Skip to content

Add native support for external authentication providers such as OAuth2 / OIDC #7885

Description

@gogo25171

What is your suggestion?

I would like code-server to support native authentication with standard external authentication systems, such as OAuth2, OpenID Connect (OIDC), SAML, LDAP, or other common authentication protocols.

Today, code-server mainly supports authentication through a configured password, either plain or hashed, or by disabling built-in authentication and placing a reverse proxy in front of code-server to handle authentication externally.

It would be useful to have first-class support for external identity providers directly in code-server configuration, for example:

  • OAuth2 / OpenID Connect providers
  • Enterprise SSO providers
  • LDAP / Active Directory
  • Generic authentication backends through a documented interface

Example configuration could look like:

auth: oidc
oidc:
  issuer-url: https://auth.example.com
  client-id: code-server
  client-secret: ${OIDC_CLIENT_SECRET}
  redirect-uri: https://code-server.example.com/callback
  allowed-groups:
    - developers

Why do you want this feature?

Using only a static password is not ideal for many environments, especially in enterprise or shared infrastructure contexts.

Native support for external authentication would provide several benefits:

  • Centralized authentication management
  • Better integration with existing identity providers
  • Support for multi-factor authentication through the identity provider
  • Easier user lifecycle management, such as onboarding and offboarding
  • Better security posture compared to sharing or rotating a single password
  • Simplified deployment, without requiring every user to configure and maintain a reverse proxy only for authentication

This would make code-server easier to deploy securely in professional, internal, and enterprise environments.

Are there any workarounds to get this functionality today?

Yes. The current workarounds are:

  1. Configure a password directly in the code-server configuration, either plain text or hashed.
  2. Disable or bypass code-server authentication and put a reverse proxy in front of it, such as NGINX, Traefik, Caddy, oauth2-proxy, Authelia, Keycloak Gatekeeper, etc.

However, these approaches have limitations:

  • Password-based authentication does not integrate well with existing SSO systems.
  • Reverse proxy authentication adds operational complexity.
  • Each deployment must solve the same authentication problem independently.
  • Misconfiguration can easily lead to security issues.
  • Some environments prefer application-level authentication rather than relying only on an external proxy.

Are you interested in submitting a PR for this?

Not at the moment, as this would likely require design discussion around authentication architecture, provider configuration, session handling, and backward compatibility.

However, I would be interested in testing the feature, reviewing proposals, or helping provide feedback on expected enterprise/SSO use cases.

Metadata

Metadata

Assignees

No one assigned

    Labels

    enhancementSome improvement that isn't a feature

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions