[GH-ISSUE #489] Support for OIDC auth method #126

New issue

Open

opened 2026-05-07 00:19:12 +02:00 by BreizhHardware · 2 comments

BreizhHardware commented

2026-05-07 00:19:12 +02:00

Owner

Originally created by @e-scheer on GitHub (Jul 31, 2024).
Original GitHub issue: https://github.com/ovh/the-bastion/issues/489

Hello,

First thank you for this excellent tool; it perfectly suits my needs and meets my current requirements. However, I noticed that there is no mention of support for OpenID Connect (OIDC) in the current documentation or feature set.

Are there any plans to add OIDC support to The Bastion in the near future? If so, is there a tentative timeline for its release? If not, could this be considered for a future enhancement?

Originally created by @e-scheer on GitHub (Jul 31, 2024). Original GitHub issue: https://github.com/ovh/the-bastion/issues/489 Hello, First thank you for this excellent tool; it perfectly suits my needs and meets my current requirements. However, I noticed that there is no mention of support for OpenID Connect (OIDC) in the current documentation or feature set. Are there any plans to add OIDC support to The Bastion in the near future? If so, is there a tentative timeline for its release? If not, could this be considered for a future enhancement?

BreizhHardware added the

answered

label

2026-05-07 00:19:12 +02:00

BreizhHardware commented

2026-05-07 00:19:13 +02:00

Author

Owner

@CooperTrooper21 commented on GitHub (Oct 8, 2024):

Would be the solution I am looking for if support SSO

@CooperTrooper21 commented on GitHub (Oct 8, 2024): +1 Would be the solution I am looking for if support SSO

BreizhHardware commented

2026-05-07 00:19:13 +02:00

Author

Owner

@speed47 commented on GitHub (Dec 5, 2024):

Hello,

The Bastion is handling off authentication of the users to the OpenSSH server and the underlying OS. This means that OIDC will work as long as your OpenSSH and OS config support it.

On Linux systems, a probably good candidate would be a PAM module, as sshd supports it. I haven't tried it personally, but a quick search shows that this kind of module exists, for example here :
https://github.com/salesforce/pam_oidc

This would then just be a matter of PAM config to make it work. If you try it, let men know, maybe we can include some details in the documentation.

@speed47 commented on GitHub (Dec 5, 2024): Hello, The Bastion is handling off authentication of the users to the OpenSSH server and the underlying OS. This means that OIDC will work as long as your OpenSSH and OS config support it. On Linux systems, a probably good candidate would be a PAM module, as sshd supports it. I haven't tried it personally, but a quick search shows that this kind of module exists, for example here : https://github.com/salesforce/pam_oidc This would then just be a matter of PAM config to make it work. If you try it, let men know, maybe we can include some details in the documentation.

BreizhHardware referenced this issue

2026-05-07 00:20:02 +02:00

[PR #126] [MERGED] enh: config: detect warnBefore/idleTimeout misconfiguration #258