Skip to content

Add OIDC authentication support#599

Open
benoit-nexthop wants to merge 3 commits intocloudbase:mainfrom
nexthop-ai:oidc-auth-support
Open

Add OIDC authentication support#599
benoit-nexthop wants to merge 3 commits intocloudbase:mainfrom
nexthop-ai:oidc-auth-support

Conversation

@benoit-nexthop
Copy link
Contributor

@benoit-nexthop benoit-nexthop commented Feb 9, 2026
edited
Loading

Summary

Adds OpenID Connect (OIDC) authentication support to GARM, allowing users to authenticate via external identity providers like Okta, Auth0, Google, etc.

Changes

  • Add OIDC configuration to config.go with validation
  • Add OIDC provider integration with state management and token exchange
  • Add OIDC login/callback/status API endpoints
  • Update NewUserParams with IsSSOUser flag for SSO users without passwords
  • Consolidate CreateOIDCUser into CreateUser with IsSSOUser check
  • Add OIDC login button to webapp login page
  • Add OIDC tests and documentation

Configuration

To enable OIDC, add the following to your GARM config:

[oidc]
enabled = true
issuer = "https://your-idp.example.com"
client_id = "your-client-id"
client_secret = "your-client-secret"
redirect_url = "https://your-garm-instance/api/v1/auth/oidc/callback"

Testing

Tested with Okta in staging and production environments.

This PR is part of a stack of changes:

  1. fix: remove invalid Unlock calls in scaleset worker #598
  2. Add OIDC authentication support #599 ← you are here
  3. Allow multiple users and open read-only APIs to non-admins #600
  4. Add version display to navigation sidebar #601

@benoit-nexthop
fix: remove invalid Unlock calls in scaleset worker
40e555e 
- Remove Unlock call in handleScaleDown that was called before any lock
  was acquired
- Change defer Unlock to immediate Unlock in consolidateRunnerState loop
  to avoid holding locks until function exit
@benoit-nexthop
Add OIDC authentication support
dd874ac 
- Add OIDC configuration to config.go with validation
- Add OIDC provider integration with state management and token exchange
- Add OIDC login/callback/status API endpoints
- Update NewUserParams with IsSSOUser flag for SSO users without passwords
- Consolidate CreateOIDCUser into CreateUser with IsSSOUser check
- Add OIDC login button to webapp login page
- Add OIDC tests and documentation
@benoit-nexthop
Rebuild webapp with OIDC support
f4e90d5
This was referenced Feb 9, 2026
Open
Open
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@benoit-nexthop