gotify
diff --git a/‎api/oidc.go‎
Lines changed: 149 additions & 0 deletions b/‎api/oidc.go‎
Lines changed: 149 additions & 0 deletions
diff --git a/‎config.example.yml‎
Lines changed: 7 additions & 0 deletions b/‎config.example.yml‎
Lines changed: 7 additions & 0 deletions
diff --git a/‎config/config.go‎
Lines changed: 10 additions & 0 deletions b/‎config/config.go‎
Lines changed: 10 additions & 0 deletions
diff --git a/‎go.mod‎
Lines changed: 21 additions & 6 deletions b/‎go.mod‎
Lines changed: 21 additions & 6 deletions
@@ -0,0 +1,149 @@
+package api
+
+import (
+	"context"
+	"crypto/rand"
+	"encoding/hex"
+	"fmt"
+	"log"
+	"net/http"
+	"strings"
+
+	"github.com/gin-gonic/gin"
+	"github.com/gotify/server/v2/auth"
+	"github.com/gotify/server/v2/config"
+	"github.com/gotify/server/v2/database"
+	"github.com/gotify/server/v2/model"
+	"github.com/zitadel/oidc/v3/pkg/client/rp"
+	httphelper "github.com/zitadel/oidc/v3/pkg/http"
+	"github.com/zitadel/oidc/v3/pkg/oidc"
+)
+
+func NewOIDC(conf *config.Configuration, db *database.GormDatabase, userChangeNotifier *UserChangeNotifier) *OIDCAPI {
+	scopes := conf.OIDC.Scopes
+	if len(scopes) == 0 {
+		scopes = []string{"openid", "profile", "email"}
+	}
+
+	cookieKey := make([]byte, 32)
+	if _, err := rand.Read(cookieKey); err != nil {
+		log.Fatalf("failed to generate OIDC cookie key: %v", err)
+	}
+	cookieHandlerOpt := []httphelper.CookieHandlerOpt{}
+	if !conf.Server.SecureCookie {
+		cookieHandlerOpt = append(cookieHandlerOpt, httphelper.WithUnsecure())
+	}
+	cookieHandler := httphelper.NewCookieHandler(cookieKey, cookieKey, cookieHandlerOpt...)
+
+	opts := []rp.Option{rp.WithCookieHandler(cookieHandler)}
+	if conf.OIDC.Pkce {
+		opts = append(opts, rp.WithPKCE(cookieHandler))
+	}
+
+	provider, err := rp.NewRelyingPartyOIDC(
+		context.Background(),
+		conf.OIDC.Issuer,
+		conf.OIDC.ClientID,
+		conf.OIDC.ClientSecret,
+		conf.OIDC.RedirectURL,
+		scopes,
+		opts...,
+	)
+	if err != nil {
+		log.Fatalf("failed to initialize OIDC provider: %v", err)
+	}
+
+	return &OIDCAPI{
+		DB:                 db,
+		Provider:           provider,
+		UserChangeNotifier: userChangeNotifier,
+		UsernameClaim:      conf.OIDC.UsernameClaim,
+		PasswordStrength:   conf.PassStrength,
+		SecureCookie:       conf.Server.SecureCookie,
+	}
+}
+
+// OIDCAPI provides handlers for OIDC authentication.
+type OIDCAPI struct {
+	DB                 *database.GormDatabase
+	Provider           rp.RelyingParty
+	UserChangeNotifier *UserChangeNotifier
+	UsernameClaim      string
+	PasswordStrength   int
+	SecureCookie       bool
+}
+
+// LoginHandler redirects the user to the OIDC provider's authorization endpoint.
+func (a *OIDCAPI) LoginHandler() gin.HandlerFunc {
+	return gin.WrapF(func(w http.ResponseWriter, r *http.Request) {
+		clientName := r.URL.Query().Get("name")
+		if clientName == "" {
+			http.Error(w, "invalid client name", http.StatusBadRequest)
+			return
+		}
+		nonce := make([]byte, 20)
+		if _, err := rand.Read(nonce); err != nil {
+			http.Error(w, "failed to generate state nonce", http.StatusInternalServerError)
