Skip to content

External Authentication

OAuth

Providers

To enable OAuth set the env var OAUTH_PROVIDERS to any of the following providers:

Provider Value
Google google
GitHub github
Generic OIDC oidc

You can enable multiple providers by separating them with a comma:

e.g. google,github

Redirect URIs

You have to configure the following redirect URIs in your OAuth provider:

  • https://<your-domain>/api/auth/<provider>/callback Used to log in to with the provider
  • https://<your-domain>/api/auth/<provider>/link Used to link an existing account to the provider

If your provider does not support multiple redirect URIs (e.g. GitHub) but allows multiple URIs under the same base, then configure:

  • https://<your-domain>/api/auth/<provider>/

Auto Register

To automatically register users that log in with an OAuth provider, set the following environment variable to true:

Env Required Default Description
OAUTH_AUTO_REGISTER ✖️ false Enable auto-registration

When enabled:

  • If a user logs in with an email address that is not yet registered, a new account will be created for them.

  • If a user logs in with an email address that is already registered, their account will be linked to the OAuth provider (if not already linked), regardless of the value of OAUTH_AUTO_REGISTER.

 Security

Users will be created with Admin Permissions, as the permissions system is not yet implemented. Only enable this if you trust all users that can log in with the OAuth provider.

Use Allowed Domains to restrict which users can log in.

Allowed Domains

To only allow users with an email address from a specific domain to log in, set the following environment variable to the allowed domain.

Env Required Default Description
OAUTH_ALLOWED_DOMAINS ✖️ - Allowed email domains

You can allow multiple domains by separating them with a comma:

e.g. example.com,example.org

Google

Env Required Description
OAUTH_GOOGLE_CLIENT_ID ✔️ Google Client ID
OAUTH_GOOGLE_CLIENT_SECRET ✔️ Google Client Secret

Setup

  1. Go to Google Cloud Console
  2. Create an OAuth 2.0 Client ID (Web application)
  3. Add Authorized redirect URI: See Redirect URIs
  4. Copy the Client ID and Client Secret to the environment variables

GitHub

Env Required Description
OAUTH_GITHUB_CLIENT_ID ✔️ GitHub Client ID
OAUTH_GITHUB_CLIENT_SECRET ✔️ GitHub Client Secret

Setup

  1. Go to GitHub Developer Settings
  2. Create a new OAuth App
  3. Add Authorization callback URL: See Redirect URIs
  4. Create a new client secret
  5. Copy the Client ID and Client Secret to the environment variables

Generic OIDC

This supports generic OIDC providers like Authelia, Authentik, etc.

The provider needs to support:

  • PKCE
  • default scopes: openid email profile
  • Client Secret Authentication client_secret_post

The provider needs to be available with HTTPS and have a valid certificate.

Env Required Default Example Description
OAUTH_OIDC_SERVER ✔️ - https://auth.example.com OIDC Server
OAUTH_OIDC_CLIENT_ID ✔️ - - OIDC Client ID
OAUTH_OIDC_CLIENT_SECRET ✔️ - - OIDC Client Secret
OAUTH_OIDC_NAME ✖️ OIDC Authelia Provider Name

Authelia Setup

Generate Client ID and Secret:

# Client ID
docker run --rm authelia/authelia:latest authelia crypto rand --length 72 --charset rfc3986
# Client Secret
docker run --rm authelia/authelia:latest authelia crypto hash generate pbkdf2 --variant sha512 --random --random.length 72 --random.charset rfc3986

- client_id: '...'
  client_name: wg-easy
  client_secret: '$pbkdf2-...'
  redirect_uris:
      - https://<your-domain>/api/auth/oidc/callback
      - https://<your-domain>/api/auth/oidc/link
  scopes:
      - openid
      - profile
      - email
  authorization_policy: one_factor
  pre_configured_consent_duration: 1 week
  require_pkce: true
  token_endpoint_auth_method: client_secret_post

Generic OAuth

Not currently supported

Disable Password Authentication

To disable password-based authentication and only allow login via OAuth providers, set the following environment variable to true:

Env Required Default Description
DISABLE_PASSWORD_AUTH ✖️ false Disable password authentication

When enabled:

  • Users will not be able to log in with a password

Access Recovery

Before disabling password authentication, ensure that at least one OAuth provider is configured and that you have successfully linked an administrator account.

If no login method is available, you will not be able to log in to the application and will need to reset the configuration to regain access.