docs/docs/documentation/getting-started/authentication/oidc.md

# OpenID Connect (OIDC) Authentication

Mealie supports 3rd party authentication via [OpenID Connect (OIDC)](https://openid.net/connect/), an identity layer built on top of OAuth2. OIDC is supported by many identity providers, including:

- [Authentik](https://goauthentik.io/integrations/sources/oauth/#openid-connect)
- [Authelia](https://www.authelia.com/configuration/identity-providers/open-id-connect/)
- [Keycloak](https://www.keycloak.org/docs/latest/securing_apps/#_oidc)
- [Okta](https://www.okta.com/openid-connect/)

## Account Linking

Signing in with OAuth will automatically find your account in Mealie and link to it. If a user does not exist in Mealie, then one will be created (if enabled), but will be unable to log in with any other authentication method. An admin can configure another authentication method for such a user.

## Provider Setup

Before you can start using OIDC Authentication, you must first configure a new client application in your identity provider. Your identity provider must support the OAuth **Authorization Code flow with PKCE**. The steps will vary by provider, but generally, the steps are as follows.

1. Create a new client application
    - The Provider type should be OIDC or OAuth2
    - The Grant type should be `Authorization Code`
    - The Application type should be `Web`
    - The Client type should be `public`

2. Configure redirect URI

    The only redirect URI that is needed is `http(s)://DOMAIN:PORT/login`

    The redirect URI should include any URL that Mealie is accessible from. Some examples include

        http://localhost:9091/login
        https://mealie.example.com/login

3. Configure origins

    If your identity provider enforces CORS on any endpoints, you will need to specify your Mealie URL as an Allowed Origin.

4. Configure allowed scopes

    The scopes required are `openid profile email groups`

## Mealie Setup

Take the client id and your discovery URL and update your environment variables to include the required OIDC variables described in [Installation - Backend Configuration](../installation/backend-config.md#openid-connect-oidc).

## Examples

### Authelia

Follow the instructions in [Authelia's documentation](https://www.authelia.com/configuration/identity-providers/open-id-connect/). Below is an example config.

!!! warning

    This is only an example and not meant to be an exhaustive configuration. You should read through the documentation and adjust your configuration as needed.

=== "v4.37"

    This configuration format has been deprecated in Authelia v4.38. It is still valid, however it will eventually be removed.

    ```yaml
    identity_providers:
        oidc:
            access_token_lifespan: 1h
            authorize_code_lifespan: 1m
            id_token_lifespan: 1h
            refresh_token_lifespan: 90m
            enable_client_debug_messages: false
            enforce_pkce: public_clients_only
            cors:
                endpoints:
                    - authorization
                    - token
                    - revocation
                    - introspection
            allowed_origins:
                - https://mealie.example.com
            clients:
                - id: mealie
                description: Mealie
                authorization_policy: one_factor
                redirect_uris:
                    - https://mealie.example.com/login
                public: true
                grant_types:
                    - authorization_code
                scopes:
                    - openid
                    - profile
                    - groups
                    - email
    ```

=== "v4.38"

    The configuration in Authelia v4.38 has changed. Although the old configuration will still work, it is deprecated and will eventually be removed.

