Self-hosted Grist with Caddy and maybe Nextcloud, authentication issues

Hello,

I’d really like to set up a self-hosted Grist instance on my home server that I share with a few friends (5-10 users max ever). I need authentication and user management (some users are going to have different rights, etc.).

I already have an instance of Nextcloud running and I found that it could serve as an OIDC provider, which would be kind of ideal for me. I tried to set it up but keep running into 502 Bad Gateway issues.

I use Caddy as a reverse proxy. It seems I cannot get Caddy to talk to the Grist Docker container properly and connect to my OIDC provider in Nextcloud.

After trying different configurations, I decided I can live with standard authentication such as Google and tried the grist-omnibus container. However, I couldn’t get this to work either.

When starting the container, I see this warning:

grist | 2026-01-09 08:11:58.386 - warn: Failed to create GoogleAuth endpoint: GOOGLE_CLIENT_SECRET is not defined

Is there a way to simply set up Google authentication?

Any pointer would be appreciated. Thanks!

I’ve used https://goauthentik.io/ in combination with Grist and Active Directory.
And with goauthentik you might choose any modern authentication backend.

When I actively used it, there was a little bug in authentik that consumed much CPU. This might be resolved now.

Edit: For a larger installation this was good, but it would be awesome if
Grist had a minimal authentication system built in.
However, I can understand that this is not on the priority list :wink: so the community might build it.

Can you establish a connection to the backend? I would check this via curl or so.
Edit: And while you check, tail -f /the/logfile or journalctl -f to see any errors popping up.

Idk about GoogleAuth, but have you set GOOGLE_CLIENT_SECRET as the error message suggested?

Edit again:
And of course, open the port in Docker, check with sudo ss -tlnp whether the port is open and listens on the correct IP, then curl to the backend, then double-check your URLs etc.

Thanks for your reply! I read about authentik but it seems a bit overkill for my use case, and likely a whole new bag of problems if I dig into it. From what I understand, I have everything in place (i.e. the OIDC provider can be either my Nextcloud or Google). But I struggle with the plumbing, i.e. communication between my host server, my reverse proxy Caddy, the Grist container, etc., because I’m not good yet at servers and network stuff.

Hello,

I have been able to get it working for what I wanted to do. I realized that Caddy could do simple authentication through the browser and forward the username to Grist.

This is actually what is done with the Traefik example, but Caddy is so much more straightforward and intuitive. For instance, in my Caddyfile I just had to write:

grist.mydomain.com {
    basic_auth {
        admin@mydomain.com tNLXbSUm25aPiukMVwWY7WZzVhNYC # hashed password
        myfriend1@email.com (...)
        myfriend2@email.com (...)
        (...)
    }
    reverse_proxy localhost:8484 {
        header_up X-Forwarded-User {http.auth.user.id}
    }
}

And then on the Grist container, I just set the environment variable GRIST_FORWARD_AUTH_HEADER: X-Forwarded-User. And that’s it.

The only issue is that I have to manually add user/password pairs, i.e., I don’t have a sign-up process, but for my use case working with friends, it is acceptable.
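One check worth adding to this setup, as an added example that is not code from the thread or from the Grist project: with GRIST_FORWARD_AUTH_HEADER set, Grist accepts whatever X-Forwarded-User value reaches it, so the only thing keeping a client from picking its own username is that the Grist port is reachable solely through Caddy. The earlier reply's advice to look at `sudo ss -tlnp` is exactly the way to confirm that. The script below parses `ss -tlnp` output and flags any listener on the Grist port that is bound to a wildcard or non-loopback address (the usual cause is a Docker `ports: "8484:8484"` mapping, which binds 0.0.0.0; `"127.0.0.1:8484:8484"` keeps it local). The sample output lines are constructed, not captured from a real host, and the port number 8484 is taken from the Caddyfile above.

```python
"""Flag forward-auth backends that are reachable without going through the proxy.

Parses `ss -tlnp` output and reports listeners on a given port that are bound
to a wildcard or non-loopback address. Sample input below is constructed.
"""
from __future__ import annotations

import ipaddress
import re

# Constructed sample: Grist (docker-proxy) published on all interfaces, which
# lets any LAN client talk to it directly and set X-Forwarded-User itself.
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      4096   127.0.0.1:8484      0.0.0.0:*         users:(("docker-proxy",pid=1201,fd=4))
LISTEN 0      4096   0.0.0.0:8484        0.0.0.0:*         users:(("docker-proxy",pid=1202,fd=4))
LISTEN 0      4096   [::]:8484           [::]:*            users:(("docker-proxy",pid=1203,fd=4))
LISTEN 0      4096   *:443               *:*               users:(("caddy",pid=998,fd=7))
LISTEN 0      128    [::1]:8484          [::]:*            users:(("docker-proxy",pid=1204,fd=4))
"""

# Constructed sample after binding the container port to 127.0.0.1 only
# (e.g. docker-compose `ports: - "127.0.0.1:8484:8484"`). Caddy stays public.
FIXED_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      4096   127.0.0.1:8484      0.0.0.0:*         users:(("docker-proxy",pid=1201,fd=4))
LISTEN 0      4096   *:443               *:*               users:(("caddy",pid=998,fd=7))
"""


def _split_host_port(local: str) -> tuple[str, int]:
    """Split an ss "Local Address:Port" field such as "[::]:8484" into ("::", 8484)."""
    host, _, port = local.rpartition(":")
    host = host.strip("[]")           # "[::1]" -> "::1"
    host = host.split("%", 1)[0]      # drop an interface scope such as "127.0.0.1%lo"
    return host, int(port)


def is_exposed(host: str) -> bool:
    """True if a socket bound to this address accepts connections from other hosts."""
    if host in ("*", "0.0.0.0", "::"):
        return True                   # wildcard bind: every interface
    try:
        return not ipaddress.ip_address(host).is_loopback
    except ValueError:
        return True                   # unrecognised form: assume it is reachable


def parse_listeners(ss_output: str) -> list[tuple[str, int, str]]:
    """Return (host, port, process_name) for every LISTEN line in `ss -tlnp` output."""
    listeners: list[tuple[str, int, str]] = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue                  # header line or something we do not understand
        host, port = _split_host_port(fields[3])
        match = re.search(r'\(\("([^"]+)"', line)   # users:(("caddy",pid=...,fd=...))
        listeners.append((host, port, match.group(1) if match else "?"))
    return listeners


def exposed_listeners(ss_output: str, port: int) -> list[str]:
    """Addresses on `port` that are reachable from outside the host itself."""
    return [host for host, p, _ in parse_listeners(ss_output)
            if p == port and is_exposed(host)]


def backend_is_private(ss_output: str, port: int) -> bool:
    """True if `port` is listening and every binding is loopback-only."""
    on_port = [host for host, p, _ in parse_listeners(ss_output) if p == port]
    return bool(on_port) and not any(is_exposed(h) for h in on_port)


if __name__ == "__main__":
    GRIST_PORT = 8484                 # from the Caddyfile's reverse_proxy target
    for label, output in (("current", SAMPLE_SS_OUTPUT), ("fixed", FIXED_SS_OUTPUT)):
        exposed = exposed_listeners(output, GRIST_PORT)
        if exposed:
            print(f"[{label}] port {GRIST_PORT} reachable without Caddy via: {', '.join(exposed)}")
            print("        anyone who can reach it can set X-Forwarded-User themselves")
        else:
            print(f"[{label}] port {GRIST_PORT} is loopback-only; only Caddy can reach Grist")
```

Run it on a real host with `sudo ss -tlnp | python3 check.py` after replacing the sample with `sys.stdin.read()`; the verdict you want is the loopback-only one, because Caddy's `header_up X-Forwarded-User` replaces the header on requests that pass through it, but it cannot do anything about requests that never reach it.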