+			return
+		}
+		state := clientName + ":" + hex.EncodeToString(nonce)
+		stateFunc := func() string { return state }
+		rp.AuthURLHandler(stateFunc, a.Provider)(w, r)
+	})
+}
+
+// CallbackHandler handles the OIDC provider callback after authentication.
+func (a *OIDCAPI) CallbackHandler() gin.HandlerFunc {
+	callback := func(w http.ResponseWriter, r *http.Request, tokens *oidc.Tokens[*oidc.IDTokenClaims], state string, provider rp.RelyingParty, info *oidc.UserInfo) {
+		usernameRaw, ok := info.Claims[a.UsernameClaim]
+		if !ok {
+			http.Error(w, fmt.Sprintf("username claim %q is missing", a.UsernameClaim), http.StatusInternalServerError)
+			return
+		}
+
+		username := fmt.Sprint(usernameRaw)
+		if username == "" || usernameRaw == nil {
+			http.Error(w, "Username claim was empty", http.StatusInternalServerError)
+			return
+		}
+
+		user, err := a.DB.GetUserByName(username)
+		if err != nil {
+			http.Error(w, "database error", http.StatusInternalServerError)
+			return
+		}
+
+		if user == nil {
+			user = &model.User{Name: username, Admin: false, Pass: nil}
+			if err := a.DB.CreateUser(user); err != nil {
+				http.Error(w, "failed to create user", http.StatusInternalServerError)
+				return
+			}
+			if err := a.UserChangeNotifier.fireUserAdded(user.ID); err != nil {
+				log.Println("Could not notify user change")
+				// Don't abort here, it's likely some plugin misbehaving.
+			}
+		}
+
+		token := auth.GenerateNotExistingToken(generateClientToken, func(token string) bool {
+			client, _ := a.DB.GetClientByToken(token)
+			return client != nil
+		})
+
+		clientName, _, _ := strings.Cut(state, ":")
+		client := &model.Client{
+			Name:   clientName,
+			Token:  token,
+			UserID: user.ID,
+		}
+		if err := a.DB.CreateClient(client); err != nil {
+			http.Error(w, "failed to create client", http.StatusInternalServerError)
+			return
+		}
+
+		auth.SetCookie(w, token, auth.CookieMaxAge, a.SecureCookie)
+		http.Redirect(w, r, "/", http.StatusTemporaryRedirect)
+	}
+
+	return gin.WrapF(rp.CodeExchangeHandler(rp.UserinfoCallback(callback), a.Provider))
+}
@@ -48,6 +48,13 @@ server:
     allowedorigins: # allowed origins for websocket connections (same origin is always allowed)
 #      - ".+.example.com"
 #      - "otherdomain.com"
+oidc:
+  enabled: false # Enable OpenID Connect login, allowing users to authenticate via an external identity provider (e.g. Keycloak, Authelia, Google).
+  issuer: # The OIDC issuer URL. This is the base URL of your identity provider, used to discover endpoints. Example: "https://auth.example.com/realms/myrealm"
+  clientid: # The client ID registered with your identity provider for this application.
+  clientsecret: # The client secret for the registered client. May be omitted if using a public client with PKCE.
+  redirecturl: http://gotify.example.org/auth/oidc/callback # The callback URL that the identity provider redirects to after authentication. Must match exactly what is configured in your identity provider.
+  pkce: true # If PKCE should be used. https://oauth.net/2/pkce/
 
