Beta Release — OIDC Single Sign-On (#70)
This is a beta release for testing the new OIDC SSO feature. Please report any issues or feedback on #70.
OIDC Single Sign-On
Generic OpenID Connect SSO that works with any OIDC-compliant identity provider — Keycloak, Authentik, Azure AD, Google Workspace, Okta, Auth0, Authelia, and more.
Setup: Settings > Authentication tab
- Enter your provider's discovery URL, client ID, and client secret
- Configure how new SSO users are handled:
  - Deny access (must pre-create user with matching email)
  - Create user pending admin approval
  - Create user with permissions copied from a template user
- Customize the SSO button label
- Optional: enable OIDC logout to sign out of the identity provider when logging out of BBS
Login page shows an SSO button alongside the existing username/password form. Existing local login is unaffected.
OIDC callback URL to configure in your identity provider:
https://your-bbs-server/login/oidc/callback
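A pre-flight check for the discovery URL entered during setup, as an added example that is not part of BBS: it validates a provider's discovery document before the client ID and secret are saved. The host idp.example.com and the sample document are constructed. That BBS uses the authorization code flow and requests the email scope are assumptions.

```python
from urllib.parse import urlsplit

WELL_KNOWN = "/.well-known/openid-configuration"

def check_discovery(discovery_url, doc, want_logout=False):
    """Return a list of problems in a parsed OIDC discovery document."""
    problems = []
    # OIDC Discovery: issuer (minus trailing "/") + suffix must equal the URL fetched.
    if doc.get("issuer", "").rstrip("/") + WELL_KNOWN != discovery_url:
        problems.append("issuer does not match discovery URL")
    # Endpoints the login flow depends on must exist and use TLS.
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        value = doc.get(key)
        if not value:
            problems.append(f"missing {key}")
        elif urlsplit(value).scheme != "https":
            problems.append(f"{key} is not https")
    # Assumption: the relying party uses the authorization code flow.
    if "code" not in doc.get("response_types_supported", []):
        problems.append("response type 'code' not advertised")
    # ID tokens must be signed; "none" alone means unsigned tokens.
    algs = doc.get("id_token_signing_alg_values_supported", [])
    if not any(a != "none" for a in algs):
        problems.append("no ID token signing algorithm advertised")
    # The deny policy matches users by email, so the email scope should be
    # offered (scopes_supported is optional metadata; check only if present).
    scopes = doc.get("scopes_supported")
    if scopes is not None and "email" not in scopes:
        problems.append("email scope not advertised")
    # The optional OIDC logout setting needs the provider's logout endpoint.
    if want_logout and not doc.get("end_session_endpoint"):
        problems.append("logout enabled but no end_session_endpoint")
    return problems

# Constructed sample document (hypothetical provider idp.example.com).
BASE = "https://idp.example.com/realms/bbs"
SAMPLE_URL = BASE + WELL_KNOWN
SAMPLE_DOC = {
    "issuer": BASE,
    "authorization_endpoint": BASE + "/auth",
    "token_endpoint": BASE + "/token",
    "jwks_uri": BASE + "/certs",
    "end_session_endpoint": BASE + "/logout",
    "response_types_supported": ["code"],
    "scopes_supported": ["openid", "email", "profile"],
    "id_token_signing_alg_values_supported": ["RS256"],
}

if __name__ == "__main__":
    print(check_discovery(SAMPLE_URL, SAMPLE_DOC, want_logout=True) or "ok")
```

To check a real provider, fetch its discovery URL, parse the JSON, and pass the resulting dict as `doc`.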
Also Includes
- System-wide default theme setting (Settings > General)
- Branding tab (custom navbar icon, login logo, login page theme override)
- ClickHouse thread pool reduction (~800 → ~50-80 threads)
- Borg update retry loop prevention on persistent failures
- Archive list and individual archive deletion on repo detail page
- Restore point dropdowns show backup plan name
How to Install
- Bare metal (beta channel): Enable "Include Beta Versions" in Settings > Updates, then check for updates
- Docker: docker pull marcpope/borgbackupserver:v2.24.0-beta.1 (not included in latest)
Feedback
Please test and share your experience on #70. We're looking for feedback on:
- Setup experience with different identity providers
- New user handling policies (deny / pending / copy)
- Any issues with the login flow or session handling