[Feature Request] OAuth authentication

[Steeven9]

The docs mention that you can log in with Jellyfin, but why not take this one step further and allow to register your own OAuth 2.0 provider for SSO?
For example, one might have a local Keycloak instance set up, or want to use their Google account.

[IRHM]

Hey @Steeven9, thanks for opening this issue!

We can definitely look into this at some point, there's quite a bit of other tasks ahead of this, so I'm not sure when I'll be able to look at it. If you or someone else would like to, feel free!

I have never hosted/used my own instance of a oauth/sso provider, hopefully they are all the same so we can just add generic setting that you could use for any service.

[Steeven9]

Thanks for the quick reply! I unfortunately have never implemented an SSO login, only configured a few so far :)

Thankfully OAuth/OIDC is a pretty vastly used and well-documented standard so it shouldn't be too hard to find some libraries/examples to implement it, for example https://authjs.dev

[mgrimace]

I'm jumping in to speak in support of this, specifically for Authentik support. Ideally, to allow reverse proxy authentication by header.

I have setup NPM proxy, with Authentik for authentication sitting before Watcharr and other services. So every time I open Watcharr's webui, NPM redirects it to Authentik for authentication. Authentik can use Plex as an SSO, and would ideally pass on the user and other related proxy authentication headers to Watcharr. If there is already a user with the same username, Watcharr would then automatically login in the user without requiring it's own login screen.

The benefit of this is that I can use secure athentication service, and I wouldn't have to login twice - if that makes sense.

AFAIK Authentik uses the header X-authentik-username, which is how I accomplish this in Calibre-web.