Skip to content

[Feature] Add SSO login via OIDC (Authentik)#2801

Open
MrHDOLEK wants to merge 2 commits into
alexjustesen:2.xfrom
MrHDOLEK:sso
Open

[Feature] Add SSO login via OIDC (Authentik)#2801
MrHDOLEK wants to merge 2 commits into
alexjustesen:2.xfrom
MrHDOLEK:sso

Conversation

@MrHDOLEK

@MrHDOLEK MrHDOLEK commented May 31, 2026

Copy link
Copy Markdown

📃 Description

Adds optional Single Sign-On (OpenID Connect) to the admin panel, built on Laravel Socialite + SocialiteProviders. The first bundled provider is Authentik, but the implementation is
provider-agnostic: providers are declared in config/sso.php (driver, label, icon, scopes, token endpoint), so additional OIDC providers can be added without touching the auth flow.

Everything is configurable from the UI through a new admin-only Settings → Single Sign-On page — no redeploy required. When enabled, a “Sign in with …” button appears under the
login form; password login stays available as a fallback. Settings can optionally be overridden via environment variables for image/compose-based deployments.

Key capabilities:

  • UI configuration: provider, base URL, client ID, client secret (stored encrypted), scopes, custom button label, and a read-only redirect URI to register in the IdP, plus a Test
    connection button (validates reachability + client credentials against the provider token endpoint).
  • User provisioning: optional just-in-time account creation on first login, and optional linking of an SSO identity to an existing local account when the provider reports a
    verified, matching email.
  • Role mapping: derive the application role from IdP group membership (configurable groups claim + admin groups), with a default role fallback.
  • Schema: users.sso_provider + users.sso_id columns with a unique index.

Tested with Authentik. Closes #1530.

🪵 Changelog

➕ Added

  • Single Sign-On (OpenID Connect) login for the admin panel via Laravel Socialite, with a provider-agnostic config layer (config/sso.php) — Authentik provider included.
  • New admin-only Settings → Single Sign-On page: enable toggle, connection settings (provider, base URL, client ID/secret, scopes, button label, redirect URI), and a Test connection
    action.
  • “Sign in with <provider>” button injected after the login form (password login remains available).
  • User provisioning: auto-create users on first SSO login, and opt-in linking to an existing account by verified email.
  • Role mapping from IdP groups (configurable groups claim + admin groups) and a configurable default role.
  • Environment-variable overrides: SSO_ENABLED, SSO_PROVIDER, SSO_CLIENT_ID, SSO_CLIENT_SECRET, SSO_BASE_URL, SSO_SCOPES.
  • sso_provider / sso_id columns on users (unique index); encrypted client secret via spatie/laravel-settings.
  • Feature tests: SSO routes, callback/provisioning flow, and settings page.
  • Dependencies: laravel/socialite, socialiteproviders/authentik.

✏️ Changed

  • User model: added sso_provider and sso_id to fillable attributes.
  • Filament login screen renders SSO provider buttons via the AUTH_LOGIN_FORM_AFTER render hook.

📷 Screenshots

If this PR has any UI/UX changes it's strongly suggested you add screenshots here.

image Zrzut ekranu 2026-06-2 o 13 25 16 Zrzut ekranu 2026-06-2 o 13 25 28

@MrHDOLEK MrHDOLEK requested a review from alexjustesen as a code owner May 31, 2026 23:23
@PyGuy-Programming

Copy link
Copy Markdown

when is it comming? i need it!!

@PyGuy-Programming

Copy link
Copy Markdown

@alexjustesen please merge, i need sso!!

@smazurov

Copy link
Copy Markdown

any thoughts on merging this, @alexjustesen?

@MrHDOLEK

Copy link
Copy Markdown
Author

@alexjustesen please merge, i need sso!!

Please check this project because i have same problems and i needed the same . https://github.com/MrHDOLEK/NetPulse

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants