Authentication

Built-in Authentication

The built-in authentication is enabled by default and uses a username/password combination. When you first access autobrr, you'll be prompted to create an account.

OpenID Connect (OIDC)

autobrr supports OIDC authentication for integration with external identity providers like Authentik, Authelia, Pocket-ID, and more.

Configuration

1. Configure your identity provider

1. Set up a new application/client in your identity provider
2. Set the redirect URI to: https://your-autobrr-instance/api/auth/oidc/callback
3. Note down the client ID and client secret

Authentik-specific configuration

When using Authentik, configure the following:

• Use RS256 signing algorithm
• Under Protocol Settings, select an RSA "Signing Key" (e.g., the Authentik self-signed certificate)

For more details on Authentik setup, see:

• Authentik RS256 Configuration
• Authentik Certificate Documentation
• autobrr OIDC Setup Example

2. Enable OIDC in autobrr

Choose one of these configuration methods:

config.toml

oidc_enabled = true
oidc_issuer = "https://your-identity-provider"
oidc_client_id = "your-client-id"
oidc_client_secret = "your-client-secret"
oidc_redirect_url = "https://your-autobrr-instance/api/auth/oidc/callback"

Or using environment variables:

AUTOBRR__OIDC_ENABLED=true
AUTOBRR__OIDC_ISSUER=https://your-identity-provider
AUTOBRR__OIDC_CLIENT_ID=your-client-id
AUTOBRR__OIDC_CLIENT_SECRET=your-client-secret
AUTOBRR__OIDC_REDIRECT_URL=https://your-autobrr-instance/api/auth/oidc/callback

Authentication Methods

When OIDC is enabled:

• If you have an existing user in the database, both OIDC and built-in authentication will be available
• If no user exists in the database, only OIDC authentication will be available

Troubleshooting

During testing, we used Authelia, Authentik, and Pocket-ID with success. Each provider has been verified to work with autobrr's OIDC implementation.

If you encounter issues, please open a GitHub issue or reach out to us on Discord.

Security Best Practices

1. Always run autobrr behind a reverse proxy with TLS enabled
2. Use strong passwords for built-in authentication
3. Enable MFA in your identity provider when using OIDC
4. Regularly update both autobrr and your identity provider

For reverse proxy setup instructions, see:

• Caddy
• Lighttpd
• Nginx
• SWAG
• Traefik
• Tailscale Serve