    ```yaml
    identity_providers:
        oidc:
            jwks:
                - key: {{ secret "/secrets/private_key_file" | mindent 10 "|" | msquote }}
            enforce_pkce: public_clients_only
            cors:
            endpoints:
                - userinfo
                - authorization
                - token
                - revocation
                - introspection
            allowed_origins:
                - https://mealie.example.com
            allowed_origins_from_client_redirect_uris: false
            clients:
                - client_id: mealie
                client_name: Mealie
                authorization_policy: one_factor
                redirect_uris:
                    - https://mealie.example.com/login
                public: true
                pkce_challenge_method: S256
                grant_types:
                    - authorization_code
                scopes:
                    - openid
                    - profile
                    - groups
                    - email
    ```
feat: Login with OAuth via OpenID Connect (OIDC) (#3280) * initial oidc implementation * add dynamic scheme * e2e test setup * add caching * fix * try this * add libldap-2.5 to runtime dependencies (#2849) * New translations en-us.json (Norwegian) (#2851) * New Crowdin updates (#2855) * New translations en-us.json (Italian) * New translations en-us.json (Norwegian) * New translations en-us.json (Portuguese) * fix * remove cache * cache yarn deps * cache docker image * cleanup action * lint * fix tests * remove not needed variables * run code gen * fix tests * add docs * move code into custom scheme * remove unneeded type * fix oidc admin * add more tests * add better spacing on login page * create auth providers * clean up testing stuff * type fixes * add OIDC auth method to postgres enum * add option to bypass login screen and go directly to iDP * remove check so we can fallback to another auth method oauth fails * Add provider name to be shown at the login screen * add new properties to admin about api * fix spec * add a prompt to change auth method when changing password * Create new auth section. Add more info on auth methods * update docs * run ruff * update docs * format * docs gen * formatting * initialize logger in class * mypy type fixes * docs gen * add models to get proper fields in docs and fix serialization * validate id token before using it * only request a mealie token on initial callback * remove unused method * fix unit tests * docs gen * check for valid idToken before getting token * add iss to mealie token * check to see if we already have a mealie token before getting one * fix lock file * update authlib * update lock file * add remember me environment variable * add user group setting to allow only certain groups to log in --------- Co-authored-by: Carter Mintey <cmintey8@gmail.com> Co-authored-by: Carter <35710697+cmintey@users.noreply.github.com> 2024-03-10 13:51:36 -05:00			`# OpenID Connect (OIDC) Authentication`

			`Mealie supports 3rd party authentication via [OpenID Connect (OIDC)](https://openid.net/connect/), an identity layer built on top of OAuth2. OIDC is supported by many identity providers, including:`

			`- [Authentik](https://goauthentik.io/integrations/sources/oauth/#openid-connect)`
			`- [Authelia](https://www.authelia.com/configuration/identity-providers/open-id-connect/)`
			`- [Keycloak](https://www.keycloak.org/docs/latest/securing_apps/#_oidc)`
			`- [Okta](https://www.okta.com/openid-connect/)`

			`## Account Linking`

			`Signing in with OAuth will automatically find your account in Mealie and link to it. If a user does not exist in Mealie, then one will be created (if enabled), but will be unable to log in with any other authentication method. An admin can configure another authentication method for such a user.`

			`## Provider Setup`

clarify docs 2024-03-16 01:41:38 +00:00			`Before you can start using OIDC Authentication, you must first configure a new client application in your identity provider. Your identity provider must support the OAuth Authorization Code flow with PKCE. The steps will vary by provider, but generally, the steps are as follows.`
feat: Login with OAuth via OpenID Connect (OIDC) (#3280) * initial oidc implementation * add dynamic scheme * e2e test setup * add caching * fix * try this * add libldap-2.5 to runtime dependencies (#2849) * New translations en-us.json (Norwegian) (#2851) * New Crowdin updates (#2855) * New translations en-us.json (Italian) * New translations en-us.json (Norwegian) * New translations en-us.json (Portuguese) * fix * remove cache * cache yarn deps * cache docker image * cleanup action * lint * fix tests * remove not needed variables * run code gen * fix tests * add docs * move code into custom scheme * remove unneeded type * fix oidc admin * add more tests * add better spacing on login page * create auth providers * clean up testing stuff * type fixes * add OIDC auth method to postgres enum * add option to bypass login screen and go directly to iDP * remove check so we can fallback to another auth method oauth fails * Add provider name to be shown at the login screen * add new properties to admin about api * fix spec * add a prompt to change auth method when changing password * Create new auth section. Add more info on auth methods * update docs * run ruff * update docs * format * docs gen * formatting * initialize logger in class * mypy type fixes * docs gen * add models to get proper fields in docs and fix serialization * validate id token before using it * only request a mealie token on initial callback * remove unused method * fix unit tests * docs gen * check for valid idToken before getting token * add iss to mealie token * check to see if we already have a mealie token before getting one * fix lock file * update authlib * update lock file * add remember me environment variable * add user group setting to allow only certain groups to log in --------- Co-authored-by: Carter Mintey <cmintey8@gmail.com> Co-authored-by: Carter <35710697+cmintey@users.noreply.github.com> 2024-03-10 13:51:36 -05:00
			`1. Create a new client application`
			`- The Provider type should be OIDC or OAuth2`
			- The Grant type should be `Authorization Code`
			- The Application type should be `Web`
			- The Client type should be `public`

