer this function, so I always use OAuth2-proxy for this. And the previous speaker certainly has the same motivation and therefore uses Authentik.

JimTim commented 8 months ago

Hey Leo, I have sent you a screencast with a working login in "Less Paper". I assume now the web session cookie is stored internally in the application and the "normal" Paperless authentication workflow is working. This would be a great improvement aka feature request and I would heavily vote for it :-)

LeoKlaus commented 8 months ago

I totally get why this is important, but I don't know how to implement this.

Different auth proxies will behave very differently in regards to authentication. Using cookies for auth is very tricky, as those usually are rather short-lived compared to something like an auth token. Having to re-authenticate every other day would make for a terrible user experience.

You should be able to access an instance behind Authentik and other proxies by authenticating with them via headers. I can't help you with this though.

@JimTim where did you send the screencast?

JimTim commented 8 months ago

Nevermind, I have now sent you the screencast to contact@paperparrot.me. Please use this video privately :-)

LeoKlaus commented 8 months ago

> Nevermind, I have now sent you the screencast to contact@paperparrot.me. Please use this video privately :-)

Thanks, I've already deleted the mail ;)

I'll see what I can do. Might take a while though, I'm due for exams in the next couple of weeks.

JimTim commented 8 months ago

Maybe you could reach out to the developer behind Less Paper. I have found a discussion which references Less Paper and its developer https://github.com/paperless-ngx/paperless-ngx/discussions/4553

FYI: https://github.com/paperless-ngx/paperless-ngx/discussions/4553#discussioncomment-7664966

JimTim commented 8 months ago

These are my cookies after login. I will test Less Paper after 17.01.2024 and will inform you, if I have to login again.

koseduhemak commented 7 months ago

Would also highly appreciate SSO capabilities / support for forward-auth :).

solarssk commented 7 months ago

Hello

I noticed that for the upcoming release there is an implementation of single sign-on OIDC - so will it be possible to count on (after the documentation is published and implemented for use) to adapt this in the application?

https://github.com/paperless-ngx/paperless-ngx/pull/5190

LeoKlaus commented 7 months ago

> Hello
>
> I noticed that for the upcoming release there is an implementation of single sign-on OIDC - so will it be possible to count on (after the documentation is published and implemented for use) to adapt this in the application?
>
> paperless-ngx/paperless-ngx#5190

Looks great. I can't promise anything but something that's properly integrated with Paperless is definitely a lot easier to work with than the multitude of possible configurations with 3rd party auth.

solarssk commented 7 months ago

If all goes well, for my part I can assure you of creating a tutorial for my blog on how to configure paperless to work with your application. :)

Rustymage commented 7 months ago

The commit has been merged into the dev branch - https://github.com/paperless-ngx/paperless-ngx/commit/c508be6ecd417863b87662fa664952e97487e41c

koseduhemak commented 6 months ago

It was officially released with 2.5.0: https://github.com/paperless-ngx/paperless-ngx/releases/tag/v2.5.0 would be really nice, if Paperparrot would also support OIDC :)

LeoKlaus commented 6 months ago

> It was officially released with 2.5.0: https://github.com/paperless-ngx/paperless-ngx/releases/tag/v2.5.0 would be really nice, if Paperparrot would also support OIDC :)

I've set this up on my test instance and am seeing what I can do. I've never implemented OIDC before and it is a rather complex process. Paperparrot currently uses individual URLSessions for different requests, which will probably cause issues with the cookies needed to authenticate. This will probably require quite extensive changes to the api handling component of Paperparrot to work even if I get authentication working. For now, it's not my highest priority as token auth with the API still works, even if you disabled the regular login.

teambvd commented 5 months ago

@LeoKlaus Firstly, I just want to say thank you for your work! I understand this is a project you've invested yourself in, and your passion shows.

Understanding this surely isn't the only demand on your time (not to mention, you owe us nothing and have already freely given us all an app which makes our lives simpler while asking nothing in return!), I just wanted to share my .02 as far as justification for this RFE, if at any point you find you've both the time and inclination to dig in to it any further:

I don't want to attempt to speak too broadly for others, but for myself at least, the more time I'd invested in self hosting, the more time I spent evangelizing to my family (well, offering... in the event they were struggling with commercial options or had privacy concerns over xyz, etc)

And as this all grew, it pretty quickly became apparent that at least some kind of centralized account management was a necessity. My wife and I both use all our local services, my parents and in-laws are both on the media server and use our bitwarden instance, nephews have their game server they play with, and so on... And after showing them how easy it was for me to collect my tax paperwork this year, now my parents have bit the bullet and bought a dedicated scanner to start feeding Paperless as well.

I use Authentik, but nearly all (maybe "actually all", but that seems over-broad lol) SSO providers support OIDC, so implementing support for it would make this app compatible with a myriad of auth providers. Of course there's the additional benefit of fully supporting current deployments, regardless of config - as long as the server supports (x), so does PaperParrot 🥳

Regardless of if/when you decide to take this on, you've already built a stellar application, one that anyone would be proud to show in their portfolio. Hope the exams went well!!

Drikani commented 4 months ago

Hey @LeoKlaus as you also implemented OIDC Login on your other application Plappa would it be possible to port this feature over to paperparrot? It should work exactly the same as there you also have OIDC integration working.

LeoKlaus commented 4 months ago

> Hey @LeoKlaus as you also implemented OIDC Login on your other application Plappa would it be possible to port this feature over to paperparrot? It should work exactly the same as there you also have OIDC integration working.

It doesn't. I've tried. As far as I can tell, the OIDC login in Paperless is not documented beyond setup, and just calling the login URL to initiate the OIDC process never returns the callback (that is ignoring that every single OIDC provider has its own subpath in Paperless, GitHub for example is /accounts/github/login/ and there's no obvious way to check which providers are enabled for an instance), I just get redirected to a page "An error occurred while attempting to login..."

I'm assuming that the OIDC implementation in Paperless only allows for callbacks to the instance URL, but I haven't checked that yet.

If you find any documentation on the OIDC process in Paperless, I'd happily try my hand.

Drikani commented 4 months ago

I did search for a while but did not find anything useful... There is a similar issue on the paperless-mobile repo but I do not know if this does help in any way? https://github.com/astubenbord/paperless-mobile/issues/374

As paperless runs on django in the backend I also found this issue, maybe that could be a hint for you to find out how this system works? https://github.com/pennersr/django-allauth/pull/3165

joestump commented 4 months ago

For anyone using the proxy provider in Authentik you can get this working by configuring "Unauthenticated Paths" in Authentik to allow /api/.* through the proxy:


You can then authenticate to Paperless with Paperparrot using the password for the user. You can set the password by logging into the web UI via SSO and setting a password in "My Profile" (upper right menu).

LeoKlaus commented 4 months ago

Thank you for the suggestion @joestump!

This should work for all proxy providers, Paperparrot exclusively queries the /api/ path.
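The workaround above (let the proxy pass `/api/` through unauthenticated, then log in with the user's Paperless password) is easy to get half-right: if the unauthenticated-path rule does not match, the proxy answers the API calls with a redirect to the identity provider, and if Paperless itself is not enforcing authentication, the API is now open to the internet. The script below is an added example, not code from Paperparrot, Paperless-ngx or Authentik. It probes `/api/documents/` without credentials and classifies who answered, then obtains a token from Paperless-ngx's documented `POST /api/token/` endpoint and uses it with the `Authorization: Token ...` header that Paperparrot's token auth relies on. `BASE_URL`, `USERNAME` and `PASSWORD` are placeholders, and the constructed replies in the tests stand in for real proxy and Paperless responses.

```python
"""Verify that an auth proxy passes /api/ through to Paperless-ngx's own auth.

Added example, not Paperparrot, Paperless-ngx or Authentik code. Assumes the
documented Paperless-ngx token endpoint POST /api/token/ and the
"Authorization: Token <token>" header. BASE_URL, USERNAME and PASSWORD are
placeholders to replace with your own instance and a dedicated user.
"""
import json
import urllib.error
import urllib.parse
import urllib.request
from dataclasses import dataclass, field

BASE_URL = "https://paperless.example.invalid"  # placeholder, no trailing slash
USERNAME = "paperparrot"                         # placeholder
PASSWORD = "change-me"                           # placeholder


@dataclass
class Reply:
    """Status, lower-cased headers and body of one HTTP reply."""
    status: int
    headers: dict = field(default_factory=dict)
    body: bytes = b""


def classify(reply: Reply) -> str:
    """Decide who answered an unauthenticated GET /api/documents/.

    'proxy'     - the auth proxy intercepted (redirect to the IdP or an HTML
                  login page): the unauthenticated-path rule is not matching.
    'paperless' - Paperless itself refused with a 401/403: the proxy passed the
                  request through, which is what the workaround needs.
    'open'      - 200 without any credentials: neither layer enforced auth,
                  a misconfiguration to fix before exposing the instance.
    """
    ctype = reply.headers.get("content-type", "").lower()
    if reply.status in (301, 302, 303, 307, 308):
        return "proxy"
    if "text/html" in ctype:
        return "proxy"
    if reply.status in (401, 403):
        return "paperless"
    if reply.status == 200:
        return "open"
    return "unknown"


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface redirects as replies so an IdP bounce is visible, not followed."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def _send(req: urllib.request.Request) -> Reply:
    """Perform one request; non-2xx replies are returned instead of raised."""
    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(req, timeout=10) as resp:
            return Reply(resp.status, {k.lower(): v for k, v in resp.headers.items()}, resp.read())
    except urllib.error.HTTPError as err:
        return Reply(err.code, {k.lower(): v for k, v in err.headers.items()}, err.read())


def parse_token(body: bytes) -> str:
    """Extract the token from a /api/token/ reply body; raise if it is missing."""
    data = json.loads(body)
    token = data.get("token")
    if not token:
        raise ValueError(f"no token in reply: {data!r}")
    return token


def check_passthrough(base_url: str) -> str:
    """Probe the API with no credentials and report who answered."""
    req = urllib.request.Request(f"{base_url}/api/documents/",
                                 headers={"Accept": "application/json"})
    return classify(_send(req))


def obtain_token(base_url: str, username: str, password: str) -> str:
    """Exchange the Paperless username/password for an API token."""
    form = urllib.parse.urlencode({"username": username, "password": password}).encode()
    req = urllib.request.Request(
        f"{base_url}/api/token/", data=form, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded",
                 "Accept": "application/json"})
    reply = _send(req)
    if reply.status != 200:
        raise RuntimeError(f"token request answered by {classify(reply)} with HTTP {reply.status}")
    return parse_token(reply.body)


if __name__ == "__main__":
    print("unauthenticated /api/documents/ answered by:", check_passthrough(BASE_URL))
    token = obtain_token(BASE_URL, USERNAME, PASSWORD)
    req = urllib.request.Request(f"{BASE_URL}/api/documents/?page_size=1",
                                 headers={"Authorization": f"Token {token}",
                                          "Accept": "application/json"})
    print("with token: HTTP", _send(req).status)
```

Run it against the instance after changing the proxy rule: the first line should say `paperless`, the last should be `HTTP 200`. Keep in mind what the rule trades away: requests under `/api/` no longer pass through the identity provider, so the second factor JimTim wanted does not apply to them and the API is protected only by the Paperless password or token. Use a dedicated Paperless user with a strong password for the app, and do not pass through anything broader than `/api/`.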

cazzoo commented 3 months ago

Looking as well on this feature. I need to create a secondary user just for application