[feature] oidc authentication for NPMplus web admin interface

[alexsalex]

As we discuss could you implement NginxProxyManager#4010 this in to NPMplus.

This helps a lot in env and a lot of users waiting on this feature.

Please)

[alexsalex]

And forget: I have 7 instances of NPM... each time to create manually user is annoying, controls access to instances impossible. But with SSO will bet easy to do that.

[Zoey2936]

It is completely untested by me, but if you want you can try this tag of NPMplus: ghcr.io/zoeyvid/npmplus:pr-1668
I upgraded the odic module to v6 which had breaking changes, so it was more then just a rebase and there could be alot broken and may not work, so please test it

[alexsalex]

sure) will test it. Thank you so much

[alexsalex]

/app/node_modules/knex/lib/dialects/better-sqlite3/index.js:44

    const response = await statement.run(bindings);

                                    ^

SqliteError: insert into 'setting' ('description', 'id', 'meta', 'name', 'value') values ('What to show when Nginx is hit with an 
unknown Host', 'default-site', '{}', 'Default Site', 'congratulations') - UNIQUE constraint failed: setting.id
    at Client_BetterSQLite3._query (/app/node_modules/knex/lib/dialects/better-sqlite3/index.js:44:38)
    at executeQuery (/app/node_modules/knex/lib/execution/internal/query-executioner.js:37:17)
    at Client_BetterSQLite3.query (/app/node_modules/knex/lib/client.js:154:12)
    at Runner.query (/app/node_modules/knex/lib/execution/runner.js:141:36)
    at ensureConnectionCallback (/app/node_modules/knex/lib/execution/internal/ensure-connection-callback.js:13:17)
    at Runner.ensureConnection (/app/node_modules/knex/lib/execution/runner.js:318:20)
    at async Runner.run (/app/node_modules/knex/lib/execution/runner.js:30:19)
    at async QueryBuilder.execute (/app/node_modules/objection/lib/queryBuilder/QueryBuilder.js:446:22) {

  code: 'SQLITE_CONSTRAINT_PRIMARYKEY'

}

Node.js v22.13.1

Got this error, nginx doesn't work, can't open any site.

[Zoey2936]

you can repull the image and retry in around 5 minutes

[alexsalex]

Same issue, the image the same in pr. Nothing was pulled.

[Zoey2936]

ok, please try again with the newest build which should be ready in a few minutes

[alexsalex]

Error gone, looks good. Give me couple of days to test it with different SSO. Now looks really good! THANK YOU!

[alexsalex]

Set up and configured as my NPM dev with OIDC support. On NPM works without issue, on NPMplus have this error:

[Zoey2936]

Is something ligged in the docker logs?

[alexsalex]

2025/03/30 21:59:58 [warn] 283#283: could not build optimal variables_hash, you should increase either variables_hash_max_size: 1024 or variables_hash_bucket_size: 64; ignoring variables_hash_bucket_size
[IP Ranges] › ℹ  info      Fetching IP Ranges from online services...
[IP Ranges] › ℹ  info      Fetching https://www.cloudflare.com/ips-v4
[IP Ranges] › ℹ  info      Fetching https://www.cloudflare.com/ips-v6
[Global   ] › ⬤  debug     CMD: certbot-ocsp-fetcher.sh -c /data/tls/certbot/live -o /data/tls/certbot/live --no-reload-webserver --quiet
[Global   ] › ⬤  debug     CMD: nginx -tq
[Nginx    ] › ℹ  info      Reloading Nginx
[Global   ] › ⬤  debug     CMD: nginx -s reload
2025/03/30 22:59:57 [warn] 283#283: could not build optimal variables_hash, you should increase either variables_hash_max_size: 1024 or variables_hash_bucket_size: 64; ignoring variables_hash_bucket_size
[OIDC     ] › ℹ  info      Initializing OAuth flow
[OIDC     ] › ✖  error     Callback error: "server" must be an instance of URL

If you tell me how to turn on the debug logs, will send debug info to you

This is how it should be:

[3/31/2025] [6:32:00 AM] [OIDC     ] › ℹ  info      Initializing OAuth flow
[3/31/2025] [6:32:01 AM] [OIDC     ] › ℹ  info      Authorization URL: https://
[3/31/2025] [6:32:03 AM] [OIDC     ] › ℹ  info      Processing callback
[3/31/2025] [6:32:04 AM] [OIDC     ] › ℹ  info      Successful authentication for email user@dazab.com

[alexsalex]

I think missed the string to display right name of the button too

[Zoey2936]

I think missed the string to display right name of the button too

this should be fixed

[Zoey2936]

2025/03/30 21:59:58 [warn] 283#283: could not build optimal variables_hash, you should increase either variables_hash_max_size: 1024 or variables_hash_bucket_size: 64; ignoring variables_hash_bucket_size
[IP Ranges] › ℹ  info      Fetching IP Ranges from online services...
[IP Ranges] › ℹ  info      Fetching https://www.cloudflare.com/ips-v4
[IP Ranges] › ℹ  info      Fetching https://www.cloudflare.com/ips-v6
[Global   ] › ⬤  debug     CMD: certbot-ocsp-fetcher.sh -c /data/tls/certbot/live -o /data/tls/certbot/live --no-reload-webserver --quiet
[Global   ] › ⬤  debug     CMD: nginx -tq
[Nginx    ] › ℹ  info      Reloading Nginx
[Global   ] › ⬤  debug     CMD: nginx -s reload
2025/03/30 22:59:57 [warn] 283#283: could not build optimal variables_hash, you should increase either variables_hash_max_size: 1024 or variables_hash_bucket_size: 64; ignoring variables_hash_bucket_size
[OIDC     ] › ℹ  info      Initializing OAuth flow
[OIDC     ] › ✖  error     Callback error: "server" must be an instance of URL

