Closed CygnusHyoga closed 1 year ago
Hi,
As far as I know this should already work. Head over to the backend at localhost:8090/_/, then: Settings (wrench on the left) > Auth providers
I've never used OIDC, so I hope this just works :)
Thanks for the reply!! I will test it, and come back to post details :-)
I can configure OpenID Connect (oidc) in the admin panel and in the SSO without a problem, but when I try to log in on the UpSnap login page the oidc provider does not appear.
In the PocketBase docs about OAuth providers, we can make an ALL-IN-ONE integration: https://pocketbase.io/docs/authentication#oauth2-integration
Is it possible to add this in the source code? For example with a provider as a variable to support any provider of PocketBase:
... const authData = await pb.collection('users').authWithOAuth2({ provider: '$customvariable' }); ...
Maybe we can pass the variable as an environment variable in Docker, so we can configure any provider we want (that is supported by PocketBase)? It would be nice to configure the provider with Docker env values too, to make it easy, so we don't have to configure it in the admin panel.
Thanks again! I really like upsnap :-)
The problem with OAuth2 is that anyone can just log in and get access. Anyone can log in with their Google account and have access to the dashboard. I wanted to avoid that, so only authorized users get access, therefore only user/password.
I can still create an environment variable for it, which will change the login form to OAuth2. You should only do this if you are aware of what I just wrote. In the home network this is completely safe, but other people might use this in their company.
I agree with what you say and the security risks, I had not thought about it from that point of view.
Although perhaps it would be convenient to enable it only for OIDC, and not for ALL providers via a variable? OIDC can be private, like any internal SSO (home or corporate).
... const authData = await pb.collection('users').authWithOAuth2({ provider: 'oidc' }); ...
I've added a button below the login form: Login with OIDC. PocketBase only allows OAuth for users, so OIDC is not available for admins.
Make sure to have OIDC setup in http://localhost:8090/_/#/settings/auth-providers and it should work.
I've not tested this since I don't have an OIDC instance to test. @CygnusHyoga let me know if it works for you with the latest beta 3.3.0-beta.2
I've tested the beta. I configured the SSO (authentik) and the PocketBase OIDC provider with the correct SSO URLs. I configured the CA certs of the SSO inside the containers (private self-signed authentik).
I can see the button, the button launches the authentication with the SSO/OIDC in a new window, I can enter the credentials, I can authenticate with the SSO from UpSnap, but after these steps the UpSnap login page gives this error:
400 Failed to authenticate.
And in the logs of PocketBase:
{ "errorDetails": "Failed create rule constraint: Only admins can create new accounts with OAuth2", "errorMessage": "Failed to authenticate." }
Any ideas?
I see what the problem is. PocketBase has API rules to control permissions. The create rule is currently set to admin only, which only allows admins to create new users.
In your case a new user tries to sign up on its own, which fails because he is not allowed to.
Allowing everyone to create new users would result in the problem we had before: everyone can sign up and log in. I've created a discussion to see if it's possible to deny signup via user/password but still allow signup via OAuth2.
Well, he instantly came up with a working solution. I've tried it with Twitch as a provider which worked for me, so OIDC should work as well.
Please try again with 3.3.0-beta.3
I've tested 3.3.0-beta.3 and OIDC works perfect!!!! Thanks!!!
The problem you currently have with this project
When using SSO, for example in my case with traefik forward auth with Authentik (or any other SSO), if we can't disable auth (https://github.com/seriousm4x/UpSnap/issues/60), it would be nice to add another mechanism of authentication.
Describe the solution you'd like
Add OIDC to UpSnap to authenticate easily with an SSO.
Thanks!