Robert27

This PR significantly enhances the authentication system for self-hosted Aptabase instances by adding comprehensive OAuth support and the ability to disable email-based authentication entirely.

What's New

OAuth Provider Support

Previously, self-hosted instances were limited to email-based authentication (magic links). This PR adds full OAuth support for:

  • GitHub OAuth: Previously disabled for self-hosted instances
  • Google OAuth: Previously disabled for self-hosted instances
  • Authentik OAuth: Custom OIDC provider support

Email Authentication Control

Added the ability to completely disable email-based authentication, making OAuth the only authentication method available. This is particularly useful for:

  • Organizations that want to enforce specific authentication providers and user groups
  • Security-focused deployments where magic links are not desired

How It Works

Backend Changes

  • Environment Variable Detection: The system automatically detects configured OAuth providers and enables them
  • Endpoint Protection: Email auth endpoints return 404 when DISABLE_EMAIL_AUTH=true
  • OAuth Status API: Enhanced /api/_auth/oauth-status endpoint includes email auth status

Frontend Changes

  • Dynamic UI: Login/register pages automatically show available OAuth providers
  • Conditional Forms: Email forms are hidden when email auth is disabled
  • Graceful Degradation: Helpful messages when no auth methods are available
  • Loading States: Proper loading indicators while checking auth configuration

Environment Variables Reference

| Variable | Description | Required | Default |
| --- | --- | --- | --- |
| DISABLE_EMAIL_AUTH | Disable email-based authentication (magic links) | No | false |

GitHub OAuth

| Variable | Description | Required |
| --- | --- | --- |
| OAUTH_GITHUB_CLIENT_ID | GitHub OAuth App Client ID | Yes* |
| OAUTH_GITHUB_CLIENT_SECRET | GitHub OAuth App Client Secret | Yes* |

Google OAuth

| Variable | Description | Required |
| --- | --- | --- |
| OAUTH_GOOGLE_CLIENT_ID | Google OAuth Client ID | Yes* |
| OAUTH_GOOGLE_CLIENT_SECRET | Google OAuth Client Secret | Yes* |

Authentik OAuth

| Variable | Description | Required |
| --- | --- | --- |
| OAUTH_AUTHENTIK_CLIENT_ID | Authentik OAuth Client ID | Yes* |
| OAUTH_AUTHENTIK_CLIENT_SECRET | Authentik OAuth Client Secret | Yes* |
| OAUTH_AUTHENTIK_AUTHORIZE_URL | Authentik Authorize URL | Yes* |
| OAUTH_AUTHENTIK_TOKEN_URL | Authentik Token URL | Yes* |
| OAUTH_AUTHENTIK_USERINFO_URL | Authentik Userinfo URL | Yes* |

*Required only if you want to enable that specific OAuth provider

Usage Examples

Email + GitHub OAuth

# docker-compose.yml
environment:
  OAUTH_GITHUB_CLIENT_ID: your_github_client_id
  OAUTH_GITHUB_CLIENT_SECRET: your_github_client_secret

Enterprise with Authentik only

# docker-compose.yml
environment:
  DISABLE_EMAIL_AUTH: true
  OAUTH_AUTHENTIK_CLIENT_ID: your_authentik_client_id
  OAUTH_AUTHENTIK_CLIENT_SECRET: your_authentik_client_secret
  OAUTH_AUTHENTIK_AUTHORIZE_URL: https://auth.company.com/application/o/authorize/
  OAUTH_AUTHENTIK_TOKEN_URL: https://auth.company.com/application/o/token/
  OAUTH_AUTHENTIK_USERINFO_URL: https://auth.company.com/application/o/userinfo/

Resolves #72
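
A pre-deployment check over the variables in the reference above, as an added example that is not part of this PR or of Aptabase. It assumes a provider counts as enabled only when every variable listed for it is set and that only the literal value true disables email auth; the function name and sample values are constructed for illustration.

```python
# Added example, not Aptabase code: audit the auth-related environment variables.
from urllib.parse import urlparse

PROVIDERS = {
    "github": ["OAUTH_GITHUB_CLIENT_ID", "OAUTH_GITHUB_CLIENT_SECRET"],
    "google": ["OAUTH_GOOGLE_CLIENT_ID", "OAUTH_GOOGLE_CLIENT_SECRET"],
    "authentik": ["OAUTH_AUTHENTIK_CLIENT_ID", "OAUTH_AUTHENTIK_CLIENT_SECRET",
                  "OAUTH_AUTHENTIK_AUTHORIZE_URL", "OAUTH_AUTHENTIK_TOKEN_URL",
                  "OAUTH_AUTHENTIK_USERINFO_URL"],
}

def audit_auth_env(env):
    """Return (enabled_providers, email_enabled, findings) for an env mapping."""
    enabled, findings = [], []
    for name, keys in PROVIDERS.items():
        # Assumption: a provider is enabled only when all of its variables are set.
        present = [k for k in keys if env.get(k, "").strip()]
        if len(present) == len(keys):
            enabled.append(name)
        elif present:
            missing = [k for k in keys if k not in present]
            findings.append(f"{name}: partially configured, missing {', '.join(missing)}")
        for k in present:
            value = env[k].strip()
            if k.endswith("_URL"):
                # Token and userinfo requests carry the client secret and tokens.
                url = urlparse(value)
                if url.scheme != "https" or not url.hostname:
                    findings.append(f"{k}: not an absolute https:// URL")
            elif value.startswith("your_"):
                findings.append(f"{k}: still holds the example placeholder")
    # Assumption: only the literal "true" (any case) disables email auth.
    raw = env.get("DISABLE_EMAIL_AUTH", "false").strip().lower()
    if raw not in ("true", "false"):
        findings.append(f"DISABLE_EMAIL_AUTH: unexpected value {raw!r}")
    email_enabled = raw != "true"
    if not email_enabled and not enabled:
        findings.append("lockout: email auth disabled, no OAuth provider complete")
    return enabled, email_enabled, findings

# Constructed sample: Authentik lacks its userinfo URL and uses an http token URL.
SAMPLE = {
    "DISABLE_EMAIL_AUTH": "true",
    "OAUTH_AUTHENTIK_CLIENT_ID": "aptabase",
    "OAUTH_AUTHENTIK_CLIENT_SECRET": "constructed-secret",
    "OAUTH_AUTHENTIK_AUTHORIZE_URL": "https://auth.example.test/application/o/authorize/",
    "OAUTH_AUTHENTIK_TOKEN_URL": "http://auth.example.test/application/o/token/",
}
if __name__ == "__main__":
    print("\n".join(audit_auth_env(SAMPLE)[2]))
```

Run it against the environment a deployment will actually receive before setting DISABLE_EMAIL_AUTH, since a partially configured provider combined with disabled email auth leaves no working sign-in method.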

@Robert27 Robert27 mentioned this pull request Jul 26, 2025
@Robert27 Robert27 changed the title feat: Add OAuth support and email auth disable option for self-hosted instances feat: add OAuth support and email auth disable option for self-hosted instances Jul 26, 2025
@Robert27
Author

Depending on what PR (#153) gets merged first, I'm planning to also apply the email regex to the OAuth providers.

@cristipufu
Member

@Robert27 we appreciate the work you did, just letting you know it will take a bit for our team to properly review and test this. Thanks!

@cristipufu cristipufu requested review from Copilot and ivnbogdan July 26, 2025 20:08
@Copilot Copilot AI left a comment

Pull Request Overview

This PR enhances the authentication system for self-hosted Aptabase instances by adding OAuth provider support (GitHub, Google, and Authentik) and the ability to disable email-based authentication entirely.

  • Adds comprehensive OAuth support for GitHub, Google, and custom Authentik OIDC providers
  • Introduces environment variable controls to disable email authentication and enforce OAuth-only authentication
  • Implements dynamic UI that adapts based on available authentication methods

Reviewed Changes

Copilot reviewed 10 out of 10 changed files in this pull request and generated 3 comments.

| File | Description |
| --- | --- |
| src/webapp/features/env/env.ts | Code formatting cleanup for getUserHourCycle function |
| src/webapp/features/auth/SignInWithAuthentik.tsx | New component for Authentik OAuth authentication button |
| src/webapp/features/auth/RegisterPage.tsx | Updated to support dynamic OAuth status checking and conditional email auth |
| src/webapp/features/auth/OAuthButtons.tsx | New component to manage OAuth button display based on available providers |
| src/webapp/features/auth/LoginPage.tsx | Updated to support dynamic OAuth status checking and conditional email auth |
| src/Program.cs | Added Authentik OAuth provider registration |
| src/Features/EnvSettings.cs | Added environment variables for Authentik OAuth and email auth control |
| src/Features/Authentication/OAuthExtensions.cs | Implemented Authentik OAuth provider configuration and user handling |
| src/Features/Authentication/AuthController.cs | Added email auth protection and OAuth status endpoint |
| src/Data/Migrations/0012_IncreaseProviderUidSize.cs | Database migration to support longer OAuth provider user IDs |

Comments suppressed due to low confidence (2)

src/webapp/features/auth/SignInWithAuthentik.tsx:13

  • The SVG attribute stroke-width should use camelCase (strokeWidth) in React JSX to follow React conventions.
            stroke-width="1"
