Feature Request: Optional OIDC-Only Authorization #1633

@gucong3000

Is your feature request related to a problem? Please describe.

Yes. When using OIDC login, nginx-ui performs an additional local user validation after the OIDC provider has already authenticated the user.

Even if the OIDC IdP (e.g., Dex, Authentik, Keycloak) has already verified the user and allowed the login, nginx-ui still requires the username to exist in the local SQLite database (users table).
If the username is not found locally, nginx-ui rejects the login.

This breaks the standard OIDC authorization flow and forces administrators to maintain a duplicated local user list, which is impractical in environments using LDAP-backed OIDC, SSO, or automated provisioning.


Describe the solution you'd like

I would like nginx-ui to support two possible behaviors, configurable by the administrator:


1. Skip local user check (OIDC-only authorization mode)

[oidc]
LocalUserCheck = false
  • If OIDC login succeeds → allow login
  • Do not require the user to exist in the SQLite database

2. Auto-create local users on first OIDC login

[oidc]
AutoCreateUser = true
  • If OIDC login succeeds but the user does not exist locally → automatically create a local user entry
  • Username should come from the OIDC claim (preferred_username, email, or configurable)
  • (Optional) assign default role or map roles from OIDC claims

Describe alternatives you've considered

Manually creating users in SQLite
Not scalable and defeats the purpose of centralized identity management.

Maintaining a fork and patching the source code
Possible but not ideal, as it complicates updates.


Additional context

My environment uses an OIDC provider backed by LDAP.
The IdP already enforces authentication, MFA, and authorization policies.
Requiring nginx-ui to maintain a separate local user list in SQLite introduces unnecessary administrative overhead and breaks the expected SSO workflow.

Supporting “skip local user check” and/or “auto-create user on first login” would align nginx-ui with modern identity management practices and significantly improve usability in enterprise or homelab SSO setups.
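
The Go example below is an added illustration, not nginx-ui code and not part of the issue author's post. It models the post-authentication decision that the two proposed options would control. `OIDCSettings`, `Authorize`, the in-memory store, the `viewer` role used in `main`, and the rule that `AutoCreateUser` takes precedence over `LocalUserCheck` are assumptions; ID token verification is assumed to have already happened.

```go
package main

import (
	"errors"
	"fmt"
)
// OIDCSettings is hypothetical; it mirrors the two options proposed in the issue.
type OIDCSettings struct {
	LocalUserCheck bool     // true = current behaviour: user must exist locally
	AutoCreateUser bool     // persist a local entry on first OIDC login
	UsernameClaims []string // preference order, e.g. preferred_username, email
	DefaultRole    string   // assumed least-privilege role for unknown users
}
type User struct{ Name, Role string }

var (
	ErrNoUsername  = errors.New("no usable username claim")
	ErrUnknownUser = errors.New("user not present in local store")
)
// Authorize runs only after the ID token (signature, issuer, audience, expiry) is verified.
func Authorize(cfg OIDCSettings, claims map[string]string, store map[string]User) (User, error) {
	name := ""
	for _, k := range cfg.UsernameClaims { // first non-empty claim wins
		if name = claims[k]; name != "" {
			break
		}
	}
	if name == "" {
		return User{}, ErrNoUsername // never fall back to an empty identity
	}
	if u, ok := store[name]; ok {
		return u, nil // known user keeps the locally assigned role
	}
	u := User{Name: name, Role: cfg.DefaultRole}
	switch {
	case cfg.AutoCreateUser: // assumption: takes precedence over LocalUserCheck
		store[name] = u
		return u, nil
	case !cfg.LocalUserCheck:
		return u, nil // OIDC-only mode: session user, nothing persisted
	}
	return User{}, ErrUnknownUser // current behaviour described in the issue
}

func main() {
	cfg := OIDCSettings{LocalUserCheck: true, UsernameClaims: []string{"preferred_username", "email"}, DefaultRole: "viewer"}
	_, err := Authorize(cfg, map[string]string{"email": "a@example.com"}, map[string]User{}) // constructed claims, empty store
	fmt.Println(err)
}
```

In either relaxed mode the IdP becomes the only gate, so an unknown user should receive the least-privileged role unless roles are mapped explicitly from claims.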

Labels: enhancement (New feature or request)