[Feature] IPAM-015: Hybrid Authentication System #10

@tuxpeople

Problem Description

Production deployments need authentication and authorization. Small deployments need simple local user management, while enterprises need OIDC integration.

Proposed Solution

Hybrid authentication system supporting both local user management and OIDC via OAuth2 Proxy, configurable via environment variables.

Acceptance Criteria

  • Local Authentication: Built-in user registration, login, password reset
  • OAuth2 Proxy Support: OIDC integration via reverse proxy
  • Role-based Access Control: Admin, User, ReadOnly roles
  • Configurable Auth Mode: Environment variable to switch between modes
  • User Management UI: Admin interface for local users
  • Session Management: Secure session handling for both modes

Authentication Modes

Mode 1: Local Authentication (Default)

# .env
AUTH_MODE=local
SECRET_KEY=your-secret-key

Mode 2: OAuth2 Proxy

# docker-compose.auth.yml
services:
  oauth2-proxy:
    image: quay.io/oauth2-proxy/oauth2-proxy:latest
    environment:
      - OAUTH2_PROXY_UPSTREAM=http://ipam:5000
      - OAUTH2_PROXY_OIDC_ISSUER_URL=${OIDC_ISSUER}
  ipam:
    environment:
      - AUTH_MODE=proxy
      - AUTH_USER_HEADER=X-Forwarded-User

Feature Category

Authentication/Authorization

Priority

High

Additional Context

Technical Notes:

  • Use Flask-Login for local authentication
  • Header extraction for proxy-based auth
  • Unified User model supporting both auth types
  • Estimated effort: 3-4 days

Feature ID: IPAM-015
Category: Security
Version Target: v1.2.0 (Q1 2026)

Rationale: Maximum flexibility - simple setup for development/small deployments, enterprise-ready OIDC for larger organizations
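
An added example (not part of the issue or the project's code) of the "header extraction for proxy-based auth" note: the header named by AUTH_USER_HEADER is only meaningful when the request actually arrived from oauth2-proxy, so the check below ignores it in local mode and rejects it from any other peer. It works on a plain WSGI environ dict (for example Flask's `request.environ`); the `AUTH_TRUSTED_PROXIES` setting, the function names and the sample addresses are assumptions made for this sketch.

```python
import ipaddress


class AuthError(Exception):
    """Raised when a proxy-mode request cannot be trusted."""


def header_to_environ_key(name):
    # WSGI exposes the header "X-Forwarded-User" as "HTTP_X_FORWARDED_USER".
    return "HTTP_" + name.upper().replace("-", "_")


def resolve_proxy_user(environ, config):
    """Return the proxy-asserted username, or None when AUTH_MODE is not proxy."""
    if config.get("AUTH_MODE", "local") != "proxy":
        # Local mode: identity headers are client-controlled, so never read them.
        return None

    # AUTH_TRUSTED_PROXIES is a hypothetical setting, not one named in the issue:
    # comma-separated CIDRs that the oauth2-proxy container connects from.
    trusted = [
        ipaddress.ip_network(cidr.strip())
        for cidr in config.get("AUTH_TRUSTED_PROXIES", "").split(",")
        if cidr.strip()
    ]
    try:
        peer = ipaddress.ip_address(environ.get("REMOTE_ADDR", ""))
    except ValueError:
        raise AuthError("request has no usable peer address")
    if not any(peer in net for net in trusted):
        # Connection did not come through the proxy: the header proves nothing.
        raise AuthError(f"peer {peer} is not a trusted proxy")

    key = header_to_environ_key(config.get("AUTH_USER_HEADER", "X-Forwarded-User"))
    user = environ.get(key, "").strip()
    if not user:
        raise AuthError("trusted proxy sent no user header")
    return user


# Constructed sample requests (WSGI environ fragments), not captured traffic.
PROXY_CONFIG = {
    "AUTH_MODE": "proxy",
    "AUTH_USER_HEADER": "X-Forwarded-User",
    "AUTH_TRUSTED_PROXIES": "172.18.0.0/16",
}
VIA_PROXY = {"REMOTE_ADDR": "172.18.0.3", "HTTP_X_FORWARDED_USER": "alice"}
DIRECT = {"REMOTE_ADDR": "203.0.113.7", "HTTP_X_FORWARDED_USER": "alice"}
```

An empty or missing trusted-proxy list rejects every request, so a misconfigured proxy mode fails closed rather than trusting the header from anyone.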
