[GH-ISSUE #5534] [FR] Only offer available authentication methods of a self-hosted instance #2465

Closed
opened 2026-03-23 21:22:37 +00:00 by mirror · 9 comments

Originally created by @almereyda on GitHub (Jun 13, 2024).
Original GitHub issue: https://github.com/AppFlowy-IO/AppFlowy/issues/5534

Description

When configuring the gotrue container in AppFlowy-Cloud with GitLab authentication enabled, it is not surfaced to the admin interface https://github.com/AppFlowy-IO/AppFlowy-Cloud/issues/621 nor does it become available as a choice in the AppFlowy app.

Impact

Single-sign on is a contemporary means of authentication and many privacy-oriented organisations, esp. in civic society, rely on single-sign on providers that are independent from the large, commercial and proprietary platforms. The forked gotrue service already supports many authentication methods, which could be surfaced to the users.

Meanwhile the app could also autodetect which authentication methods are offered by the targeted AppFlowy-Cloud, which may help to reduce confusion and friction for some users, when trying to use an unconfigured authentication method.

Additional Context

This only applies to self-hosters of AppFlowy Cloud. Ideally the app parses the /gotrue/settings endpoint and adapts the offered login choices. In our example, we don't have Discord nor Google activated, yet their buttons show up in the app (not so in the admin interface).
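
The endpoint-driven selection suggested above, as an added example that is not part of the original issue or of AppFlowy's code: it parses a `/gotrue/settings` response body and keeps only the methods the server advertises, returning no methods when the response is malformed. The `external` map shape is assumed from GoTrue's settings response; `BUILT_IN`, `selectLoginMethods`, `fetchLoginMethods` and the sample response are hypothetical or constructed.

```javascript
// Added example, not AppFlowy code. The response shape
// {"external": {"<provider>": <bool>, ...}} is an assumption about GoTrue's settings endpoint.

// Hypothetical list of login buttons compiled into the client.
const BUILT_IN = ["email", "google", "github", "discord", "apple"];

// Constructed sample: an instance with only email and GitLab enabled.
const SAMPLE_SETTINGS = JSON.stringify({
  external: { email: true, google: false, github: false, discord: false, gitlab: true },
  disable_signup: false,
});

// Provider names come from a remote server; accept only short lowercase slugs
// before they are rendered or placed in a URL.
const SLUG = /^[a-z][a-z0-9_]{0,31}$/;

function selectLoginMethods(rawBody, builtIn = BUILT_IN) {
  let settings;
  try {
    settings = JSON.parse(rawBody);
  } catch {
    return { shown: [], extra: [], error: "settings response is not JSON" };
  }
  const external = settings && settings.external;
  if (typeof external !== "object" || external === null || Array.isArray(external)) {
    return { shown: [], extra: [], error: "settings response has no provider map" };
  }
  // Only a strict boolean true enables a provider; "true", 1 or null do not.
  const enabled = Object.keys(external).filter((k) => external[k] === true && SLUG.test(k));
  return {
    shown: builtIn.filter((p) => enabled.includes(p)), // buttons to keep
    extra: enabled.filter((p) => !builtIn.includes(p)).sort(), // enabled, but no button exists
    error: null,
  };
}

// Network wrapper (requires a runtime with fetch); fails closed on any error.
async function fetchLoginMethods(baseUrl) {
  try {
    const res = await fetch(new URL("/gotrue/settings", baseUrl), { redirect: "error" });
    if (!res.ok) throw new Error(`HTTP ${res.status}`);
    return selectLoginMethods(await res.text());
  } catch (e) {
    return { shown: [], extra: [], error: String(e.message || e) };
  }
}
```

The `extra` list carries providers the server enables but the client has no button for, such as GitLab in the sample.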


@almereyda commented on GitHub (Oct 27, 2024):

Our instance now only shows configured OAuth clients (edit) when visiting the admin_frontend at https://appflowy.example.org/web/login

Also involved were https://github.com/AppFlowy-IO/AppFlowy-Cloud/issues/621 and https://github.com/AppFlowy-IO/AppFlowy-Cloud/pull/874

Keeping open until the Flutter App also supports adjusting its available authentication options.


@almereyda commented on GitHub (Apr 25, 2025):

@khorshuheng @annieappflowy Do you think we can prioritise this?

For many self-hosters it will only be natural to use an IdP that's not one of your preconfigured choices.

While logging in with custom OAuth already worked before with the admin interface (https://github.com/AppFlowy-IO/AppFlowy-Cloud/pull/874), the route https://appflowy.example.org/web/login ceased to exist following the availability of AppFlowy-Web.

Now I'm also not sure where this issue should live:

  • It clearly affects the AppFlowy-Web login.
  • Recent changes to the login were implemented in AppFlowy-Cloud. (AppFlowy-IO/AppFlowy-Cloud#1041)
  • Here we are in the main AppFlowy Flutter app.

Where would the desired changes live, somewhere in between all of them?


@khorshuheng commented on GitHub (Apr 25, 2025):

The admin panel still exists, it is just moved under /console.

Right now, we can actually use SAML 2.0 to open AppFlowy. For example, after configuring SAML 2.0, we can launch AppFlowy directly from Authentik.

But I think what is missing here is a button like "Single sign on", which should connect to an arbitrary identity provider, as long as they support SAML 2.0. Or, a generic OIDC login.

@khorshuheng commented on GitHub (Apr 25, 2025):

Related issues:

  • https://github.com/AppFlowy-IO/AppFlowy/issues/7240 (duplicate of this issue)
  • https://github.com/AppFlowy-IO/AppFlowy-Web/issues/105
  • https://github.com/AppFlowy-IO/AppFlowy-Cloud/issues/1362

@almereyda commented on GitHub (May 14, 2025):

Thank you for pushing this forward.

I can confirm that the route /console allows to login with the configured gotrue authentication methods, as expected.

If only the console and the Web app would use the same token, then we could already be authenticated towards it via GitLab when switching the route. They remain on the same domain, why cookies could be shared.

In addition, I would suggest to add a tiny commit that extends the Nginx location regexp to also include /console/ as a valid entry point, which currently errors out on file not found 404 without a page body.

Something like console(\/?) might do?


@maggiv8 commented on GitHub (Aug 19, 2025):

Hi there,

I am also trying to hide these options in the app/web-app (i.e. not-configured/support sign-in options like Google, etc.). It works obviously fine for the web admin console. Is this possible somehow and if so how?

Thank you.


@almereyda commented on GitHub (Sep 2, 2025):

The issue

  • https://github.com/khorshuheng/appflowy-self-host-resources/issues/8

provides more context.

> The helm chart (and the official docker compose) currently lack some of the gotrue env variables required to setup SAML 2.0. Although, we do have reports from users saying that they have succeeded in using Authentik/Okta to login to AppFlowy.

Meanwhile we're patiently standing by for more work on documentation of more

  • https://github.com/AppFlowy-IO/AppFlowy-Web/issues/19
  • https://github.com/AppFlowy-IO/AppFlowy-Cloud/issues/1362

details. I could offer to open a tracking issue on https://github.com/AppFlowy-IO/AppFlowy-Docs for that.

It is to note, as said, that as a workaround we can use the /console route https://github.com/AppFlowy-IO/AppFlowy-Cloud/issues/621 https://github.com/AppFlowy-IO/AppFlowy-Cloud/pull/874. It currently allows to login to the AppFlowy-Cloud admin_frontend via a web browser and then to trigger a login intent for a local AppFlowy app (tested on Linux and Android). It still does not allow to authenticate for AppFlowy-Web on `/` / `/web`.

The tracking issue in AppFlowy-IO/AppFlowy-Web is

  • https://github.com/AppFlowy-IO/AppFlowy-Web/issues/105

To close, citing from https://github.com/AppFlowy-IO/AppFlowy-Web/issues/105#issuecomment-3319199033:

> Eventually we will want to distinguish here between:
>
>   1. hiding unconfigured authentication providers and
>   2. also showing additional authentication providers.

@almereyda commented on GitHub (Sep 22, 2025):

> I am also trying to hide these options in the [app/]web-app

@maggiv8 The latest Web release supports your use case since https://github.com/AppFlowy-IO/AppFlowy-Web/issues/105#issuecomment-3319240837 https://github.com/AppFlowy-IO/AppFlowy-Web/issues/139#issuecomment-3319284627

I've also written an accompanying follow up with:

  • https://github.com/AppFlowy-IO/AppFlowy-Web/issues/141

@almereyda commented on GitHub (Oct 8, 2025):

#7240 also documents a case, where a user would like to hide the email login method, which was disabled in Gotrue/Supabase Auth.
