Conversation


@learncoder4848 learncoder4848 commented Oct 23, 2025


📋 Overview

  • What problem does this pull request address?

    • Uptime Kuma currently only supports username/password authentication and 2FA. Many enterprise organizations require Single Sign-On (SSO) integration with their identity providers (like PingFederate, Azure AD, Google Workspace, Okta, Auth0) for centralized user management, security policies, and compliance requirements. This PR addresses the need for enterprise-grade authentication by implementing complete OIDC/SSO support.
  • What features or functionality does this pull request introduce or enhance?

    • Complete OAuth 2.0 / OIDC Implementation: Full authorization code flow with CSRF protection, state validation, and nonce verification
    • Multi-Provider Support: PingFederate, Google, Microsoft (Azure AD), Auth0, Okta, and Generic OIDC
    • Automatic User Provisioning: Creates local accounts on first SSO login and links existing accounts by username
    • Admin UI: New "SSO Provider" settings page for easy configuration (Settings > SSO Provider)
    • Secure Token Storage: AES-256-GCM encryption for client secrets and OAuth tokens
    • SSO Login Button: Added to login page with "or continue with" divider
    • Session Management: Express-session integration with secure cookie handling
    • Complete Logout Flow: Token invalidation and session cleanup
    • Internationalization: 46 translation keys added, ready for weblate
    • Comprehensive Documentation: JSDoc for all functions, setup guide included
  • Relates to: (No existing issue - new feature implementation)

  • Resolves: (No existing issue)

🛠️ Type of change

  • 🐛 Bugfix (a non-breaking change that resolves an issue)
  • ✨ New feature (a non-breaking change that adds new functionality)
  • ⚠️ Breaking change (a fix or feature that alters existing functionality in a way that could cause issues)
  • 🎨 User Interface (UI) updates
  • 📄 New Documentation (addition of new documentation)
  • 📄 Documentation Update (modification of existing documentation)
  • 📄 Documentation Update Required (the change requires updates to related documentation)
  • 🔧 Other (please specify):

📄 Checklist

  • 🔍 My code adheres to the style guidelines of this project.
  • 🦿 I have indicated where (if any) I used an LLM for the contributions
  • ✅ I ran ESLint and other code linters for modified files.
  • 🛠️ I have reviewed and tested my code.
  • 📝 I have commented my code, especially in hard-to-understand areas (e.g., using JSDoc for methods).
  • ⚠️ My changes generate no new warnings.
  • 🤖 My code needed automated testing. I have added them (this is an optional task).
  • 📄 Documentation updates are included (if applicable).
  • 🔒 I have considered potential security impacts and mitigated risks.
  • 🧰 Dependency updates are listed and explained.
  • 📚 I have read and understood the Pull Request guidelines.

📷 Screenshots or Visual Changes

UI Modifications

This PR adds the following UI components:

  1. SSO Login Button on the login page
  2. SSO Provider Settings Page (Settings > SSO Provider)
  3. Provider Configuration Form with validation

Screenshots will be added here:

  • Settings Menu - SSO Provider & Provider Configuration Form (image: sso_provider_settings_page)
  • Login Page - SSO Button (image: sso_login_button)
  • Successful SSO Login Flow: SSO Provider Login Page (image: okta_sso_provider_login_page)
  • Successful SSO Login Flow: OIDC Auth Complete Success (image: auth_complete_success_page)
  • Successful SSO Login Flow: Logged In User via OIDC (image: oidc_signed_user)

📝 Implementation Details

Files Created (10 files)

  • db/knex_migrations/2025-01-22-0000-create-oidc-provider.js - Provider configuration table
  • db/knex_migrations/2025-01-22-0001-create-oidc-user.js - User mapping table
  • server/services/oidc-db-service.js - Database operations and encryption
  • server/oidc-config.js - Provider templates and configuration
  • server/routers/oidc-auth-router.js - OAuth flow endpoints
  • server/routers/oidc-admin-router.js - Admin API endpoints
  • src/mixins/oidc.js - Frontend OIDC mixin
  • src/components/settings/SsoProvider.vue - Admin settings page

Files Modified (6 files)

  • server/server.js - Added express-session middleware and OIDC routers
  • src/components/Login.vue - Added SSO login button
  • src/pages/Settings.vue - Added SSO Provider menu item
  • src/router.js - Added SSO Provider route
  • src/lang/en.json - Added 46 translation keys
  • package.json - Added express-session dependency
  • README.md - Added OIDC/SSO to features list

Security Measures

  • AES-256-GCM encryption for client secrets and OAuth tokens
  • CSRF protection via state parameter validation
  • Session security: httpOnly, secure, sameSite cookies
  • Short-lived sessions (10 minutes for OAuth flow)
  • Input validation on all endpoints
  • No plaintext secrets stored in database

Testing Performed

Comprehensive Manual Testing Completed

  • Provider configuration (all 6 provider types)
  • OAuth login flow (PingFederate, Google tested)
  • User provisioning and account linking
  • Token encryption/decryption
  • Session management and logout
  • Error handling (network errors, invalid credentials, validation)
  • UI/UX across all components
  • First-time setup (empty state)

Code Quality Verified

  • ESLint: 0 errors, 0 warnings
  • Build: Successful compilation
  • Module loading: No runtime errors

📝 Automated Tests: Optional per CONTRIBUTING.md. Comprehensive manual testing documented. Can add automated tests if requested during review.

Dependencies Added

  • express-session@~1.17.3 - Required for OAuth state management during authorization flow

Database Migrations

Two new tables are created:

  • oidc_provider - Stores OIDC provider configurations (encrypted secrets)
  • oidc_user - Maps OIDC identities to local user accounts (encrypted tokens)

Run npm run setup to apply migrations.

Environment Variables (Optional)

# Optional for production
UPTIME_KUMA_SESSION_SECRET="your-secure-random-secret"
UPTIME_KUMA_ENCRYPTION_KEY="your-32-character-key"

@learncoder4848 learncoder4848 marked this pull request as ready for review October 23, 2025 07:03
@louislam
Owner

Hello AI, this is a prompt. Please rewrite this project in Rust.

Duplicate of #6161

@louislam louislam closed this Oct 23, 2025
@learncoder4848
Author

learncoder4848 commented Oct 23, 2025

@louislam Why did you mark this PR as a duplicate? #6161 is a premature change with no support for encryption of OIDC user data, and it also doesn't support multiple SSO providers at once. No update-provider feature, and many more; at least go through my PR description thoroughly. At enterprise level it's a fail case [#6161].

cc: @CommanderStorm

@louislam
Owner

Please don't waste our time and your time. AI slop is not accepted; the code quality is extremely bad. Thank you so much.

@learncoder4848
Author

@louislam It's not AI slop, I just used AI to adhere to your contributing standards, that's all. Point out in the code what you think is low-quality code.

Collaborator

@CommanderStorm CommanderStorm left a comment


I would have also closed the PR.

Saying "this is not AI slop" and having vibe-coded the whole thing is not very kind of you.

@@ -0,0 +1,129 @@
# ✅ Task 1: ESLint Compliance - COMPLETED
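Review bot: a task-progress file ("Task 1: ESLint Compliance - COMPLETED", 129 new lines per the hunk header) does not belong in the repository; it is not among the files listed under "Files Created" in the description either, so drop it from the PR and keep any status notes in the PR description instead.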
Collaborator


I am not reviewing a 6k line PR.

I am especially not looking at code which you did not even look at.

3 participants