 database: # for database see (configure database section)
   dialect: sqlite3
 
@@ -56,6 +56,16 @@ type Configuration struct {
 	UploadedImagesDir string `default:"data/images"`
 	PluginsDir        string `default:"data/plugins"`
 	Registration      bool   `default:"false"`
+	OIDC              struct {
+		Enabled       bool   `default:"false"`
+		Issuer        string `default:""`
+		ClientID      string `default:""`
+		ClientSecret  string `default:""`
+		UsernameClaim string `default:"preferred_username"`
+		RedirectURL   string `default:""`
+		Pkce          bool   `default:"true"`
+		Scopes        []string
+	}
 }
 
 func configFiles() []string {
 
@@ -14,6 +14,7 @@ require (
 	github.com/mattn/go-isatty v0.0.20
 	github.com/robfig/cron v1.2.0
 	github.com/stretchr/testify v1.11.1
+	github.com/zitadel/oidc/v3 v3.45.5
 	golang.org/x/crypto v0.47.0
 	gopkg.in/yaml.v3 v3.0.1
 	gorm.io/driver/mysql v1.6.0
@@ -28,15 +29,21 @@ require (
 	github.com/bytedance/gopkg v0.1.3 // indirect
 	github.com/bytedance/sonic v1.14.1 // indirect
 	github.com/bytedance/sonic/loader v0.3.0 // indirect
+	github.com/cespare/xxhash/v2 v2.3.0 // indirect
 	github.com/cloudwego/base64x v0.1.6 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/gabriel-vasile/mimetype v1.4.12 // indirect
 	github.com/gin-contrib/sse v1.1.0 // indirect
+	github.com/go-jose/go-jose/v4 v4.0.5 // indirect
+	github.com/go-logr/logr v1.4.3 // indirect
+	github.com/go-logr/stdr v1.2.2 // indirect
 	github.com/go-playground/locales v0.14.1 // indirect
 	github.com/go-playground/universal-translator v0.18.1 // indirect
 	github.com/go-sql-driver/mysql v1.9.3 // indirect
 	github.com/goccy/go-json v0.10.5 // indirect
 	github.com/goccy/go-yaml v1.18.0 // indirect
+	github.com/google/uuid v1.6.0 // indirect
+	github.com/gorilla/securecookie v1.1.2 // indirect
 	github.com/jackc/pgpassfile v1.0.0 // indirect
 	github.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761 // indirect
 	github.com/jackc/pgx/v5 v5.7.6 // indirect
@@ -45,27 +52,35 @@ require (
 	github.com/jinzhu/now v1.1.5 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
 	github.com/klauspost/cpuid/v2 v2.3.0 // indirect
-	github.com/kr/text v0.2.0 // indirect
 	github.com/leodido/go-urn v1.4.0 // indirect
 	github.com/mattn/go-sqlite3 v1.14.32 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.2 // indirect
+	github.com/muhlemmer/gu v0.3.1 // indirect
 	github.com/pelletier/go-toml/v2 v2.2.4 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
 	github.com/quic-go/qpack v0.5.1 // indirect
 	github.com/quic-go/quic-go v0.55.0 // indirect
+	github.com/sirupsen/logrus v1.9.4 // indirect
 	github.com/twitchyliquid64/golang-asm v0.15.1 // indirect
 	github.com/ugorji/go/codec v1.3.0 // indirect
+	github.com/zitadel/logging v0.7.0 // indirect
+	github.com/zitadel/schema v1.3.2 // indirect
+	go.opentelemetry.io/auto/sdk v1.2.1 // indirect
+	go.opentelemetry.io/otel v1.40.0 // indirect
+	go.opentelemetry.io/otel/metric v1.40.0 // indirect
+	go.opentelemetry.io/otel/trace v1.40.0 // indirect
 	golang.org/x/arch v0.22.0 // indirect
-	golang.org/x/mod v0.31.0 // indirect
-	golang.org/x/net v0.48.0 // indirect
+	golang.org/x/mod v0.32.0 // indirect
+	golang.org/x/net v0.49.0 // indirect
+	golang.org/x/oauth2 v0.35.0 // indirect
 	golang.org/x/sync v0.19.0 // indirect
 	golang.org/x/sys v0.40.0 // indirect
-	golang.org/x/text v0.33.0 // indirect
-	golang.org/x/tools v0.40.0 // indirect
+	golang.org/x/text v0.34.0 // indirect
+	golang.org/x/tools v0.41.0 // indirect
 	google.golang.org/protobuf v1.36.10 // indirect
 )
 
-go 1.24.0
+go 1.24.10
 
 toolchain go1.26.0