OpenID Connect SSO plugin

Started by lachee, September 13, 2025, 07:28:42 AM

Hello everyone!

I've been upgrading my homelab to use PocketID SSO where possible for all my logins. I ran into an issue with OPNsense, which only supported a single-password solution. I could have proxied my SSO with an LDAP or RADIUS server (or just used Authentik), but it was adding extra complexity and not what I wanted (a single button to sign in).

So... I took it upon myself to implement OpenID Connect into OPNsense as a plugin! It appears as an Access > Servers entry and will let you configure an OIDC client to log in with a single press!

The plugin works flawlessly and is in a pretty good state at the moment; however, I would like a code review, so please tell me what I might be missing. Since it is a security-related plugin, the more eyes the better.

I do also use some _questionable_ hacks to get the custom UI for editing configuration. I'm not sure if it's worth hacking up the UI with JS or just moving to a separate menu item and not using the Access > Servers menu (which would suck from a UX discoverability perspective).

Anyways, I have it self-hosted on my Gitea (for super fast FreeBSD CI), but I have a mirror available on GitHub:
https://github.com/Lachee/opnsense-oidc

Please let me know what you think :)



September 13, 2025, 01:25:58 PM #1 Last Edit: September 13, 2025, 01:31:29 PM by Monviech (Cedrik)
Just FYI (without discrediting any of the above efforts), the next business edition in October will include OIDC for WebGUI, Captive Portal and OPNWAF (Apache2 based Web Application Firewall).

So you could get a secure implementation that is supported and maintained by the project directly.
Hardware:
DEC740

Quote from: Monviech (Cedrik) on September 13, 2025, 01:25:58 PM
Just FYI (without discrediting any of the above efforts), the next business edition in October will include OIDC for WebGUI, Captive Portal and OPNWAF (Apache2 based Web Application Firewall).

So you could get a secure implementation that is supported and maintained by the project directly.

Yeah, I was aware, and I am utilising some of the initial framework they have added. However, I am using OPNsense for my personal internet and do not have a business license. So I created a smaller (and probably less featured) solution for the open source version.

At the time I also thought the SSO was only for the Captive Portal too hehe. Oh well, this solution I made still suits my needs :)

Yeah, it's always nice to build something for yourself, I'm happy that it works.

I wanted to hint at the business edition including the feature soon, since it's also certified independently each release, so security concerns are addressed.

https://docs.opnsense.org/security.html#framework-type-of-testing-lince

This means for an authentication feature like this there is a little more "compliency" (if that's the right word xD).
Hardware:
DEC740

Very nice work. I would like to have it as well. The other people do have a point regarding security, but on the other hand Franco also wrote that contributions are welcome here https://forum.opnsense.org/index.php?topic=41661.0. So maybe propose a PR and get feedback?

Quote from: Monviech (Cedrik) on September 13, 2025, 01:25:58 PM
the next business edition in October will include OIDC for WebGUI, Captive Portal and OPNWAF (Apache2 based Web Application Firewall).

Do you know if OIDC support for OpenVPN is also in the works?
That is the only reason I can't deploy OPNsense at the moment, because we deploy FortiClient with SAML authentication for our customers at the moment.

October 16, 2025, 06:56:27 PM #6 Last Edit: October 16, 2025, 07:40:55 PM by Cerberus
Anyone having luck with the new SSO feature?

I tried to set up OIDC with Authentik for admin UI login. It forwards to Authentik, does auth and jumps back to OPNsense: no login, no error, just the login mask of OPNsense. I enabled "Extensive log (debug)" in OPNsense, but there is absolutely nothing in any of the logs (audit, backend, general, web).

Update:
Got more log information by looking in /var/log/audit/latest.log.

Got two lines that contain this:

... OIDC requestUserInfo received --> ...
... Successful login for user '' from: ...

Looks like there is no username; the token provides email and preferedUsername. I tried both, but OPNsense shows just ''.
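The "Successful login for user ''" line above is the failure mode worth guarding against in any OIDC login: the configured username claim does not match a claim the provider actually sends, the lookup yields an empty string, and the empty string is then treated as a principal. The following is an added example (Python, not code from OPNsense or from the plugin linked above) showing the two checks a practitioner wants at this point: a payload decoder used only to inspect which claim names the provider really emits (the configured name must match exactly; `preferred_username` with an underscore is the standard OIDC claim), and a username resolver that falls back from the configured claim to a verified `email` and refuses to return an empty name rather than letting an empty login succeed. The claim values, the token and the function names are constructed for illustration.

```python
import base64
import json


def _b64url(data: bytes) -> str:
    """base64url without padding, as used by JWT segments."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


# Constructed sample claims (example data only, not from a real provider).
# 'preferred_username' is the standard OIDC claim name; note the underscore.
SAMPLE_CLAIMS = {
    "sub": "f3b1c4e2-example-subject",
    "email": "alice@example.com",
    "email_verified": True,
    "preferred_username": "alice",
}

# A constructed ID token built from the claims above; the third segment is a
# placeholder, so this token would (correctly) fail any real signature check.
SAMPLE_ID_TOKEN = ".".join([
    _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode()),
    _b64url(json.dumps(SAMPLE_CLAIMS).encode()),
    "signature-placeholder",
])


def decode_jwt_payload(token: str) -> dict:
    """Decode the payload segment of a compact JWT for inspection only.

    No signature, issuer or audience validation happens here; the helper
    exists to see which claim names the provider actually sends so the
    configured username claim can be matched exactly. Only claims from a
    token that a proper JOSE library has validated should ever be trusted.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected three segments")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore padding
    return json.loads(base64.urlsafe_b64decode(payload))


def resolve_username(
    claims: dict,
    username_claim: str = "preferred_username",
    fallbacks: tuple = ("email",),
    require_verified_email: bool = True,
) -> str:
    """Pick the local login name from already-validated claims.

    Raises ValueError instead of returning '' so that a misconfigured or
    missing claim can never become a login as the empty user.
    """
    if not isinstance(claims, dict) or not isinstance(claims.get("sub"), str) or not claims["sub"]:
        raise ValueError("claims lack the mandatory 'sub' claim")
    for name in (username_claim, *fallbacks):
        value = claims.get(name)
        if not isinstance(value, str) or not value.strip():
            continue  # absent, wrong type or empty: try the next candidate
        if name == "email" and require_verified_email and claims.get("email_verified") is not True:
            continue  # an unverified email address is not an identity
        return value.strip()
    raise ValueError(
        f"no usable username claim; looked for {username_claim!r} then {fallbacks}, "
        f"provider sent {sorted(claims)}"
    )


def login_decision(claims: dict, **options) -> tuple:
    """Return ('accept', username) or ('reject', reason); never ('accept', '')."""
    try:
        return ("accept", resolve_username(claims, **options))
    except ValueError as exc:
        return ("reject", str(exc))


if __name__ == "__main__":
    print(decode_jwt_payload(SAMPLE_ID_TOKEN))
    print(login_decision(SAMPLE_CLAIMS))
    # A configured claim name that does not match what the provider sends
    # falls back to the verified email instead of producing an empty user:
    print(login_decision(SAMPLE_CLAIMS, username_claim="preferredUsername"))
```

When the resolver rejects, the reason string lists the claim names the provider sent next to the name that was looked for, which is exactly the information missing from a bare "login for user ''" log line and makes a claim-name mismatch visible in the audit log without a debugger.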

We tested it with Azure and JumpCloud, it should work with any OpenID Connect certified identity provider.
Hardware:
DEC740

Quote from: r.vandijk on October 16, 2025, 10:43:27 AM
Quote from: Monviech (Cedrik) on September 13, 2025, 01:25:58 PM
the next business edition in October will include OIDC for WebGUI, Captive Portal and OPNWAF (Apache2 based Web Application Firewall).

Do you know if OIDC support for OpenVPN is also in the works?
That is the only reason I can't deploy OPNsense at the moment, because we deploy FortiClient with SAML authentication for our customers at the moment.

Right now it does not support OpenVPN. But you could force SSO in a Captive Portal on top of OpenVPN. The Captive Portal has SSO now.
Hardware:
DEC740

Quote from: Monviech (Cedrik) on October 16, 2025, 08:21:29 PM
We tested it with Azure and JumpCloud, it should work with any OpenID Connect certified identity provider.

I use Authentik on my private OPNsense (Business Edition) and plan to use Entra ID (Azure) on our company OPNsense for WAF; let's see if this behaves differently.