github hankscafe/omnibus v1.0.9-beta.050
Omnibus v1.0.9-beta.050

v1.0.9-beta.050 - feat(auth): implement enterprise-grade OIDC SSO support with group mapping

This commit introduces comprehensive OpenID Connect (OIDC) Single Sign-On capabilities to Omnibus, allowing seamless integration with Identity Providers like Authentik, Authelia, and Keycloak, while introducing strict security safeguards and API hardening.

Core Features:

  • OIDC Integration: Added OIDC provider to NextAuth configuration.
  • Dynamic Group Mapping: Parses groups or roles claims from the IdP to automatically map users to ADMIN or USER roles.
  • Auto-Approvals: Added configuration to automatically approve new accounts provisioned via SSO.

Security & API Hardening:

  • Force SSO Mode: Allows admins to completely disable native authentication and automatically redirect unauthenticated users to the IdP.
  • Break-Glass Admin Bypass: Appending ?local=true to the login URL bypasses the SSO auto-redirect, revealing the native login form to prevent server lockouts during IdP outages.
  • Backend Lockout Prevention: The config API now explicitly blocks enabling Force SSO if no local admin account with a password exists.
  • Endpoint Protection: Native registration and password reset API routes (/api/auth/register, /api/auth/reset-password) are strictly blocked when Force SSO is active.
  • Admin Safeguards: Admins are blocked from triggering password reset emails for users managed by an external IdP.

UI & UX Enhancements:

  • Admin Settings: Added full SSO configuration suite (Issuer, Client ID/Secret, Behavior Options, Group Mappings).
  • Setup Wizard: Mirrored SSO configuration into the initial server setup flow.
  • Security Warnings: Added dynamic UI alerts in Settings/Setup to warn admins if they enable Auto-Approve without specifying restrictive Group Mappings.
  • Profile Lockdown: The User Profile UI now dynamically detects SSO users and disables local Two-Factor Authentication and Password Change buttons.
  • User Management: Added a warning banner in the Admin Users dashboard when OIDC Group Sync is active, reminding admins that local role edits will be overwritten by the IdP.

Testing & Stability:

  • Test Environment Resilience: Wrapped systemSetting database calls in the native registration API with fallback logic to prevent 500 Internal Server Error crashes in isolated test environments (Jest/Vitest) where relational tables may not be fully mocked.

Resolves #102
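The group-to-role mapping, the Force SSO lockout guard and the endpoint gating described in these notes, written out as plain functions so the decisions can be tested in isolation. This is an added example, not code from the Omnibus repository: the function names (`mapClaimsToRole`, `canEnableForceSso`, `ssoGate`, `autoApproveNeedsWarning`), the `MAPPING` shape and the user-record fields (`externalId`, `passwordHash`) are assumptions, and the sample claims and users are constructed. In a NextAuth deployment these would sit in the provider's `profile`/`signIn` callback and in the config API route respectively.

```javascript
// Added example (not Omnibus's own code). Field and function names are hypothetical.
const ROLES = { ADMIN: "ADMIN", USER: "USER" };

// Constructed group mapping: which IdP groups confer each Omnibus role.
const MAPPING = { admin: ["omnibus-admins"], user: ["omnibus-users"] };

// IdPs vary in how they emit group claims: an array, a single string, or nothing.
function claimToList(value) {
  if (Array.isArray(value)) return value.filter((v) => typeof v === "string");
  if (typeof value === "string") return [value];
  return [];
}

// Map `groups` / `roles` claims to a role. Admin wins over user; no match returns null
// so the caller denies by default instead of silently provisioning a USER.
function mapClaimsToRole(claims, mapping) {
  const groups = new Set([...claimToList(claims.groups), ...claimToList(claims.roles)]);
  if (mapping.admin.some((g) => groups.has(g))) return ROLES.ADMIN;
  if (mapping.user.some((g) => groups.has(g))) return ROLES.USER;
  return null;
}

// Lockout guard: Force SSO may only be enabled while at least one local (non-IdP)
// ADMIN with a usable password exists, so the break-glass form still works.
function canEnableForceSso(users) {
  return users.some(
    (u) =>
      u.role === ROLES.ADMIN &&
      !u.externalId &&
      typeof u.passwordHash === "string" &&
      u.passwordHash.length > 0
  );
}

// Routes that must not be reachable while Force SSO is active.
const BLOCKED_UNDER_FORCE_SSO = ["/api/auth/register", "/api/auth/reset-password"];

// Decide how a request is handled under Force SSO:
//   "block"    native registration / password-reset API routes
//   "redirect" unauthenticated login page without the break-glass flag
//   "allow"    everything else, including /login?local=true
function ssoGate({ forceSso, pathname, search, authenticated }) {
  if (!forceSso) return "allow";
  if (BLOCKED_UNDER_FORCE_SSO.includes(pathname)) return "block";
  if (pathname === "/login") {
    const params = new URLSearchParams(search || "");
    if (params.get("local") === "true") return "allow"; // break-glass bypass
    return authenticated ? "allow" : "redirect";
  }
  return "allow";
}

// Settings UI warning: auto-approving SSO accounts with no group mapping means
// every IdP user is provisioned, so flag that combination.
function autoApproveNeedsWarning({ autoApprove, mapping }) {
  const hasMapping = mapping.admin.length > 0 || mapping.user.length > 0;
  return Boolean(autoApprove) && !hasMapping;
}

// Constructed sample data for a quick run.
const SAMPLE_CLAIMS = { groups: ["staff", "omnibus-admins"], roles: "viewer" };
const SAMPLE_USERS = [
  { role: "ADMIN", externalId: "idp|1", passwordHash: null },
  { role: "ADMIN", externalId: null, passwordHash: "$2b$10$constructedhash" },
];

console.log(mapClaimsToRole(SAMPLE_CLAIMS, MAPPING)); // ADMIN
console.log(canEnableForceSso(SAMPLE_USERS)); // true
console.log(ssoGate({ forceSso: true, pathname: "/login", search: "", authenticated: false })); // redirect
```

`mapClaimsToRole` returns `null` rather than defaulting to `USER` when nothing matches; combined with the auto-approve warning, that is what keeps an unrestricted IdP from becoming an open registration path.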
