navidrome / navidrome

🎧☁️ Modern Music Server and Streamer compatible with Subsonic/Airsonic
https://www.navidrome.org
GNU General Public License v3.0

[feature req] add OIDC authentication + roles #858

Open andrewzah opened 3 years ago

andrewzah commented 3 years ago

https://swagger.io/docs/specification/authentication/openid-connect-discovery/

This would allow things like SSO through an external service like Keycloak, which generates .well-known automatically. A generic OIDC authenticator is preferable to service-specific logins like Google, Facebook, etc.

One way to do this would be to have multiple Authenticators, like an OIDCAuthenticator and a LocalAuthenticator, which is the current behavior. Having an option to disable the LocalAuthenticator entirely and only populate users through the OIDCAuthenticator would be preferable.

For admins: One solution is either the access token or the auth token could have a roles object, which would look for a role named admin.

deluan commented 3 years ago

Thanks! Multiple authentication backends will be implemented at some point, but the priority now is to decide how to work around the Subsonic API limitations regarding authentication: https://github.com/navidrome/navidrome/issues/202#issuecomment-797640193.

github-actions[bot] commented 1 year ago

This issue has been automatically marked as stale because it has not had recent activity. The resources of the Navidrome team are limited, and so we are asking for your help. If this is a bug and you can still reproduce this error on the master branch, please reply with all of the information you have about it in order to keep the issue open. If this is a feature request, and you feel that it is still relevant and valuable, please tell us why. This issue will automatically be closed in the near future if no further activity occurs. Thank you for all your contributions.

largelyinept commented 1 year ago

Bumping this as something I'm still keen to see in Navidrome. Understand this is waiting for the revisions to the API, but very much looking forward to this.

github-actions[bot] commented 10 months ago

This issue has been automatically marked as stale because it has not had recent activity. The resources of the Navidrome team are limited, and so we are asking for your help. If this is a bug and you can still reproduce this error on the master branch, please reply with all of the information you have about it in order to keep the issue open. If this is a feature request, and you feel that it is still relevant and valuable, please tell us why. This issue will automatically be closed in the near future if no further activity occurs. Thank you for all your contributions.

Mihara commented 10 months ago

This bot is a bit overeager, the issue is still very much relevant.

phw commented 8 months ago

Thanks! Multiple authentication backends will be implemented at some point, but the priority now is to decide how to work around the Subsonic API limitations regarding authentication: #202 (comment).

One way to handle this would be to provide separate Subsonic authentication passwords. A password could be autogenerated when a user gets created. While this password would be stored in the database, it would only be used for Subsonic authentication and would not allow logging into the UI or accessing anything not supported by Subsonic.

The main user password could then be properly hashed.

This does not fully eliminate all risks, but it limits the impact of the password, especially for admin accounts, but also for normal accounts.
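As an added illustration of the two ideas in this thread (the separate, autogenerated Subsonic-only password proposed above, and the "roles contains admin" rule from the original request), not code from Navidrome itself: the `User` layout, the token format `md5(password + salt)` used by Subsonic clients, and the `roles` claim shape are assumptions made for the example.

```go
package main

import (
	"crypto/md5"
	"crypto/rand"
	"crypto/subtle"
	"encoding/hex"
)

// Hypothetical user record: the UI/OIDC identity is kept apart from a
// per-user Subsonic app password, which the web UI login never accepts.
type User struct {
	Name             string
	SubsonicPassword string // random, generated at user creation
}

// NewSubsonicPassword returns a random 32-hex-character app password.
func NewSubsonicPassword() (string, error) {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return hex.EncodeToString(b), nil
}

// SubsonicToken is what a Subsonic client sends as t=: md5(password + salt).
func SubsonicToken(password, salt string) string {
	sum := md5.Sum([]byte(password + salt))
	return hex.EncodeToString(sum[:])
}

// CheckSubsonicAuth verifies t= and s= against the app password only, in constant time.
func CheckSubsonicAuth(u *User, token, salt string) bool {
	if u == nil || u.SubsonicPassword == "" || salt == "" {
		return false
	}
	want := SubsonicToken(u.SubsonicPassword, salt)
	return subtle.ConstantTimeCompare([]byte(want), []byte(token)) == 1
}

// IsAdminFromClaims: admin iff the OIDC token's "roles" array contains "admin".
func IsAdminFromClaims(claims map[string]any) bool {
	roles, _ := claims["roles"].([]any)
	for _, r := range roles {
		if s, ok := r.(string); ok && s == "admin" {
			return true
		}
	}
	return false
}
```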

andrewzah commented 8 months ago

Agreed, generating a random token for subsonic auth seems like a reasonable way to address this.

github-actions[bot] commented 2 months ago

This issue has been automatically marked as stale because it has not had recent activity. The resources of the Navidrome team are limited, and so we are asking for your help. If this is a bug and you can still reproduce this error on the master branch, please reply with all of the information you have about it in order to keep the issue open. If this is a feature request, and you feel that it is still relevant and valuable, please tell us why. This issue will automatically be closed in the near future if no further activity occurs. Thank you for all your contributions.

onedr0p commented 2 months ago

This bot is a bit overeager, the issue is still very much relevant.

HearthCore commented 1 week ago

Indeed, thanks to Authentik and Authelia, SSO via OIDC is easily embeddable.

DDriggs00 commented 6 days ago

One way this could work is using app passwords for Subsonic, like Nextcloud uses for CalDAV when it is using OIDC.