feat(auth): add option to disable built-in login when using OIDC (#1908)

* feat(auth): disable built-in login by config * cleanup config * fix(web): prevent login form flash by waiting for OIDC config * refactor(config): standardize OIDC TOML format - Adds camelCase TOML tags to OIDC config struct while keeping mapstructure tags for backward compatibility - Updates config template to use camelCase format * refactor: kyles changes * refactor: prefix disablebuiltinlogin with oidc * docs: revert format change --------- Co-authored-by: ze0s <43699394+zze0s@users.noreply.github.com>
2025-07-23 00:39:13 +00:00 · 2025-01-26 15:25:34 +01:00 · 2025-01-26 15:25:34 +01:00 · 024371e4eb
commit 024371e4eb
parent 9eff694a5f
7 changed files with 192 additions and 172 deletions
--- a/README.md
+++ b/README.md
@ -317,7 +317,7 @@ If you are not running a reverse proxy change `host` in the `config.toml` to `0.
 The following environment variables can be used:

 | Variable                               | Description                                              | Default                                  |
-|-------------------------------------|--------------------------------------|------------------------------------------|
+| -------------------------------------- | -------------------------------------------------------- | ---------------------------------------- |
 | `AUTOBRR__HOST`                        | Listen address                                           | `127.0.0.1`                              |
 | `AUTOBRR__PORT`                        | Listen port                                              | `7474`                                   |
 | `AUTOBRR__BASE_URL`                    | Base URL for reverse proxy                               | `/`                                      |
@ -341,6 +341,7 @@ The following environment variables can be used:
 | `AUTOBRR__OIDC_CLIENT_ID`              | OIDC client ID                                           | -                                        |
 | `AUTOBRR__OIDC_CLIENT_SECRET`          | OIDC client secret                                       | -                                        |
 | `AUTOBRR__OIDC_REDIRECT_URL`           | OIDC callback URL                                        | `https://baseurl/api/auth/oidc/callback` |
+| `AUTOBRR__OIDC_DISABLE_BUILT_IN_LOGIN` | Disable login form (only works when using external auth) | `false`                                  |
 | `AUTOBRR__METRICS_ENABLED`             | Enable Metrics server                                    | `false`                                  |
 | `AUTOBRR__METRICS_HOST`                | Metrics listen address                                   | `127.0.0.1`                              |
 | `AUTOBRR__METRICS_PORT`                | Metrics listen port                                      | `9074`                                   |
--- a/config.toml
+++ b/config.toml
@ -72,19 +72,22 @@ sessionSecret = "secret-session-key"
 # OpenID Connect Configuration
 #
 # Enable OIDC authentication
-#oidc_enabled = false
-
+#oidcEnabled = false
+#
 # OIDC Issuer URL (e.g. https://auth.example.com)
-#oidc_issuer = ""
-
+#oidcIssuer = ""
+#
 # OIDC Client ID
-#oidc_client_id = ""
-
+#oidcClientId = ""
+#
 # OIDC Client Secret
-#oidc_client_secret = ""
-
+#oidcClientSecret = ""
+#
 # OIDC Redirect URL (e.g. http://localhost:7474/api/auth/oidc/callback)
-#oidc_redirect_url = ""
+#oidcRedirectUrl = ""
+#
+# Disable Built In Login Form (only works when using external auth)
+#oidcDisableBuiltInLogin = false

 # Metrics
 #
--- a/internal/auth/oidc.go
+++ b/internal/auth/oidc.go
@ -26,6 +26,7 @@ type OIDCConfig struct {
 	ClientID            string
 	ClientSecret        string
 	RedirectURL         string
+	DisableBuiltInLogin bool
 	Scopes              []string
 }

@ -129,6 +130,7 @@ func NewOIDCHandler(cfg *domain.Config, log zerolog.Logger) (*OIDCHandler, error
 			ClientID:            cfg.OIDCClientID,
 			ClientSecret:        cfg.OIDCClientSecret,
 			RedirectURL:         cfg.OIDCRedirectURL,
+			DisableBuiltInLogin: cfg.OIDCDisableBuiltInLogin,
 			Scopes:              scopes,
 		},
 		provider: provider,
@ -285,24 +287,27 @@ type GetConfigResponse struct {
 	Enabled             bool   `json:"enabled"`
 	AuthorizationURL    string `json:"authorizationUrl"`
 	State               string `json:"state"`
+	DisableBuiltInLogin bool   `json:"disableBuiltInLogin"`
 }

 func (h *OIDCHandler) GetConfigResponse() GetConfigResponse {
 	if h == nil {
 		return GetConfigResponse{
 			Enabled:             false,
+			DisableBuiltInLogin: false,
 		}
 	}

 	state := generateRandomState()
 	authURL := h.oauthConfig.AuthCodeURL(state)

-	h.log.Debug().Bool("enabled", h.config.Enabled).Str("authorization_url", authURL).Str("state", state).Msg("returning OIDC config response")
+	h.log.Debug().Bool("enabled", h.config.Enabled).Str("authorization_url", authURL).Str("state", state).Bool("disable_built_in_login", h.config.DisableBuiltInLogin).Msg("returning OIDC config response")

 	return GetConfigResponse{
 		Enabled:             h.config.Enabled,
 		AuthorizationURL:    authURL,
 		State:               state,
+		DisableBuiltInLogin: h.config.DisableBuiltInLogin,
 	}
 }

