Description
Pre-submission Checklist
- I have searched the existing issues and this feature has not been requested yet
Type of Feature
API / Backend
Problem or Use Case
Is your feature request related to a problem?
Currently there's no way to deep-link directly to SSO login from external apps. Users must:
1. Land on Memos login page (/)
2. Manually click "Sign in with [Provider]"

This breaks seamless integration with:
- Other apps wanting "Login to Notes" buttons
- Reverse proxy auth flows
- Mobile deep links
- SSO dashboards
JavaScript auto-click hacks fail due to Memos' OAuth state validation (by design, for security).
Describe the solution you'd like
Current workarounds fail:
- ❌ Direct OIDC URLs → "Invalid state parameter" (CSRF protection)
- ❌ JS auto-click → SPA timing/race conditions + console errors
- ❌ Reverse proxy → Same state storage issue
Use case: From my SSO dashboard, I want one-click "→ Notes" buttons that skip the Memos login page entirely.
Proposed Solution
Add a direct SSO endpoint: /auth/sso?provider={keycloak|authentik|...}

https://memos.example.com/auth/sso?provider=keycloak
↓
Instant redirect to Keycloak auth → callback → dashboard

Memos handles:
- ✅ Generates/stores OAuth state in localStorage
- ✅ Provider-specific redirect URI logic
- ✅ Falls back to login page if provider not configured
Example implementation using ChatGPT:
```go
// In Memos auth handler (sketch: store.GetSSOConfig, generateState and
// buildAuthURL stand for helpers Memos would have to provide)
func ssoHandler(w http.ResponseWriter, r *http.Request) {
	if r.URL.Path == "/auth/sso" {
		provider := r.URL.Query().Get("provider")
		if ssoConfig, ok := store.GetSSOConfig(provider); ok {
			state := generateState() // Store in session/localStorage
			redirectURL := buildAuthURL(ssoConfig.AuthorizationEndpoint, state)
			http.Redirect(w, r, redirectURL, http.StatusFound)
		} else {
			http.Redirect(w, r, "/", http.StatusFound) // Fallback to login
		}
	}
}
```
Alternatives Considered
No response
Additional Context
Similar to #5149 but easier to implement
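The following is an added example, not code from the issue author or from the Memos project, showing how the proposed /auth/sso?provider=... endpoint can deep-link into an OIDC provider while keeping the state check that the issue notes is there for CSRF protection. Everything in it is assumed: the handler names (ssoRedirectHandler, verifyCallbackState), the providers map standing in for store.GetSSOConfig, the cookie name memos_sso_state, and the example.com hosts. Two design choices differ from the sketch above: the state is kept in an HttpOnly cookie rather than localStorage, because a server-side redirect cannot write to the browser's localStorage, and redirect_uri is always taken from the provider's configuration, so the provider query parameter can only select a configured provider and cannot steer the redirect anywhere else.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"net/http"
	"net/url"
	"time"
)

// SSOConfig is a hypothetical stand-in for the result of the issue's
// store.GetSSOConfig(). RedirectURI comes from configuration, never from the request.
type SSOConfig struct {
	AuthorizationEndpoint string
	ClientID              string
	RedirectURI           string
}

// Constructed sample provider registry (placeholder hosts, not a real deployment).
var providers = map[string]SSOConfig{
	"keycloak": {
		AuthorizationEndpoint: "https://keycloak.example.com/realms/memos/protocol/openid-connect/auth",
		ClientID:              "memos",
		RedirectURI:           "https://memos.example.com/auth/callback",
	},
}

const stateCookie = "memos_sso_state" // assumed cookie name

// generateState returns 32 bytes from crypto/rand, URL-safe base64 encoded.
func generateState() (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(b), nil
}

// buildAuthURL assembles the OIDC authorization request; url.Values escapes
// every parameter, including the state.
func buildAuthURL(cfg SSOConfig, state string) (string, error) {
	u, err := url.Parse(cfg.AuthorizationEndpoint)
	if err != nil {
		return "", err
	}
	q := u.Query()
	q.Set("response_type", "code")
	q.Set("client_id", cfg.ClientID)
	q.Set("redirect_uri", cfg.RedirectURI)
	q.Set("scope", "openid profile email")
	q.Set("state", state)
	u.RawQuery = q.Encode()
	return u.String(), nil
}

// ssoRedirectHandler serves GET /auth/sso?provider=<name>. An unknown or
// unconfigured provider falls back to the normal login page.
func ssoRedirectHandler(w http.ResponseWriter, r *http.Request) {
	cfg, ok := providers[r.URL.Query().Get("provider")]
	if !ok {
		http.Redirect(w, r, "/", http.StatusFound)
		return
	}
	state, err := generateState()
	if err != nil {
		http.Error(w, "could not generate state", http.StatusInternalServerError)
		return
	}
	authURL, err := buildAuthURL(cfg, state)
	if err != nil {
		http.Error(w, "bad provider configuration", http.StatusInternalServerError)
		return
	}
	// The state travels back in this cookie, so the callback can verify it
	// without any browser-side JavaScript (no auto-click, no localStorage).
	http.SetCookie(w, &http.Cookie{
		Name:     stateCookie,
		Value:    state,
		Path:     "/auth",
		HttpOnly: true,
		Secure:   true,
		SameSite: http.SameSiteLaxMode,
		Expires:  time.Now().Add(10 * time.Minute),
	})
	http.Redirect(w, r, authURL, http.StatusFound)
}

// verifyCallbackState is the check the /auth/callback handler runs before
// exchanging the code: the state echoed by the provider must equal the cookie.
func verifyCallbackState(r *http.Request) error {
	c, err := r.Cookie(stateCookie)
	if err != nil || c.Value == "" {
		return errors.New("missing state cookie")
	}
	echoed := r.URL.Query().Get("state")
	if subtle.ConstantTimeCompare([]byte(c.Value), []byte(echoed)) != 1 {
		return errors.New("invalid state parameter")
	}
	return nil
}

func main() {
	http.HandleFunc("/auth/sso", ssoRedirectHandler)
	http.ListenAndServe(":8080", nil)
}
```

A dashboard button then only needs the plain link https://memos.example.com/auth/sso?provider=keycloak; the state cookie is scoped to /auth so it is sent on the callback and nowhere else, and it expires after ten minutes so a stale deep link cannot be replayed indefinitely.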