Cross-Site Single Sign-On for Gramps Web

Users on multiple Gramps Web sites currently need separate logins for each instance. The “too many logins and registrations to track” could start to aggravate users as they begin to discover more Gramps Web sites.

Discourse Meta realized the value of cross-site community building by adding themselves as an OIDC (OpenID Connect) provider, enabling users to log into any Discourse forum using their Meta account—encouraging collaboration and pollination between forums.

Gramps Web could extend its existing OIDC support for external logins (Google, GitHub) to let instances act as identity providers in the same way. Users pick one “home” site, log in once via Single Sign-On (SSO), and access others without new accounts. External services like FamilySearch or WikiTree could follow later.

Admins would gain easier cross-site collaboration, tree sharing, and community building between instances—increased engagement without a central hub.

Adding rudimentary Gramps Web sites catalog to GrampsHub could aid discovery of related instances.

You’re touching on a couple of interesting and related points.

First, I don’t think Gramps Web should become an OIDC provider - there already great open source solutions like Authelia and Keycloak which are much more powerful (and also much better tested and thus more secure) than Gramps Web could ever be. So I think that’s out of scope.

But what is definitely true is that we should think about the possibility to give existing Gramps Web user accounts access to other trees. I would call this federation, in the sense that Nextcloud uses it. This is not only relevant across sites - it’s even relevant on single, multi-user sites. For instance, currently, it’s not possible to create two user accounts on Grampshub in two different trees, but using the same e-mail address.

But I think federation is much easier than OIDC because it only requires two Gramps Web instances to talk to each other, so we control both sides of the conversation.