Proposal
Add OpenID Connect (OIDC) authentication support, allowing users to sign in via an external identity provider (Authentik, Keycloak, Auth0, Google, etc.) rather than (or in addition to) the local username+password flow.
Reference
Upstream oppiliappan/lurker PR #36 implements OIDC in a dedicated src/oidc.js. We can cherry-pick that file and its hooks into src/auth.js / src/routes/index.js, while skipping the PR's bundled PWA/media changes (we already have web manifest + srcset from v2.4.x and v2.5.0).
Scope
- OIDC_ISSUER, OIDC_CLIENT_ID, OIDC_CLIENT_SECRET, OIDC_REDIRECT_URI, optionally OIDC_SCOPES)
- /auth/oidc/login route to initiate flow
- /auth/oidc/callback route to handle the redirect
- sub claim or email — decide during PR review)
- src/routes/index.js:500-507
Compatibility
Local password login continues to work when OIDC is configured. An admin can disable local login via another env var if desired (out of scope for v1).
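
The flow in the Scope list, as an added sketch rather than code from upstream PR #36 or this repository: the login redirect with state, nonce and PKCE, the callback check, and an account key built from iss + sub, the only claim pair OpenID Connect Core treats as a stable user identifier (the issue leaves sub vs email open). Function names and the default scope are hypothetical; discovery, the token exchange and ID token signature verification are assumed to happen elsewhere.

```javascript
// Added example. Only the OIDC_* variables and the two route paths come from
// the issue; every function name here is hypothetical.
const { createHash, randomBytes, timingSafeEqual } = require('node:crypto');

const token = () => randomBytes(32).toString('base64url');
const same = (a, b) => {
  const x = Buffer.from(String(a)), y = Buffer.from(String(b));
  return x.length === y.length && timingSafeEqual(x, y);
};

// Fail closed when a required variable is missing. The default scope is an assumption.
function loadOidcConfig(env) {
  const need = ['OIDC_ISSUER', 'OIDC_CLIENT_ID', 'OIDC_CLIENT_SECRET', 'OIDC_REDIRECT_URI'];
  const missing = need.filter((k) => !env[k]);
  if (missing.length) throw new Error(`missing ${missing.join(', ')}`);
  return { issuer: env.OIDC_ISSUER, clientId: env.OIDC_CLIENT_ID, clientSecret: env.OIDC_CLIENT_SECRET,
    redirectUri: env.OIDC_REDIRECT_URI, scopes: env.OIDC_SCOPES || 'openid email' };
}

// /auth/oidc/login: build the redirect; `pending` stays in the server-side session.
function beginLogin(cfg, authorizationEndpoint) { // endpoint comes from discovery
  const pending = { state: token(), nonce: token(), verifier: token() };
  const url = new URL(authorizationEndpoint);
  url.search = new URLSearchParams({
    response_type: 'code', client_id: cfg.clientId, redirect_uri: cfg.redirectUri,
    scope: cfg.scopes, state: pending.state, nonce: pending.nonce, code_challenge_method: 'S256',
    code_challenge: createHash('sha256').update(pending.verifier).digest().toString('base64url'),
  }).toString();
  return { url: url.toString(), pending };
}

// /auth/oidc/callback, before the token exchange: the redirect must carry our state.
function checkCallback(query, pending) {
  if (!pending) throw new Error('no login in progress');
  if (query.error) throw new Error('provider returned an error');
  if (!query.code || !same(query.state ?? '', pending.state)) throw new Error('state mismatch');
  return { code: query.code, code_verifier: pending.verifier };
}

// After the ID token's signature has been verified (not shown): check the claims and
// derive the local account key from iss + sub rather than from the email address.
function accountKey(claims, cfg, pending, now = Date.now() / 1000) {
  if (claims.iss !== cfg.issuer) throw new Error('wrong issuer');
  if (![].concat(claims.aud).includes(cfg.clientId)) throw new Error('wrong audience');
  if (!(claims.exp > now)) throw new Error('expired');
  if (!same(claims.nonce ?? '', pending.nonce)) throw new Error('nonce mismatch');
  if (!claims.sub) throw new Error('missing sub');
  return `${claims.iss}#${claims.sub}`;
}
```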