If you tell me how to turn on the debug logs, will send debug info to you

This is how it should be:

[3/31/2025] [6:32:00 AM] [OIDC     ] › ℹ  info      Initializing OAuth flow
[3/31/2025] [6:32:01 AM] [OIDC     ] › ℹ  info      Authorization URL: https://
[3/31/2025] [6:32:03 AM] [OIDC     ] › ℹ  info      Processing callback
[3/31/2025] [6:32:04 AM] [OIDC     ] › ℹ  info      Successful authentication for email user@dazab.com

can you try if it maybe works now?

[alexsalex]

Got this:

2025/03/31 09:26:24 [notice] 285#285: parsed a resolver: "[fcff:1203:1::20]" in /usr/local/nginx/conf/nginx.conf:182
[Global   ] › ℹ  info      Using Sqlite: /data/npmplus/database.sqlite
/app/routes/oidc.js:67
	return await client.discovery(server: settings.meta.issuerURL, clientId: settings.meta.clientID, clientSecret: settings.meta.clientSecret);
	                              ^^^^^^
SyntaxError: missing ) after argument list
    at wrapSafe (node:internal/modules/cjs/loader:1512:18)
    at Module._compile (node:internal/modules/cjs/loader:1534:20)
    at Object..js (node:internal/modules/cjs/loader:1699:10)
    at Module.load (node:internal/modules/cjs/loader:1313:32)
    at Function._load (node:internal/modules/cjs/loader:1123:12)
    at TracingChannel.traceSync (node:diagnostics_channel:322:14)
    at wrapModuleLoad (node:internal/modules/cjs/loader:217:24)
    at Module.require (node:internal/modules/cjs/loader:1335:12)
    at require (node:internal/modules/helpers:136:16)
    at Object.<anonymous> (/app/routes/main.js:22:21)
Node.js v22.13.1

[Zoey2936]

if you want you can test again

[alexsalex]

@Zoey2936 I want) I would like to help. You built the wonderful product)

Let me check

[alexsalex]

Nothing changed, same image:

[Global   ] › ℹ  info      Using Sqlite: /data/npmplus/database.sqlite
/app/routes/oidc.js:67
	return await client.discovery(server: settings.meta.issuerURL, clientId: settings.meta.clientID, clientSecret: settings.meta.clientSecret);
	                              ^^^^^^
SyntaxError: missing ) after argument list
    at wrapSafe (node:internal/modules/cjs/loader:1512:18)
    at Module._compile (node:internal/modules/cjs/loader:1534:20)
    at Object..js (node:internal/modules/cjs/loader:1699:10)
    at Module.load (node:internal/modules/cjs/loader:1313:32)
    at Function._load (node:internal/modules/cjs/loader:1123:12)
    at TracingChannel.traceSync (node:diagnostics_channel:322:14)
    at wrapModuleLoad (node:internal/modules/cjs/loader:217:24)
    at Module.require (node:internal/modules/cjs/loader:1335:12)
    at require (node:internal/modules/helpers:136:16)
    at Object.<anonymous> (/app/routes/main.js:22:21)
Node.js v22.13.1

[Zoey2936]

Ohh, the image was not build because of a merge conföict, dhoild be built now

[alexsalex]

Super! Looks almost good))))

[OIDC     ] › ℹ  info      Initializing OAuth flow
[OIDC     ] › ℹ  info      Authorization URL: https://&response_type=code
[OIDC     ] › ℹ  info      Processing callback
[OIDC     ] › ✖  error     Callback error: "currentUrl" must be an instance of URL, or Request

Here something with languge:

[Zoey2936]

Should be fixed, I think

[alexsalex]

[OIDC     ] › ℹ  info      Initializing OAuth flow
[OIDC     ] › ℹ  info      Authorization URL: https://&response_type=code
[OIDC     ] › ℹ  info      Processing callback
[OIDC     ] › ✖  error     Callback error: invalid response encountered

[Zoey2936]

Did you removed the domain or is it missing?

[alexsalex]

I removed it

[alexsalex]

[OIDC     ] › ℹ  info      Authorization URL: https://piu.piu.net/application/o/authorize/?redirect_uri=https%3A%2F%2Fnpm.pim.pim%3A81%2Fapi%2Foidc%2Fcallback&scope=openid+email+profile&code_challenge=LVplp8eDjo8dimC8TBIgMld2k0JkCL4qSfO3bTHJF_8&code_challenge_method=S256&client_id=clientid&response_type=code
[OIDC     ] › ℹ  info      Processing callback
[OIDC     ] › ✖  error     Callback error: invalid response encountered

[Zoey2936]

Ok, I will check this later

[Zoey2936]

do you use openid or oauth?

[alexsalex]

OAuth2/OpenID Provider - shows in Authentik

But looks like OAuth 2.0 provider

[Zoey2936]

ok since I in the upgrade to v6 of the client I only mad eit work with openid, not oauth, will try to make it alsow ork with oauth

[alexsalex]

NPM with this PR works without any issue with the same settings, even same application in Authentik.

[Zoey2936]

Yes I know, I will adjust it to work with oauth too

[alexsalex]

Any luck?)

[Zoey2936]

sorry, I had no time yeet

[alexsalex]

No worries) I will wait. Take your time.