Support external authentication

[asosnovsky]

So I am using authentik for authenticating services on my homelab and traefik as my reverse-proxy, so I am able to guard the application via SSO with https headers.
It's kind of silly for me to maintain two line of auth, would it be possible to either:

• Allow an noauth url of some sort (maybe just a header with a key? e.g. how it's done with home-assistant)
• Support standard OAuth2/OpenID e.g. Immich

[koush]

I'm probably going to need to extend scrypted to support an auth plugin. the underlying issue is that some url patterns should be no auth so it can be reached by various services (google home, Alexa, nvr, push notifications, etc)

[asosnovsky]

I see that for ha_scrypted you are hacking something with a temporary token in an iframe https://github.com/koush/ha_scrypted/blob/0b2ec14b14afeedbff588da694f8fb22a7899947/custom_components/scrypted/http.py#L60

I think one easy way to support this, would be to just implement this by having a way to generate long-lived-tokens that can be used for authentication. I feel like supporting the open-auth specs would take too long to implement.

[omayhemo]

I would LOVE to see Authentik (OID) supported.

[whatsthecodeword]

Alternatively, please allow the ability to disable authentication and it can be placed behind Authentik's proxy or similar.

[ablyes]

+1 following this topic since i have scrypted with a simple login/pass and i'd like to use authetik.

[adrianipopescu]

aye this seems like a sticking point to me, lately -- centralize app identity management and control

[ACodingGenie]

This would be a really neat addition into the app. Personally, I use authelia (previously used Authentik) and OIDC support or even a way for Scrypted to respect Remote-User / Remote-Role headers like Frigate would make the user management easier. Currently, we are able to set an environment variable to set the default login username but that breaks the SSO security model since there's no RBAC. Please, consider implementing even this simple approach as it would greatly improve the user experience w/o having to maintain separate logins. We might be able to allowlist certain url patterns at the proxy level.

Please consider.