mirror of
https://github.com/louislam/uptime-kuma.git
synced 2026-03-02 22:57:00 -05:00
User Management: OpenID support (or SAML) #319
Originally created by @olivierlambert on GitHub (Oct 4, 2021).
That would be cool to get login working via an OpenID provider (using SSO in short, with Keycloak for example).
I know that keycloak-js can do it (https://www.keycloak.org/securing-apps/vue is a complete walk-through), or even https://www.npmjs.com/package/vue-oidc-client as a more generic one. There's also https://github.com/openid/AppAuth-JS
I'm not fluent enough in Vue, but I can do the tests for you on a dedicated branch if you like 👍
@eldiaboloz commented on GitHub (Oct 5, 2021):
Not exactly what you want, but if you put the service behind oauth2-proxy and then disable auth in uptime-kuma, you can integrate with keycloak and all other oauth2 providers that oauth2-proxy supports.
This will become a problem if there is support for more than one user in the future, but for now works great.
@olivierlambert commented on GitHub (Oct 5, 2021):
Thanks! That's interesting but I'd like to have the status page public, and be able to login for the dashboard (as now, but with Oauth).
Is that doable with oauth2-proxy?
@eldiaboloz commented on GitHub (Oct 5, 2021):
Yes, it is possible - the authentication is done in keycloak only. You need to set only which group from keycloak has access:
OAUTH2_PROXY_KEYCLOAK_GROUPS: /some-group
For the public status page you need to allow some urls:
OAUTH2_PROXY_SKIP_AUTH_REGEX=(/status|/assets/.*|/icon.svg)
Here is more documentation on using keycloak provider in oauth2-proxy
There is a little difference if you use env variables ( via docker ) or cfg file
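An audit of the skip-auth pattern from the comment above, as an added example that is not part of the original thread or of oauth2-proxy. It assumes the proxy applies the pattern as an unanchored search over the request path (the behaviour of Go's `regexp.MatchString`); the sample paths and the anchored variant are constructed for illustration.

```javascript
// Added example: audit which request paths a skip-auth pattern leaves
// unauthenticated.
// Assumption: the proxy runs the pattern as an unanchored search over the
// request path. RegExp.test gives the same result as Go's regexp for these
// backreference-free patterns.

// Pattern as posted in the thread.
const POSTED = "(/status|/assets/.*|/icon.svg)";
// Anchored variant: same three public areas, matched against the whole path.
const ANCHORED = "^(/status(/.*)?|/assets/.*|/icon\\.svg)$";

// Constructed sample paths; `public` records the intent and is not a claim
// about Uptime Kuma's real route table.
const SAMPLES = [
  { path: "/status", public: true },
  { path: "/status/main", public: true },
  { path: "/assets/index.js", public: true },
  { path: "/icon.svg", public: true },
  { path: "/dashboard", public: false },
  { path: "/dashboard/status", public: false },
  { path: "/api/private/assets/export", public: false },
  { path: "/settings/icon-svg", public: false },
];

// Return every path where the pattern's decision differs from the intent.
function auditSkipRegex(pattern, samples = SAMPLES) {
  const re = new RegExp(pattern);
  const findings = [];
  for (const { path, public: intended } of samples) {
    const skipped = re.test(path);
    if (skipped && !intended) findings.push({ path, issue: "auth skipped" });
    if (!skipped && intended) findings.push({ path, issue: "public path blocked" });
  }
  return findings;
}

console.log("posted:", auditSkipRegex(POSTED));
console.log("anchored:", auditSkipRegex(ANCHORED));
```

The posted pattern also skips authentication for paths that merely contain `/status` or `/assets/`, and its unescaped `.` matches any character; the anchored variant reports no findings on the same samples.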
@jack1902 commented on GitHub (Oct 19, 2021):
another alternative would be to use something like https://github.com/pomerium/pomerium (there are a few but this is one i have used in the past)
@olivierlambert commented on GitHub (Oct 19, 2021):
FYI @eldiaboloz it works with this solution for now. Even if I'd like "real" OpenID integration, this is enough for my use case 👍
@oussjarrousse commented on GitHub (Dec 24, 2022):
I think adding SSO integration (OAuth or SAML) would make this APP much more interesting for small businesses and small organisations, who already have a weak IT-department and trouble managing credentials...
@Maven35 commented on GitHub (Jan 25, 2023):
+1 i am looking for SSO integration at least either OIDC or SAML since I run keycloak in my environment
@Daemonslayer2048 commented on GitHub (Feb 5, 2023):
If it matters at all, I also would find (basic) SAML or OIDC support useful
@xgaia commented on GitHub (Feb 13, 2023):
I'm interested in the OpenID support too, and I'm interested in implementing the functionality. @louislam, do you accept PRs for this?
@piepmax commented on GitHub (Feb 16, 2023):
could you please post the relevant part of your docker-compose-file?
I always get a 404 of the oauth2-proxy.
@olivierlambert commented on GitHub (Feb 16, 2023):
I'm not using Docker at all.
@piepmax commented on GitHub (Feb 16, 2023):
@eldiaboloz commented on GitHub (Feb 16, 2023):
@maxulm
Here is my working example with cleaned up "secrets" and my domain name.
I think I ended up using cfg instead of .env because the skip_auth_routes needs to be an array and the regex was getting too complex to read
@piepmax commented on GitHub (Feb 17, 2023):
Thanks a lot!
@marekful commented on GitHub (Feb 26, 2023):
Hey @louislam how you going,
How would you receive a PR adding a basic OIDC login mechanism? (Similar to this one.)
Just a minimal integration whereby following a successful authentication with an Identity Provider, Uptime Kuma would check if there is an existing user in its system with a username matching the one extracted from the ID token issued by the IdP and log the user in to that account. This could be done using openid-client in under 500 lines of code in a day or two.
FYI @olivierlambert
@Lanhild commented on GitHub (Mar 11, 2023):
Uptime Kuma being a really great FOSS status service watcher (emphasizing on the "FOSS" as most status page providers make you pay ridiculous fees for the service it is), OIDC support would be greatly appreciated
@cwchristerw commented on GitHub (Jul 8, 2023):
Related to #21 #2280
@CommanderStorm commented on GitHub (Jul 8, 2023):
Not related to #2280, but an offshoot of https://github.com/louislam/uptime-kuma/issues/128:
Said issue being the one which goes into detail what systems need to be changed how to allow multiple users. PRs doing part of the work are appreciated.
The change suggested by @marekful seems quite daunting and really hard to implement+review.
Any PR in this field has to be:
@CrimsonFez commented on GitHub (Oct 8, 2023):
A simple implementation with oidc-client-ts could achieve the same result as using oauth2-proxy. I don't think user management would have to be a thing, just check if the user has a configured group or role. All user management happens in the oidc provider.
@VladoPortos commented on GitHub (Oct 9, 2023):
Yea, the implementation of OIDC would be a huge bonus for this app. Same as many, we run keycloak to access everything and I would be super happy if we got just verification: yes, this user is in this group, he can log in... It does not have to support full user management in the app. And a Log out button that works ( people tend to forget it :D )
@sniff122 commented on GitHub (Oct 13, 2023):
Been thinking about deploying this at work to provide some monitoring for our developers of services and having oauth2 would be SO much easier to handle. Something like an allowed domains thing too so then we can restrict which email domains can log in
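The login decision proposed in the comments above (map the ID token's username to an existing local account, require a configured group, optionally restrict email domains), as an added example that is not code from Uptime Kuma or from any commenter. It assumes the OIDC client library has already verified the token's signature, issuer, audience, expiry and nonce; the claim names (`preferred_username`, `groups`, `email`, `email_verified`) and every policy field are assumptions.

```javascript
// Added example: decide whether already-verified ID-token claims may log in.
// Assumption: signature, iss, aud, exp and nonce were checked by the OIDC
// client library; this function only applies local policy.

// Hypothetical policy; every field name and value here is illustrative.
const POLICY = {
  requiredGroup: "/uptime-kuma-admins",
  allowedEmailDomains: ["example.org"],
  localUsers: ["admin", "oncall"],
};

function authorizeClaims(claims, policy = POLICY) {
  const deny = (reason) => ({ allowed: false, reason });

  // The groups claim may be absent, a single string, or an array.
  const groups = [].concat(claims.groups ?? []);
  if (!groups.includes(policy.requiredGroup)) return deny("missing group");

  // Only rely on the email claim when the IdP asserts it is verified.
  if (policy.allowedEmailDomains.length > 0) {
    if (claims.email_verified !== true) return deny("email not verified");
    const email = String(claims.email ?? "");
    const at = email.lastIndexOf("@");
    const domain = at > 0 ? email.slice(at + 1).toLowerCase() : "";
    // Exact comparison: a suffix test would also accept "notexample.org".
    if (!policy.allowedEmailDomains.includes(domain)) return deny("email domain");
  }

  // Map to an existing account only; never create one implicitly.
  const username = claims.preferred_username;
  if (typeof username !== "string" || !policy.localUsers.includes(username)) {
    return deny("no local user");
  }
  return { allowed: true, username };
}

// Constructed claim set.
const SAMPLE_OK = {
  preferred_username: "oncall",
  groups: ["/uptime-kuma-admins"],
  email: "a@example.org",
  email_verified: true,
};
console.log(authorizeClaims(SAMPLE_OK));
console.log(authorizeClaims({ ...SAMPLE_OK, email: "a@notexample.org" }));
```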
@PurseChicken commented on GitHub (May 24, 2024):
+1000
@arunoruto commented on GitHub (Jan 18, 2025):
I started using beszel and it offloads its user management to PocketBase, which enables OIDC out of the box with some popular providers predefined!
I am not really familiar with it, but it also supports databases that users can look into via a WebUI.
It would introduce an additional dependency, but offloading such things should also make it easier to maintain the core features of the project, instead of venturing into side projects.
Another project which uses PB is UpSnap.
@EHRETic commented on GitHub (Mar 21, 2025):
I can only upvote Oauth/OIDC! 😊
@jannis6023 commented on GitHub (Apr 1, 2025):
A regex of all protected routes would be nice. Then the solution of using oauth2-proxy would be perfect. But as we want our status page to be visible to anyone, we would only need to secure /dashboard and all restricted api routes!
@thmo commented on GitHub (Apr 28, 2025):
Authentik has a guide on how to integrate with Uptime Kuma here.
The guide has a list of paths that do not need to be protected.
One merely cosmetic (I hope!) issue I noticed while testing this, is that a status page shows the knobs for editing the status page, or going to the dashboard, when one was logged in before - because there exists a token:autoLogin item in the browser's Local Storage. As far as I can see, this does not really allow to modify the status page, though, because the save knob does not work.
@mike12806 commented on GitHub (Jul 14, 2025):
Will uptime-kuma 2.0.0 include OIDC support?
@CommanderStorm commented on GitHub (Jul 14, 2025):
Negative, as user management requires multi-user support.
@learncoder4848 commented on GitHub (Sep 24, 2025):
@CommanderStorm I have implemented the working code for OIDC, can you guide me on the right steps to raise this feature request PR?
@CommanderStorm commented on GitHub (Sep 24, 2025):
You can open the PR, sure. But I will only look at it after we have basic multi user support.
Before this, OIDC does not make sense imo (happy to be proven wrong)
@MikeW1901 commented on GitHub (Oct 12, 2025):
I disagree that this doesn't have usefulness in its own right, for example being able to give access via e.g. Google Auth to a trusted set of individuals within an organisation, whilst giving one less password to worry about rotating when one of these users leaves the org.
@pro-sumer commented on GitHub (Oct 22, 2025):
(Native) OIDC support would allow us to log in using a passkey (via Pocket ID) instead of username, password and TOTP 2FA code.
(But yes, we can probably already achieve that using caddy-security and the like)
@learncoder4848 commented on GitHub (Oct 23, 2025):
As promised much awaited feature is here
https://github.com/louislam/uptime-kuma/pull/6232
Requesting you all to kindly take the pull, test the functionality, review it and let's push it to add this as feature.
FYI, the same is working with enterprise level SSO provider in production in my org 😎