Hello everyone!
I've been upgrading my homelab to use PocketID SSO where possible for all my logins. I ran into an issue with OPNsense, which only supported a single-password solution. I could have proxied my SSO with an LDAP or RADIUS server (or just used Authentik), but it was adding extra complexity and not what I wanted (a single button to sign in).
So... I took it upon myself to implement OpenID Connect into OPNsense as a plugin! It appears under Access > Servers and will let you configure an OIDC client to log in with a single press!
The plugin works flawlessly and is in a pretty good state at the moment; however, I would like a code review, so please tell me what I might be missing. Since it is a security-related plugin, the more eyes the better.
I do also use some _questionable_ hacks to get the custom UI for editing configuration. I'm not sure if it's worth hacking up the UI with JS or just moving to a separate menu item and not using the Access > Servers menu (which would suck from a UX discoverability perspective).
Anyways, I have it self-hosted on my Gitea (for super fast FreeBSD CI), but I have a mirror available on GitHub:
https://github.com/Lachee/opnsense-oidc
Please let me know what you think :)
Just FYI (without discrediting any of the above efforts), the next business edition in October will include OIDC for WebGUI, Captive Portal and OPNWAF (Apache2-based Web Application Firewall).
So you could get a secure implementation that is supported and maintained by the project directly.
Quote from: Monviech (Cedrik) on September 13, 2025, 01:25:58 PM
Just FYI (without discrediting any of the above efforts), the next business edition in October will include OIDC for WebGUI, Captive Portal and OPNWAF (Apache2-based Web Application Firewall).
So you could get a secure implementation that is supported and maintained by the project directly.
Yeah, I was aware, and I am utilising some of the initial framework they have added. However, I am using OPNsense for my personal internet and do not have a business license. So I created a smaller (and probably less featured) solution for the open source version.
At the time I also thought the SSO was only for the Captive Portal, hehe. Oh well, this solution I made still suits my needs :)
Yeah, it's always nice to build something for yourself; I'm happy that it works.
I wanted to hint at the business edition including the feature soon, since it's also certified independently each release, so security concerns are addressed.
https://docs.opnsense.org/security.html#framework-type-of-testing-lince
This means for an authentication feature like this there is a little more "compliency" (if that's the right word xD).