What problem does this solve?
Routerly's dashboard currently uses its own username/password system backed by users.json. Enterprise teams already have identity providers (Google Workspace, Azure AD, Okta, corporate LDAP) and do not want to maintain a separate set of credentials for each internal tool.
Proposed solution
Add pluggable external authentication providers for the dashboard login flow:
OAuth2 / OIDC
- Google, GitHub, Microsoft (Azure AD/Entra), Okta, generic OIDC
- Configurable via
settings.json: client ID, secret, scopes, callback URL
- On successful OAuth callback: create or update the local user record, assign role based on configurable mapping (e.g. group claim → role)
LDAP / Active Directory
- Bind with service account, search for user by
uid/sAMAccountName
- Map LDAP groups to Routerly roles
SAML 2.0
- SP-initiated flow for enterprise SSO (Okta, Azure AD, PingFederate)
Configuration example in settings.json:
{
"auth": {
"providers": [
{ "type": "oidc", "issuer": "https://accounts.google.com", "clientId": "...", "clientSecret": "..." },
{ "type": "ldap", "url": "ldap://corp.example.com", "baseDn": "dc=example,dc=com" }
]
}
}
Local username/password remains available as a fallback.
Alternatives you've considered
Putting Routerly behind a reverse proxy with auth (nginx + oauth2-proxy, Authentik, Authelia). Works but adds infrastructure complexity and breaks the self-contained self-hosted model.
Who would benefit from this?
Enterprise and team deployments where IT requires SSO for all internal tools. Eliminates onboarding friction and centralises access control.
Additional context
The management API already uses JWT sessions (plugins/jwt.ts). OAuth2/LDAP would replace only the credential-verification step, keeping the session layer unchanged.
What problem does this solve?
Routerly's dashboard currently uses its own username/password system backed by
users.json. Enterprise teams already have identity providers (Google Workspace, Azure AD, Okta, corporate LDAP) and do not want to maintain a separate set of credentials for each internal tool.Proposed solution
Add pluggable external authentication providers for the dashboard login flow:
OAuth2 / OIDC
settings.json: client ID, secret, scopes, callback URLLDAP / Active Directory
uid/sAMAccountNameSAML 2.0
Configuration example in
settings.json:{ "auth": { "providers": [ { "type": "oidc", "issuer": "https://accounts.google.com", "clientId": "...", "clientSecret": "..." }, { "type": "ldap", "url": "ldap://corp.example.com", "baseDn": "dc=example,dc=com" } ] } }Local username/password remains available as a fallback.
Alternatives you've considered
Putting Routerly behind a reverse proxy with auth (nginx + oauth2-proxy, Authentik, Authelia). Works but adds infrastructure complexity and breaks the self-contained self-hosted model.
Who would benefit from this?
Enterprise and team deployments where IT requires SSO for all internal tools. Eliminates onboarding friction and centralises access control.
Additional context
The management API already uses JWT sessions (
plugins/jwt.ts). OAuth2/LDAP would replace only the credential-verification step, keeping the session layer unchanged.