feat(auth): enable OIDC SSO for self-hosted instances
Created by: jedmund
Summary
- Unlocks the existing
better-authSSO flow for self-hosted Dokploy via a new env varDOKPLOY_ENABLE_SELF_HOSTED_SSO=true— no license required. - Adds
DOKPLOY_SSO_PRIMARY=trueto make SSO the default sign-in (password form hidden behind an escape-hatch link). - All OIDC/SAML scaffolding (schema, registration UI, sign-in flow, callbacks) was already in place — this just bypasses the license gates on the three SSO surfaces (
showSignInWithSSO, thessoRouterendpoints, and the SSO settings page). Other enterprise features (audit logs, whitelabeling, custom roles) remain license-gated.
Why
Dokploy's free self-hosted edition already ships a complete OIDC implementation via @better-auth/sso, but it's hidden behind an enterprise license check. This change lets a home/self-hosted operator with an OIDC provider (e.g. PocketID, Authentik, Keycloak) point Dokploy at it without buying a license.
PocketID setup
- Set
DOKPLOY_ENABLE_SELF_HOSTED_SSO=true(and optionallyDOKPLOY_SSO_PRIMARY=true) on the Dokploy instance. - In PocketID, create an OIDC client with callback URL
https://<your-dokploy>/api/auth/sso/callback/<providerId>. - In Dokploy: Settings → SSO → Register OIDC provider — paste issuer (PocketID base URL), client ID, client secret, scopes
openid email profile, and the email domains you want auto-routed.
Test plan
-
Regression (no flag): with both env vars unset, /dashboard/settings/ssostill shows the "Enterprise SSO" lock card and the login page does not show a "Sign in with SSO" button. -
Self-hosted unlock: with DOKPLOY_ENABLE_SELF_HOSTED_SSO=true, the SSO settings page renders directly, register-OIDC dialog works, and the login page shows the SSO button. -
OIDC flow (PocketID): register a provider → log out → enter an email in the configured domain → land on PocketID → redirected back to /dashboard/homewith a session. -
Primary mode: with both flags on, login page opens with the SSO email form expanded and the password form hidden; "Use email and password instead" link reveals the password form. -
Cloud unchanged: with IS_CLOUD=trueand the new flags unset, sign-in shows GitHub/Google/email + SSO as before.