What is your suggestion?
I would like code-server to support native authentication with standard external authentication systems, such as OAuth2, OpenID Connect (OIDC), SAML, LDAP, or other common authentication protocols.
Today, code-server mainly supports authentication through a configured password, either plain or hashed, or by disabling built-in authentication and placing a reverse proxy in front of code-server to handle authentication externally.
It would be useful to have first-class support for external identity providers directly in code-server configuration, for example:
- OAuth2 / OpenID Connect providers
- Enterprise SSO providers
- LDAP / Active Directory
- Generic authentication backends through a documented interface
Example configuration could look like:
auth: oidc
oidc:
issuer-url: https://auth.example.com
client-id: code-server
client-secret: ${OIDC_CLIENT_SECRET}
redirect-uri: https://code-server.example.com/callback
allowed-groups:
- developers
Why do you want this feature?
Using only a static password is not ideal for many environments, especially in enterprise or shared infrastructure contexts.
Native support for external authentication would provide several benefits:
- Centralized authentication management
- Better integration with existing identity providers
- Support for multi-factor authentication through the identity provider
- Easier user lifecycle management, such as onboarding and offboarding
- Better security posture compared to sharing or rotating a single password
- Simplified deployment, without requiring every user to configure and maintain a reverse proxy only for authentication
This would make code-server easier to deploy securely in professional, internal, and enterprise environments.
Are there any workarounds to get this functionality today?
Yes. The current workarounds are:
- Configure a password directly in the code-server configuration, either plain text or hashed.
- Disable or bypass code-server authentication and put a reverse proxy in front of it, such as NGINX, Traefik, Caddy, oauth2-proxy, Authelia, Keycloak Gatekeeper, etc.
However, these approaches have limitations:
- Password-based authentication does not integrate well with existing SSO systems.
- Reverse proxy authentication adds operational complexity.
- Each deployment must solve the same authentication problem independently.
- Misconfiguration can easily lead to security issues.
- Some environments prefer application-level authentication rather than relying only on an external proxy.
Are you interested in submitting a PR for this?
Not at the moment, as this would likely require design discussion around authentication architecture, provider configuration, session handling, and backward compatibility.
However, I would be interested in testing the feature, reviewing proposals, or helping provide feedback on expected enterprise/SSO use cases.
What is your suggestion?
I would like code-server to support native authentication with standard external authentication systems, such as OAuth2, OpenID Connect (OIDC), SAML, LDAP, or other common authentication protocols.
Today, code-server mainly supports authentication through a configured password, either plain or hashed, or by disabling built-in authentication and placing a reverse proxy in front of code-server to handle authentication externally.
It would be useful to have first-class support for external identity providers directly in code-server configuration, for example:
Example configuration could look like:
Why do you want this feature?
Using only a static password is not ideal for many environments, especially in enterprise or shared infrastructure contexts.
Native support for external authentication would provide several benefits:
This would make code-server easier to deploy securely in professional, internal, and enterprise environments.
Are there any workarounds to get this functionality today?
Yes. The current workarounds are:
However, these approaches have limitations:
Are you interested in submitting a PR for this?
Not at the moment, as this would likely require design discussion around authentication architecture, provider configuration, session handling, and backward compatibility.
However, I would be interested in testing the feature, reviewing proposals, or helping provide feedback on expected enterprise/SSO use cases.