Allow Custom Arbitrary OAuth2 Multi-User authentication

[hexxone]

Describe the feature

I would like Khoj to support authentication via arbitrary/custom OAuth2 providers, not just Google. This would allow users to configure Khoj to use any standards-compliant OAuth2 identity provider, such as Authentik, Auth0, Okta, or other self-hosted SSO solutions. The feature should allow administrators to specify the OAuth2 endpoints, client ID/secret, scopes, and user info mapping in the configuration.

Use Case

Many organizations use their own identity providers for SSO, such as Authentik, Keycloak, Okta, or other OAuth2-compliant services, rather than Google. Supporting custom OAuth2 providers would allow:

• Integration with internal or self-hosted SSO solutions (e.g., Authentik) for centralized user management and access control.
• Compliance with organizational security policies that require use of internal authentication systems.
• Easier onboarding and offboarding of users via existing SSO infrastructure.
• Use in environments where Google accounts are not permitted or practical.

For example, in my case, I run an Authentik server as the central SSO for all my self-hosted services. I would like Khoj to authenticate users via Authentik, so that access is managed in one place and users have a seamless login experience.

Proposed Solution

Add support for configuring arbitrary OAuth2 providers in Khoj’s authentication settings. This could be implemented by:

• Allowing the admin to specify OAuth2 endpoints (authorization, token, userinfo), client ID/secret, scopes, and user info mapping (e.g., which field is used for the username/email).
• Providing a generic OAuth2 configuration section in the config file or admin UI.
• Optionally, supporting OIDC (OpenID Connect) discovery for easier setup.
• Ensuring that the login flow, user creation, and session management work with any standards-compliant OAuth2 provider.

Reference implementation ideas:

Many open source projects (e.g., Outline, Gitea, Nextcloud) support generic OAuth2/OIDC providers in addition to Google, GitHub, etc.

Additional Information

Authentik OAuth2 Provider Documentation

Link to Discord or Github discussion

No response

[wywerne]

+1
https://django-oauth-toolkit.readthedocs.io/en/latest/oidc.html, https://pypi.org/project/fastapi-oidc/, https://github.com/SAML-Toolkits/python-saml

[hexxone]

I have taken a look at the code and think it should not be too much work because khoj's Google Auth already uses a "generic" OAuth library.

It should just be a matter of providing a customizable configuration for it, using some "dynamic" routing and rendering a different/custom button for it.

E.g.. Config:

@dataclass
class OAuth2UserInfoMapping:
    email: Optional[str] = "email"
    name: Optional[str] = "name"
    picture: Optional[str] = "picture"


@dataclass
class CustomOAuth2ProviderConfig:
    name: str
    client_id: str
    client_secret: str
    authorize_url: str
    token_url: str
    userinfo_url: str
    scope: str = "openid email profile"
    user_info_mapping: OAuth2UserInfoMapping = field(default_factory=OAuth2UserInfoMapping)

Then OAuth registration needs to be done for custom endpoint(s):

khoj/src/khoj/routers/auth.py

Line 63 in c0689b2

oauth.register(name="google", server_metadata_url=CONF_URL, client_kwargs={"scope": "openid email profile"})

Afterwards UI needs to render additional button(s):

khoj/src/interface/web/app/components/loginPrompt/loginPrompt.tsx

Line 449 in c0689b2

<Button

Then OAuth callback probably needs additional provider_name-parameter and decision logic:

khoj/src/khoj/routers/auth.py

Line 212 in c0689b2

@auth_router.get("/redirect")

And write some tests when possible...

[justinbadal]

Can this please be implemented?