The web console supports two authentication methods: Local Authentication (the default), with the username and password stored in the local database, and OAuth 2.0 Authentication, which provides Single Sign-On via an external identity provider.
You can enable both methods simultaneously or use OAuth exclusively.
Edit config.json:

```json
{
  "web_console_enabled": true,
  "web_console_port": 8090,
  "web_console_oauth_enabled": true,
  "web_console_oauth_provider": "Keycloak",
  "web_console_oauth_client_id": "activedebiansync-console",
  "web_console_oauth_client_secret": "your-client-secret",
  "web_console_oauth_auth_url": "https://auth.example.com/realms/main/protocol/openid-connect/auth",
  "web_console_oauth_token_url": "https://auth.example.com/realms/main/protocol/openid-connect/token",
  "web_console_oauth_userinfo_url": "https://auth.example.com/realms/main/protocol/openid-connect/userinfo",
  "web_console_oauth_scopes": "openid profile email",
  "web_console_oauth_redirect_url": "",
  "web_console_oauth_admin_group": "admin",
  "web_console_oauth_allow_local": true
}
```

| Field | Type | Default | Description |
|---|---|---|---|
| `web_console_oauth_enabled` | bool | `false` | Enable OAuth authentication |
| `web_console_oauth_provider` | string | `""` | Display name for the OAuth provider (shown on login button) |
| `web_console_oauth_client_id` | string | `""` | OAuth client ID |
| `web_console_oauth_client_secret` | string | `""` | OAuth client secret |
| `web_console_oauth_auth_url` | string | `""` | OAuth authorization endpoint URL |
| `web_console_oauth_token_url` | string | `""` | OAuth token endpoint URL |
| `web_console_oauth_userinfo_url` | string | `""` | OAuth userinfo endpoint URL (optional) |
| `web_console_oauth_scopes` | string | `"openid profile email"` | OAuth scopes (space-separated) |
| `web_console_oauth_redirect_url` | string | `""` | OAuth redirect URL (auto-generated if empty) |
| `web_console_oauth_admin_group` | string | `"admin"` | Group/role name that grants admin privileges |
| `web_console_oauth_allow_local` | bool | `true` | Allow local username/password login alongside OAuth |

Keycloak
```json
{
  "web_console_oauth_provider": "Keycloak",
  "web_console_oauth_auth_url": "https://keycloak.example.com/realms/{realm}/protocol/openid-connect/auth",
  "web_console_oauth_token_url": "https://keycloak.example.com/realms/{realm}/protocol/openid-connect/token",
  "web_console_oauth_userinfo_url": "https://keycloak.example.com/realms/{realm}/protocol/openid-connect/userinfo"
}
```

Azure AD / Entra ID
```json
{
  "web_console_oauth_provider": "Microsoft",
  "web_console_oauth_auth_url": "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize",
  "web_console_oauth_token_url": "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token",
  "web_console_oauth_userinfo_url": "https://graph.microsoft.com/oidc/userinfo",
  "web_console_oauth_scopes": "openid profile email"
}
```

Google

```json
{
  "web_console_oauth_provider": "Google",
  "web_console_oauth_auth_url": "https://accounts.google.com/o/oauth2/v2/auth",
  "web_console_oauth_token_url": "https://oauth2.googleapis.com/token",
  "web_console_oauth_userinfo_url": "https://openidconnect.googleapis.com/v1/userinfo",
  "web_console_oauth_scopes": "openid profile email"
}
```

Auth0
```json
{
  "web_console_oauth_provider": "Auth0",
  "web_console_oauth_auth_url": "https://{tenant}.auth0.com/authorize",
  "web_console_oauth_token_url": "https://{tenant}.auth0.com/oauth/token",
  "web_console_oauth_userinfo_url": "https://{tenant}.auth0.com/userinfo"
}
```

GitHub
```json
{
  "web_console_oauth_provider": "GitHub",
  "web_console_oauth_auth_url": "https://github.com/login/oauth/authorize",
  "web_console_oauth_token_url": "https://github.com/login/oauth/access_token",
  "web_console_oauth_userinfo_url": "https://api.github.com/user",
  "web_console_oauth_scopes": "read:user user:email"
}
```

When a user logs in via OAuth:
Admin status is determined by group/role membership
The web_console_oauth_admin_group setting specifies which group or role grants admin access:
Users without admin privileges can still view most pages but cannot modify settings.
Both OAuth and Local Login (Default)
When web_console_oauth_allow_local is true:
OAuth Only
When web_console_oauth_allow_local is false:
The redirect URL must match exactly what's configured in your OAuth provider.
If web_console_oauth_redirect_url is empty, it's automatically generated:
```
{scheme}://{listen_addr}:{port}{base_path}/oauth/callback
```
For production with a reverse proxy, you should explicitly set this:
```json
{
  "web_console_oauth_redirect_url": "https://admin.example.com/oauth/callback"
}
```
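
A pre-deployment check of the OAuth settings documented above, added here as an example (it is not part of ActiveDebianSync). The key names come from this page; the function name `audit_oauth_config`, the rules it applies and the sample values are assumptions of the example.

```python
import json
from urllib.parse import urlparse

# Key names are the ones documented on this page; the rules below are this
# example's assumptions, not checks the console is known to perform.
PREFIX = "web_console_oauth_"
REQUIRED = ("client_id", "client_secret", "auth_url", "token_url")
URL_FIELDS = ("auth_url", "token_url", "userinfo_url", "redirect_url")


def audit_oauth_config(cfg: dict) -> list:
    """Return a list of findings for the OAuth keys of a parsed config.json."""
    if not cfg.get(PREFIX + "enabled", False):
        return []  # OAuth is off by default: nothing to check
    findings = []
    for name in REQUIRED:
        if not cfg.get(PREFIX + name, ""):
            findings.append(f"{PREFIX}{name} is empty")
    if cfg.get(PREFIX + "client_secret") == "your-client-secret":
        findings.append("client secret is still the documentation placeholder")
    for name in URL_FIELDS:
        url = cfg.get(PREFIX + name, "")
        if not url:
            continue  # userinfo and redirect URLs may legitimately be empty
        if "{" in url or "}" in url:
            findings.append(f"{PREFIX}{name} has an unfilled {{...}} placeholder")
        elif urlparse(url).scheme != "https":
            findings.append(f"{PREFIX}{name} is not HTTPS")
    redirect = cfg.get(PREFIX + "redirect_url", "")
    if not redirect:
        findings.append("redirect URL is auto-generated from the listen address; "
                        "set it explicitly when behind a reverse proxy")
    elif not urlparse(redirect).path.endswith("/oauth/callback"):
        findings.append("redirect URL path does not end in /oauth/callback")
    return findings

# Constructed sample: provider template values left partly unedited.
SAMPLE = json.loads("""{
  "web_console_oauth_enabled": true,
  "web_console_oauth_client_id": "activedebiansync-console",
  "web_console_oauth_client_secret": "your-client-secret",
  "web_console_oauth_auth_url": "https://keycloak.example.com/realms/{realm}/protocol/openid-connect/auth",
  "web_console_oauth_token_url": "http://keycloak.example.com/realms/main/protocol/openid-connect/token",
  "web_console_oauth_redirect_url": ""
}""")

if __name__ == "__main__":
    for finding in audit_oauth_config(SAMPLE):
        print("-", finding)
```

Run it against the parsed contents of your own config.json before restarting the console; an empty list means none of these rules fired.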