[GH-ISSUE #590] [Feature]: OpenID Connect / OAuth2 Integration (e.g., Authentik) #387

New issue

Closed

opened 2026-05-06 12:28:59 +02:00 by BreizhHardware · 1 comment

BreizhHardware commented

2026-05-06 12:28:59 +02:00

Owner

Originally created by @kgelinas on GitHub (Mar 4, 2026).
Original GitHub issue: https://github.com/maziggy/bambuddy/issues/590

Originally assigned to: @maziggy on GitHub.

Problem or Use Case

Currently, managing local credentials for another service adds administrative overhead and increases the "password fatigue" for users.
As my self-hosted lab grows, I’m moving toward a centralized identity provider—specifically Authentik—to handle authentication across all my applications.

Without OIDC support, I'm unable to:

Enforce Single Sign-On (SSO) across my dashboard and Bambuddy.
Utilize Multi-Factor Authentication (MFA) policies defined in my central identity provider.
Automatically provision or manage user access without creating manual accounts within Bambuddy.

Proposed Solution

I suggest implementing OpenID Connect (OIDC) support.
This would allow Bambuddy to delegate authentication to providers like Authentik, Authelia, or Keycloak.

Key features for this integration would ideally include:

Configurable OIDC Endpoints: Fields for Client ID, Client Secret, and Discovery URL (well-known endpoint).
Attribute Mapping: The ability to map OIDC claims (like preferred_username or email) to Bambuddy user profiles.
Optional "Login with OIDC" button: A toggle on the login page to redirect users to the provider.

This addition would make Bambuddy significantly more "enterprise-ready" and user-friendly for those of us running a consolidated home lab or small business environment.

Alternatives Considered

Manual User Management: Continuing to create and manage local users within Bambuddy. This is difficult to scale and doesn't support central MFA policies.
Reverse Proxy Auth (e.g., Traefik/Nginx with Forward Auth): While this can protect the application behind a login gate, it often doesn't integrate with the application’s internal user profiles or permissions, leading to a "double login" or lack of user-specific context within the app itself.

Feature Category

Print Archiving

Priority

Nice to have

Mockups or Examples

No response

Contribution

I would be willing to help implement this feature

Checklist

I have searched existing issues to ensure this feature hasn't already been requested

Originally created by @kgelinas on GitHub (Mar 4, 2026). Original GitHub issue: https://github.com/maziggy/bambuddy/issues/590 Originally assigned to: @maziggy on GitHub. ### Problem or Use Case Currently, managing local credentials for another service adds administrative overhead and increases the "password fatigue" for users. As my self-hosted lab grows, I’m moving toward a centralized identity provider—specifically Authentik—to handle authentication across all my applications. Without OIDC support, I'm unable to: - Enforce Single Sign-On (SSO) across my dashboard and Bambuddy. - Utilize Multi-Factor Authentication (MFA) policies defined in my central identity provider. - Automatically provision or manage user access without creating manual accounts within Bambuddy. ### Proposed Solution I suggest implementing OpenID Connect (OIDC) support. This would allow Bambuddy to delegate authentication to providers like Authentik, Authelia, or Keycloak. Key features for this integration would ideally include: - Configurable OIDC Endpoints: Fields for Client ID, Client Secret, and Discovery URL (well-known endpoint). - Attribute Mapping: The ability to map OIDC claims (like preferred_username or email) to Bambuddy user profiles. - Optional "Login with OIDC" button: A toggle on the login page to redirect users to the provider. This addition would make Bambuddy significantly more "enterprise-ready" and user-friendly for those of us running a consolidated home lab or small business environment. ### Alternatives Considered - Manual User Management: Continuing to create and manage local users within Bambuddy. This is difficult to scale and doesn't support central MFA policies. - Reverse Proxy Auth (e.g., Traefik/Nginx with Forward Auth): While this can protect the application behind a login gate, it often doesn't integrate with the application’s internal user profiles or permissions, leading to a "double login" or lack of user-specific context within the app itself. ### Feature Category Print Archiving ### Priority Nice to have ### Mockups or Examples _No response_ ### Contribution - [ ] I would be willing to help implement this feature ### Checklist - [x] I have searched existing issues to ensure this feature hasn't already been requested