Mirror of https://github.com/idanoo/autobrr, synced 2025-07-22 16:29:12 +00:00
feat(auth): implement auth proxy support with OpenID Connect (#1853)
* feat(auth): implement oidc
* refactor(auth): centralize OIDC state cookie handling
* fix(web): resolve unused error variables in route handlers
* docs(readme): add OIDC authentication feature to list
* fix(auth): improve OIDC cookie handling for reverse proxy setups

  The OIDC state cookie's Secure flag is now properly set when running behind a reverse proxy by checking both direct TLS and the X-Forwarded-Proto header. This fixes authentication issues in common setups where:
  - autobrr runs behind a reverse proxy that terminates HTTPS
  - local development environments without TLS
  - mixed protocol environments (internal HTTP, external HTTPS)
* fix: use crypt/random if argon2id fails
* feat(auth): show both login options when user exists in db

  If the user doesn't exist, e.g. canOnboard=true, then we only show the OIDC button, since regular login makes no sense in that case. If the user does not exist in db and the user wants to create a local user, OIDC needs to be disabled first.
* feat(auth): improve OIDC provider initialization with discovery logging
* revert(issuer): do not remove trailing slash
* feat(auth): improve OIDC username resolution with additional claims
* fix(auth): handle OIDC issuer URLs with and without trailing slashes

  When initializing the OIDC provider, automatically retry with/without trailing slash if the first attempt fails.
  - First attempts with original issuer URL
  - If it fails with trailing slash, retries without
  - If it fails without trailing slash, retries with
* feat(oidc): add gorilla sessions store for secure state management

  Add gorilla sessions store to handle encrypted state cookies in OIDC flow, while removing redundant session validation checks.

  Co-authored-by: Kyle Sanderson <kyle.leet@gmail.com>
* fix(auth): prevent duplicate OIDC state cookies for authenticated sessions

  Modify OIDC config handler to check for existing authenticated sessions before setting state cookie. Still returns OIDC enabled status to maintain UI state, but prevents unnecessary cookie creation for authenticated users.
* feat(oidc): use random secret for temporary state cookies

  Co-authored-by: Kyle Sanderson <kyle.leet@gmail.com>
* feat(auth): add rate limiting to OIDC endpoints

  Co-authored-by: Kyle Sanderson <kyle.leet@gmail.com>
* fix(auth): validate OIDC authorization code presence in callback

  Co-authored-by: Kyle Sanderson <kyle.leet@gmail.com>
* fix(auth): properly handle OIDC session errors

  Improve error handling in OIDC login flow by properly handling cookie store session errors. Return HTTP 500 if session cannot be retrieved instead of silently continuing with potentially invalid state.

  Co-authored-by: Kyle Sanderson <kyle.leet@gmail.com>
* feat(auth): track and display authentication method for oidc and password logins
* fix: tests
* docs(readme): add environment variable section
* go mod tidy
* chore: log style and errors

--------

Co-authored-by: Kyle Sanderson <kyle.leet@gmail.com>
Co-authored-by: ze0s <ze0s@riseup.net>
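The commit message above describes four pieces of callback hygiene: deriving the state cookie's Secure flag from direct TLS or `X-Forwarded-Proto`, keeping the state in a cookie for the round trip, rejecting a callback with no authorization code, and retrying issuer discovery with the trailing slash toggled. The Go below is an added example written for this page to show those pieces together; it is not autobrr's code and uses none of its packages (no gorilla sessions, no go-oidc). The cookie name `oidc_state`, the five-minute lifetime, the `autobrr.internal` host, and the sample `code` value are all assumptions constructed for the demo, and the constant-time state compare is this example's choice, not something the commit message states.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Assumed cookie name for this example; autobrr's own is not shown on this page.
const stateCookieName = "oidc_state"

// isSecureRequest decides whether the state cookie gets the Secure flag:
// true on a TLS connection, or when a TLS-terminating reverse proxy says so
// via X-Forwarded-Proto. The header is client-supplied, so honour it only
// when a proxy you control sits in front and overwrites it on every request.
func isSecureRequest(r *http.Request) bool {
	if r.TLS != nil {
		return true
	}
	return strings.EqualFold(r.Header.Get("X-Forwarded-Proto"), "https")
}

// newState returns 32 CSPRNG bytes as unpadded URL-safe base64.
func newState() (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(b), nil
}

// setStateCookie binds the state to the browser for one round trip to the
// identity provider. SameSite=Lax is deliberate: the provider returns the
// browser with a top-level GET, which Lax permits and Strict would block.
func setStateCookie(w http.ResponseWriter, r *http.Request, state string) {
	http.SetCookie(w, &http.Cookie{
		Name:     stateCookieName,
		Value:    state,
		Path:     "/",
		MaxAge:   300, // assumed lifetime: five minutes
		HttpOnly: true,
		Secure:   isSecureRequest(r),
		SameSite: http.SameSiteLaxMode,
	})
}

var (
	ErrMissingCode   = errors.New("oidc callback: missing authorization code")
	ErrMissingState  = errors.New("oidc callback: missing state cookie")
	ErrStateMismatch = errors.New("oidc callback: state does not match cookie")
)

// validateCallback checks the redirect back from the provider: the code must
// be present and the state query parameter must equal the state cookie.
func validateCallback(r *http.Request) (string, error) {
	q := r.URL.Query()
	code := q.Get("code")
	if code == "" {
		return "", ErrMissingCode
	}
	c, err := r.Cookie(stateCookieName)
	if err != nil || c.Value == "" {
		return "", ErrMissingState
	}
	if subtle.ConstantTimeCompare([]byte(c.Value), []byte(q.Get("state"))) != 1 {
		return "", ErrStateMismatch
	}
	return code, nil
}

// issuerCandidates lists the issuer as configured, then the same URL with
// the trailing slash toggled: the retry order the commit message describes.
func issuerCandidates(issuer string) []string {
	if strings.HasSuffix(issuer, "/") {
		return []string{issuer, strings.TrimSuffix(issuer, "/")}
	}
	return []string{issuer, issuer + "/"}
}

func main() {
	// Constructed traffic: login start behind a TLS-terminating proxy, then
	// the redirect back from the provider carrying a made-up code.
	state, err := newState()
	if err != nil {
		panic(err)
	}
	rec := httptest.NewRecorder()
	start := httptest.NewRequest("GET", "http://autobrr.internal/api/auth/oidc/config", nil)
	start.Header.Set("X-Forwarded-Proto", "https")
	setStateCookie(rec, start, state)
	fmt.Println("Set-Cookie:", rec.Header().Get("Set-Cookie"))

	cb := httptest.NewRequest("GET", "http://autobrr.internal/api/auth/oidc/callback?code=SplxlOBeZQQYbYS6WxSbIA&state="+state, nil)
	cb.AddCookie(&http.Cookie{Name: stateCookieName, Value: state})
	code, err := validateCallback(cb)
	fmt.Println("code:", code, "err:", err)
	fmt.Println("issuer discovery order:", issuerCandidates("https://id.example.com/realms/autobrr/"))
}
```

Running it prints a `Set-Cookie` line carrying `Secure` even though the request arrived over plain HTTP, because the proxy header vouched for the external scheme; drop the header and the flag disappears, which is exactly the bug the commit fixes for proxy deployments.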
Parent: 80423d6273
Commit: 43c28fc0c6
19 changed files with 893 additions and 130 deletions
README.md (32 additions)
@ -30,6 +30,7 @@ Full documentation can be found at [https://autobrr.com](https://autobrr.com)
- [Windows](#windows)
- [MacOS](#macos)
- [Linux Generic](#linux-generic)
- [Environment Variables](#environment-variables)
4. [Community](#community)
5. [Contributing](#contributing)
6. [Code of Conduct](#code-of-conduct)
@ -70,6 +71,7 @@ qBittorrent, Deluge, r(u)Torrent and Transmission. You don't need to use the *ar
Windows, macOS) on different architectures (e.g. x86, ARM)
- Great container support (Docker, k8s/Kubernetes)
- Database engine supporting both PostgreSQL and SQLite
- Authentication support including built-in auth and OpenID Connect (OIDC)
- Notifications (Discord, Telegram, Notifiarr, Pushover, Gotify)
- One autobrr instance can communicate with multiple clients (torrent, Usenet and \*arr) on remote servers
- Base path / Subfolder (and subdomain) support for convenient reverse-proxy support
@ -310,6 +312,36 @@ or [traefik](https://autobrr.com/installation/docker#traefik).

If you are not running a reverse proxy change `host` in the `config.toml` to `0.0.0.0`.

### Environment Variables

The following environment variables can be used:

| Variable | Description | Default |
| -------------------------------- | ------------------------------------ | ---------------------------------------- |
| `AUTOBRR__HOST` | Listen address | `127.0.0.1` |
| `AUTOBRR__PORT` | Listen port | `7474` |
| `AUTOBRR__BASE_URL` | Base URL for reverse proxy | `/` |
| `AUTOBRR__LOG_LEVEL` | Log level (DEBUG, INFO, WARN, ERROR) | `INFO` |
| `AUTOBRR__LOG_PATH` | Log file location | `/config/logs` |
| `AUTOBRR__LOG_MAX_SIZE` | Max size in MB before rotation | `10` |
| `AUTOBRR__LOG_MAX_BACKUPS` | Number of rotated logs to keep | `5` |
| `AUTOBRR__SESSION_SECRET` | Random string for session encryption | - |
| `AUTOBRR__CUSTOM_DEFINITIONS` | Path to custom indexer definitions | - |
| `AUTOBRR__CHECK_FOR_UPDATES` | Enable update checks | `true` |
| `AUTOBRR__DATABASE_TYPE` | Database type (sqlite/postgres) | `sqlite` |
| `AUTOBRR__POSTGRES_HOST` | PostgreSQL host | - |
| `AUTOBRR__POSTGRES_PORT` | PostgreSQL port | `5432` |
| `AUTOBRR__POSTGRES_DATABASE` | PostgreSQL database name | - |
| `AUTOBRR__POSTGRES_USER` | PostgreSQL username | - |
| `AUTOBRR__POSTGRES_PASS` | PostgreSQL password | - |
| `AUTOBRR__POSTGRES_SSLMODE` | PostgreSQL SSL mode | `disable` |
| `AUTOBRR__POSTGRES_EXTRA_PARAMS` | Additional PostgreSQL parameters | - |
| `AUTOBRR__OIDC_ENABLED` | Enable OpenID Connect authentication | `false` |
| `AUTOBRR__OIDC_ISSUER` | OIDC issuer URL | - |
| `AUTOBRR__OIDC_CLIENT_ID` | OIDC client ID | - |
| `AUTOBRR__OIDC_CLIENT_SECRET` | OIDC client secret | - |
| `AUTOBRR__OIDC_REDIRECT_URL` | OIDC callback URL | `https://baseurl/api/auth/oidc/callback` |

## Community

Join our friendly and welcoming community on [Discord](https://discord.gg/WQ2eUycxyT)! Connect with fellow autobrr users, get advice, and share your experiences. Whether you're seeking help, wanting to contribute, or just looking to discuss your ideas, our community is a hub of discussion and support. We're all here to help each other out, so don't hesitate to jump in!
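Review bot: the default shown for `AUTOBRR__OIDC_REDIRECT_URL`, `https://baseurl/api/auth/oidc/callback`, reads as a literal hostname rather than a placeholder; write it as `<your base URL>/api/auth/oidc/callback` and say that the value must match the redirect URI registered with the identity provider exactly, scheme and trailing slash included. Two related gaps in the same table: `AUTOBRR__SESSION_SECRET` has no default and nothing states whether autobrr refuses to start, generates a secret, or falls back to something weaker when it is unset; and the `X-Forwarded-Proto` dependency from the commit message (the OIDC state cookie's Secure flag is derived from it) is not documented, so a proxy that does not forward that header will hand out a non-Secure state cookie on an HTTPS deployment. `AUTOBRR__POSTGRES_SSLMODE` defaulting to `disable` also deserves a one-line warning for anyone pointing `AUTOBRR__POSTGRES_HOST` at another machine.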