OSS Obot ships the Google and GitHub auth providers; the OIDC vendor providers (Okta, Entra, Auth0, JumpCloud) are enterprise-gated. A generic OIDC provider would let self-hosters authenticate against any OIDC-compliant IdP (Keycloak, Authentik, Dex, Auth0, …) without an enterprise entitlement.
I have an implementation that mirrors the existing providers exactly — same oauth2-proxy setup, Options struct, shim endpoints (/obot-get-state, /obot-get-user-info, /obot-list-user-auth-groups), auth-providers/*.yaml manifest, and the shared PROVIDER_DIR Dockerfile (auto-discovered by make all-images). Login, email and groups come from the standard OIDC flow and the token groups claim.
It also adds an optional OBOT_OIDC_AUTH_PROVIDER_GROUP_ADMIN=keycloak that enumerates realm groups for the admin group picker and resolves per-user memberships via the Keycloak Admin API (off by default — the groups claim is used otherwise).
Branch for reference: https://github.com/we4sz/providers/tree/generic-oidc-auth-provider
Would you accept this as a PR, or is generic OIDC intentionally reserved for the enterprise providers?