[Change]: OIDC/SSO Support for Self-Hosted Deployments #3237
Description
Browsertrix Host
Self-Hosted
What change would you like to see?
I would like to be able to authenticate via OIDC/SSO so that I can
use a single login across my self-hosted stack without a double
login screen.
Currently, self-hosted deployments behind a reverse proxy with an
identity provider (e.g. Authentik, Keycloak) still show Browsertrix's
own login page after the SSO gate, resulting in two separate logins.
Proposed change: add optional OIDC configuration to the Helm chart
values, so Browsertrix can validate tokens from an external identity
provider and map users on first login. When configured, the login page
would show a "Sign in with SSO" button. Falls back to local auth when
not configured — fully backwards compatible.
Example values:
oidc:
enabled: true
issuer_url: "https://auth.example.com/application/o/browsertrix/"
client_id: "your-client-id"
client_secret: "your-client-secret"
Additional details
No response