OPNsense Forum

English Forums => Development and Code Review => Topic started by: lachee on September 13, 2025, 07:28:42 AM

Title: OpenID Connect SSO plugin
Post by: lachee on September 13, 2025, 07:28:42 AM
Hello everyone!

I've been upgrading my homelab to use PocketID SSO where possible for all my logins. I ran into an issue with OPNsense, which only supported a single-password solution. I could have proxied my SSO with an LDAP or RADIUS server (or just used Authentik), but it was adding extra complexity and not what I wanted (a single button to sign in).

So... I took it upon myself to implement OpenID Connect into OPNsense as a plugin! It appears under Access > Servers and will let you configure an OIDC client to log in with a single press!

The plugin works flawlessly and is in a pretty good state at the moment; however, I would like a code review, so tell me what I might be missing. Since it is a security-related plugin, the more eyes the better.

I do also use some _questionable_ hacks to get the custom UI for editing configuration. I'm not sure if it's worth hacking up the UI with JS or just moving to a separate menu item and not using the Access > Servers menu (which would suck from a UX discoverability perspective).

Anyway, I have it self-hosted on my Gitea (for super fast FreeBSD CI), but I have a mirror available on GitHub:
https://github.com/Lachee/opnsense-oidc

Please let me know what you think :)

Title: Re: OpenID Connect SSO plugin
Post by: Monviech (Cedrik) on September 13, 2025, 01:25:58 PM
Just FYI (without discrediting any of the above efforts), the next business edition in October will include OIDC for WebGUI, Captive Portal and OPNWAF (Apache2-based Web Application Firewall).

So you could get a secure implementation that is supported and maintained by the project directly.
Title: Re: OpenID Connect SSO plugin
Post by: lachee on September 13, 2025, 01:59:40 PM
Quote from: Monviech (Cedrik) on September 13, 2025, 01:25:58 PM
Just FYI (without discrediting any of the above efforts), the next business edition in October will include OIDC for WebGUI, Captive Portal and OPNWAF (Apache2-based Web Application Firewall).

So you could get a secure implementation that is supported and maintained by the project directly.

Yeah, I was aware, and I am utilising some of the initial framework they have added. However, I am using OPNsense for my personal internet and do not have a business license. So I created a smaller (and probably less featured) solution for the open source version.

At the time I also thought the SSO was only for the Captive Portal, hehe. Oh well, this solution I made still suits my needs :)
Title: Re: OpenID Connect SSO plugin
Post by: Monviech (Cedrik) on September 13, 2025, 03:06:40 PM
Yeah, it's always nice to build something for yourself; I'm happy that it works.

I wanted to hint at the business edition including the feature soon, since it's also certified independently each release, so security concerns are addressed.

https://docs.opnsense.org/security.html#framework-type-of-testing-lince

This means for an authentication feature like this there is a little more "compliency" (if that's the right word xD).
Title: Re: OpenID Connect SSO plugin
Post by: Heliox on September 20, 2025, 08:41:10 PM
Very nice work. I would like to have it as well. The other people do have a point regarding security, but on the other hand Franco also wrote that contributions are welcome here: https://forum.opnsense.org/index.php?topic=41661.0. So maybe provide a PR and get feedback?
Title: Re: OpenID Connect SSO plugin
Post by: r.vandijk on October 16, 2025, 10:43:27 AM
Quote from: Monviech (Cedrik) on September 13, 2025, 01:25:58 PM
the next business edition in October will include OIDC for WebGUI, Captive Portal and OPNWAF (Apache2-based Web Application Firewall).

Do you know if OIDC support for OpenVPN is also in the works?
That is the only reason I can't deploy OPNsense at the moment, because we deploy FortiClient with SAML authentication for our customers at the moment.
Title: Re: OpenID Connect SSO plugin
Post by: Cerberus on October 16, 2025, 06:56:27 PM
Anyone having luck with the new SSO feature?

I tried to set up OIDC with Authentik for admin UI login. It forwards to Authentik, does auth and jumps back to OPNsense: no login, no error, just the login mask of OPNsense. I enabled "Extensive log (debug)" in OPNsense, but there is absolutely nothing in any of the logs (audit, backend, general, web).

Update:
I got more log information by looking in /var/log/audit/latest.log

It has two lines that contain this:

... OIDC requestUserInfo received --> ...
... Successful login for user '' from: ...

Looks like there is no username; the token provides email and preferedUsername, and I tried both, but OPNsense shows just ''.
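The empty-username audit line above is the kind of outcome an authentication path should never produce. The following is an added example in Python (not code from Lachee's plugin or from the OPNsense OIDC implementation) of a claim-to-username mapper that fails closed when the configured claim is missing or blank and names the claims that did arrive, so a mapping mismatch is visible in the log; `resolve_username`, `LoginResult` and the sample claims are my own constructions.

```python
# Added example, not code from the OPNsense plugin or from the project's
# OIDC implementation: map an OIDC claim to a local username and fail closed
# when the configured claim is missing or empty, instead of producing the
# "Successful login for user ''" audit line quoted in the thread.
from dataclasses import dataclass


@dataclass
class LoginResult:
    ok: bool
    username: str
    reason: str


# Constructed sample of what a provider's UserInfo endpoint might return.
SAMPLE_CLAIMS = {
    "sub": "c0ffee-0001",
    "email": "alice@example.test",
    "preferred_username": "alice",
}


def resolve_username(claims: dict, claim_name: str) -> LoginResult:
    """Return the login decision for the configured username claim.

    A missing, non-string or blank claim is a rejection, never a login as
    user ''. The reason lists the claim names that were actually received,
    which is what an admin needs to spot a mismatch such as a configured
    'preferedUsername' against a provider that sends 'preferred_username'.
    """
    value = claims.get(claim_name)
    if isinstance(value, str) and value.strip():
        return LoginResult(True, value.strip(), f"username taken from claim '{claim_name}'")
    present = ", ".join(sorted(claims)) or "none"
    return LoginResult(
        False,
        "",
        f"claim '{claim_name}' missing or empty; claims received: {present}",
    )


if __name__ == "__main__":
    # Second iteration reproduces the mismatch case from the thread.
    for name in ("preferred_username", "preferedUsername"):
        r = resolve_username(SAMPLE_CLAIMS, name)
        status = "Successful login" if r.ok else "Rejected login"
        print(f"{status} for user '{r.username}' ({r.reason})")
```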
Title: Re: OpenID Connect SSO plugin
Post by: Monviech (Cedrik) on October 16, 2025, 08:21:29 PM
We tested it with Azure and JumpCloud, it should work with any OpenID Connect certified identity provider.
Title: Re: OpenID Connect SSO plugin
Post by: Monviech (Cedrik) on October 16, 2025, 08:23:11 PM
Quote from: r.vandijk on October 16, 2025, 10:43:27 AM
Quote from: Monviech (Cedrik) on September 13, 2025, 01:25:58 PM
the next business edition in October will include OIDC for WebGUI, Captive Portal and OPNWAF (Apache2-based Web Application Firewall).

Do you know if OIDC support for OpenVPN is also in the works?
That is the only reason I can't deploy OPNsense at the moment, because we deploy FortiClient with SAML authentication for our customers at the moment.

Right now it does not support OpenVPN. But you could force SSO in a Captive Portal on top of OpenVPN. The Captive Portal has SSO now.
Title: Re: OpenID Connect SSO plugin
Post by: Cerberus on October 17, 2025, 10:56:29 AM
Quote from: Monviech (Cedrik) on October 16, 2025, 08:21:29 PM
We tested it with Azure and JumpCloud, it should work with any OpenID Connect certified identity provider.

I use Authentik on my private OPNsense (Business Edition) and plan to use Entra ID (Azure) on our company OPNsense for WAF; let's see if this behaves differently.
Title: Re: OpenID Connect SSO plugin
Post by: opnsense_ci on February 02, 2026, 11:46:24 AM
I've just purchased a business licence to try this out. I have followed the documentation I could find and am able to log in with Entra ID; however, I can't quite figure out how to configure group-based permissions. Frustratingly, I can't seem to find a specific guide for setting up OIDC with Entra ID.

So how do groups work? I don't see anything useful in the logs either.
Title: Re: OpenID Connect SSO plugin
Post by: Heliox on February 02, 2026, 11:00:36 PM
This plugin does not require the business license. Whether it works for your use case I do not know. I have been using it in a simple private setup (Authentik) and am very happy.

For the OIDC you get in the business version, this seems to be the documentation: https://docs.opnsense.org/vendor/deciso/oidc.html. I suggest you move your question to another topic if it is not about Lachee's version.

Title: Re: OpenID Connect SSO plugin
Post by: chmi77 on February 05, 2026, 06:07:50 PM
@Monviech (Cedrik)
Honestly, I do not think it's a good idea to start hiding functions like this behind a paywall. I saw a lot of forking projects in the past for exactly this reason. Just explain: why paywall OIDC and not LDAP, RADIUS or anything else?
This is far from "open".
Those functions should be open for everyone.

@Heliox keep up the work; let me know if you need support with anything.