GitHub Issuesdemand signalby nsauterscored by google/gemini-2.5-flash

binwiederhier/ntfy: OIDC for User Auth

Opportunity

AI-buildable

Traction

Creativity

The take

effort: ~1-2 weeks

This is a feature request for ntfy, an open-source push notification system, to add OpenID Connect (OIDC) for user authentication. The user wants to integrate ntfy with their existing OIDC setup, avoiding separate local accounts. This would allow ntfy to be used in home lab environments or small multi-user setups that already leverage OIDC.

Demand & gap

Vitamindemand 54

Demand

Will. to pay

Gap

Buyer

Developers

The gap in what exists: Many open-source projects lack robust, modern authentication integrations like OIDC, forcing users to manage separate accounts or use less secure methods.
Wedge to win: Target open-source projects that are popular in self-hosting/home lab communities, offering OIDC as a key integration for existing users who already manage identities with OIDC.
Reputation value (worth doing free for proof) — 70/100: A well-implemented OIDC PR merged into a widely-used project like ntfy would be significant proof-of-work for security-conscious dev-tool clients.
Likely monetization: unclear
Incumbents to beat: KeycloakAuth0Okta

Deliver it

A starter prompt for Claude Code, what you'll need, and how to reach them.

You are an expert Go developer. Your task is to implement OIDC (OpenID Connect) user authentication for the ntfy server, as requested in GitHub issue #1596 (https://github.com/binwiederhier/ntfy/issues/1596). The core requirement is to allow users to authenticate with an OIDC provider instead of managing local ntfy accounts.

Here's the plan:
1. Fork the existing `ntfy` repository (GoLang).
2. Identify the current authentication flow and where to integrate OIDC.
3. Use `go-oidc` (or a similar robust Go OIDC client library) to manage the OIDC flow.
4. Implement the OIDC authorization code grant flow. This includes:
a. Redirecting users to the OIDC provider's authorization endpoint.
b. Handling the callback from the OIDC provider, exchanging the authorization code for tokens.
c. Verifying the ID token and extracting user information.
d. Establishing a secure session for the authenticated OIDC user within ntfy.
5. Add server-side configuration options for `OIDC_ISSUER_URL`, `OIDC_CLIENT_ID`, `OIDC_CLIENT_SECRET`, and optionally `OIDC_SCOPES` and `OIDC_REDIRECT_URL`.
6. For the MVP, focus on a basic web-based login flow, not command-line or mobile client OIDC, initially.
7. Ensure that existing local account authentication remains functional alongside the new OIDC option.
8. Provide clear instructions for setting up OIDC authentication in the `README`.

Build/Verify Gate: A fully functional ntfy server that allows users to log in successfully using an OIDC provider (e.g., Keycloak, Google) and send push notifications with their OIDC-authenticated session. The solution should be robust, secure, and maintainable.

How you'd build it

1Fork the ntfy repository (written in Go) and analyze the existing authentication mechanism.
2Integrate an OIDC client library for Go (e.g., go-oidc) to handle authentication flows.
3Implement OIDC login, token verification, and user session management within ntfy's server.
4Add configuration options for OIDC provider details (issuer URL, client ID, client secret, scopes).
5Develop a minimal UI/API for initiating the OIDC authentication redirect and handling callbacks.
6Add test cases for OIDC integration and secure configuration practices.

Risks & moats

Integrating a new authentication method into an existing Go codebase might uncover unexpected complexities or require significant refactoring.
Properly securing OIDC implementation (e.g., state management, nonce verification, PKCE) can be tricky and requires careful attention to detail.
The ntfy project maintainers might have a specific vision for authentication that conflicts with a direct OIDC implementation, requiring negotiation for a PR.
Dealing with various OIDC providers and their subtle differences could introduce integration challenges.

Original context

:bulb: **Idea** I really like how OIDC is getting more and more used even in home setups. Im using it too for most of my services since i support a whole family with access to different services. I really want to move from Telegram Bots for notifications to a dedicated push notification system (because telegram annoys me). But i dont want to have local accounts on my nfty server when every other system uses oidc. I would love to have oicd for auth in nfty. :computer: ntfy server

You may also want to look at

Prerequisites — cost & what to learn

ntfy GitHub repository accessFree · Free✓ in your stack
Access to public GitHub repository.
GoLang development environmentFree · Free✓ in your stack
Standard Go development setup.
OIDC provider (e.g., Keycloak, Google Identity Platform, Okta)Free tier · Free tier available for development/testing, paid for larger scale. Keycloak can be self-hosted for free.📚 needs study
New: configuring an OIDC client application in a provider like Keycloak or Google - ~half a day.
Learn it: Search getting-started ↗
Get set up: Create the account/instance, generate the API key or credentials, and add them to your project's environment variables.
Understanding of OIDC protocolFree · Free📚 needs study
New: Deep dive into OIDC authorization code flow, token verification, PKCE - ~1-2 days.
Learn it: Search getting-started ↗