--- a/internal/config/config.go
+++ b/internal/config/config.go
@ -112,19 +112,22 @@ sessionSecret = "{{ .sessionSecret }}"
 # OpenID Connect Configuration
 #
 # Enable OIDC authentication
-#oidc_enabled = false
+#oidcEnabled = false
 #
 # OIDC Issuer URL (e.g. https://auth.example.com)
-#oidc_issuer = ""
+#oidcIssuer = ""
 #
 # OIDC Client ID
-#oidc_client_id = ""
+#oidcClientId = ""
 #
 # OIDC Client Secret
-#oidc_client_secret = ""
+#oidcClientSecret = ""
 #
 # OIDC Redirect URL (e.g. http://localhost:7474/api/auth/oidc/callback)
-#oidc_redirect_url = ""
+#oidcRedirectUrl = ""
+#
+# Disable Built In Login Form (only works when using external auth)
+#oidcDisableBuiltInLogin = false

 # Metrics
 #
@ -432,6 +435,10 @@ func (c *AppConfig) loadFromEnv() {
 		c.Config.OIDCRedirectURL = v
 	}

+	if v := os.Getenv(prefix + "OIDC_DISABLE_BUILT_IN_LOGIN"); v != "" {
+		c.Config.OIDCDisableBuiltInLogin = strings.EqualFold(strings.ToLower(v), "true")
+	}
+
 	if v := os.Getenv(prefix + "METRICS_ENABLED"); v != "" {
 		c.Config.MetricsEnabled = strings.EqualFold(strings.ToLower(v), "true")
 	}
--- a/internal/domain/config.go
+++ b/internal/domain/config.go
@ -29,12 +29,13 @@ type Config struct {
 	ProfilingEnabled        bool   `toml:"profilingEnabled"`
 	ProfilingHost           string `toml:"profilingHost"`
 	ProfilingPort           int    `toml:"profilingPort"`
-	OIDCEnabled           bool   `mapstructure:"oidc_enabled"`
-	OIDCIssuer            string `mapstructure:"oidc_issuer"`
-	OIDCClientID          string `mapstructure:"oidc_client_id"`
-	OIDCClientSecret      string `mapstructure:"oidc_client_secret"`
-	OIDCRedirectURL       string `mapstructure:"oidc_redirect_url"`
-	OIDCScopes            string `mapstructure:"oidc_scopes"`
+	OIDCEnabled             bool   `toml:"oidcEnabled" mapstructure:"oidc_enabled"`
+	OIDCIssuer              string `toml:"oidcIssuer" mapstructure:"oidc_issuer"`
+	OIDCClientID            string `toml:"oidcClientId" mapstructure:"oidc_client_id"`
+	OIDCClientSecret        string `toml:"oidcClientSecret" mapstructure:"oidc_client_secret"`
+	OIDCRedirectURL         string `toml:"oidcRedirectUrl" mapstructure:"oidc_redirect_url"`
+	OIDCScopes              string `toml:"oidcScopes" mapstructure:"oidc_scopes"`
+	OIDCDisableBuiltInLogin bool   `toml:"oidcDisableBuiltInLogin" mapstructure:"disable_built_in_login"`
 	MetricsEnabled          bool   `toml:"metricsEnabled"`
 	MetricsHost             string `toml:"metricsHost"`
 	MetricsPort             int    `toml:"metricsPort"`
--- a/web/src/api/APIClient.ts
+++ b/web/src/api/APIClient.ts
@ -262,10 +262,10 @@ export const APIClient = {
      { body: req }),
    getOIDCConfig: async () => {
      try {
-        return await appClient.Get<{ enabled: boolean; authorizationUrl: string; state: string }>("api/auth/oidc/config");
+        return await appClient.Get<{ enabled: boolean; authorizationUrl: string; state: string; disableBuiltInLogin: boolean }>("api/auth/oidc/config");
      } catch (error: unknown) {
        if (error instanceof Error && error.message?.includes('404')) {
-          return { enabled: false, authorizationUrl: '', state: '' };
+          return { enabled: false, authorizationUrl: '', state: '', disableBuiltInLogin: false };
        }
        throw error;
      }
--- a/web/src/screens/auth/Login.tsx
+++ b/web/src/screens/auth/Login.tsx
@ -140,10 +140,12 @@ export const Login = () => {
        </h2>
      </div>

+      {/* Wait for OIDC config to load before rendering any login forms */}
+      {typeof oidcConfig !== 'undefined' && (
        <div className="mt-10 sm:mx-auto sm:w-full sm:max-w-[480px]">
-        <div className={`px-6 ${!canOnboard ? 'py-12 bg-white dark:bg-gray-800 shadow sm:rounded-lg sm:px-12 border border-gray-150 dark:border-gray-775' : ''}`}>
-          {/* Only show regular login form if onboarding is not available */}
-          {!canOnboard && (
+          <div className={`px-6 ${(!canOnboard && (!oidcConfig?.enabled || !oidcConfig?.disableBuiltInLogin)) ? 'py-12 bg-white dark:bg-gray-800 shadow sm:rounded-lg sm:px-12 border border-gray-150 dark:border-gray-775' : ''}`}>
+            {/* Built-in login form */}
+            {!canOnboard && (!oidcConfig?.enabled || !oidcConfig?.disableBuiltInLogin) && (
              <>
                <form onSubmit={handleSubmit(onSubmit)} className="space-y-6">
                  <TextInput<LoginFormFields>
@ -202,9 +204,9 @@ export const Login = () => {
              </>
            )}

-          {/* OIDC login button */}
+            {/* OIDC button */}
            {oidcConfig?.enabled && (
-            <div className={!canOnboard ? 'mt-6' : ''}>
+              <div className={(!canOnboard && !oidcConfig?.disableBuiltInLogin) ? 'mt-6' : ''}>
                <button
                  type="button"
                  onClick={handleOIDCLogin}
@ -217,6 +219,7 @@ export const Login = () => {
            )}
          </div>
        </div>
+      )}
    </div>
  );
 };