also: https://wiki.roundup-tracker.org/OauthAuthentication

I think there are two main ways: * simple but possibly insecure; * replace login form in roadmap with login button redirecting to SSO * add hook on SSO register to add user to roadmap and dummy password generated/stored in vault * pass user:specificPassword in authorization header to roadmap * difficult: * integrate OIDC into login procedure in roadmap (cf. wiki link)

maybe it can be done in steps: first the simple step, then pass token to roadmap and check OIDC claims in login procedure (still needs users created in hook from SSO, with no password this time and safeguard not to check local password)