			`2. Configure redirect URI`

			The only redirect URI that is needed is `http(s)://DOMAIN:PORT/login`

			`The redirect URI should include any URL that Mealie is accessible from. Some examples include`

			`http://localhost:9091/login`
			`https://mealie.example.com/login`

			`3. Configure origins`

			`If your identity provider enforces CORS on any endpoints, you will need to specify your Mealie URL as an Allowed Origin.`

			`4. Configure allowed scopes`

			The scopes required are `openid profile email groups`

			`## Mealie Setup`

Fix typos (#3285) 2024-03-11 20:08:32 +11:00			`Take the client id and your discovery URL and update your environment variables to include the required OIDC variables described in [Installation - Backend Configuration](../installation/backend-config.md#openid-connect-oidc).`
feat: Login with OAuth via OpenID Connect (OIDC) (#3280) * initial oidc implementation * add dynamic scheme * e2e test setup * add caching * fix * try this * add libldap-2.5 to runtime dependencies (#2849) * New translations en-us.json (Norwegian) (#2851) * New Crowdin updates (#2855) * New translations en-us.json (Italian) * New translations en-us.json (Norwegian) * New translations en-us.json (Portuguese) * fix * remove cache * cache yarn deps * cache docker image * cleanup action * lint * fix tests * remove not needed variables * run code gen * fix tests * add docs * move code into custom scheme * remove unneeded type * fix oidc admin * add more tests * add better spacing on login page * create auth providers * clean up testing stuff * type fixes * add OIDC auth method to postgres enum * add option to bypass login screen and go directly to iDP * remove check so we can fallback to another auth method oauth fails * Add provider name to be shown at the login screen * add new properties to admin about api * fix spec * add a prompt to change auth method when changing password * Create new auth section. Add more info on auth methods * update docs * run ruff * update docs * format * docs gen * formatting * initialize logger in class * mypy type fixes * docs gen * add models to get proper fields in docs and fix serialization * validate id token before using it * only request a mealie token on initial callback * remove unused method * fix unit tests * docs gen * check for valid idToken before getting token * add iss to mealie token * check to see if we already have a mealie token before getting one * fix lock file * update authlib * update lock file * add remember me environment variable * add user group setting to allow only certain groups to log in --------- Co-authored-by: Carter Mintey <cmintey8@gmail.com> Co-authored-by: Carter <35710697+cmintey@users.noreply.github.com> 2024-03-10 13:51:36 -05:00
			`## Examples`

			`### Authelia`

Fix typos (#3285) 2024-03-11 20:08:32 +11:00			`Follow the instructions in [Authelia's documentation](https://www.authelia.com/configuration/identity-providers/open-id-connect/). Below is an example config.`
feat: Login with OAuth via OpenID Connect (OIDC) (#3280) * initial oidc implementation * add dynamic scheme * e2e test setup * add caching * fix * try this * add libldap-2.5 to runtime dependencies (#2849) * New translations en-us.json (Norwegian) (#2851) * New Crowdin updates (#2855) * New translations en-us.json (Italian) * New translations en-us.json (Norwegian) * New translations en-us.json (Portuguese) * fix * remove cache * cache yarn deps * cache docker image * cleanup action * lint * fix tests * remove not needed variables * run code gen * fix tests * add docs * move code into custom scheme * remove unneeded type * fix oidc admin * add more tests * add better spacing on login page * create auth providers * clean up testing stuff * type fixes * add OIDC auth method to postgres enum * add option to bypass login screen and go directly to iDP * remove check so we can fallback to another auth method oauth fails * Add provider name to be shown at the login screen * add new properties to admin about api * fix spec * add a prompt to change auth method when changing password * Create new auth section. Add more info on auth methods * update docs * run ruff * update docs * format * docs gen * formatting * initialize logger in class * mypy type fixes * docs gen * add models to get proper fields in docs and fix serialization * validate id token before using it * only request a mealie token on initial callback * remove unused method * fix unit tests * docs gen * check for valid idToken before getting token * add iss to mealie token * check to see if we already have a mealie token before getting one * fix lock file * update authlib * update lock file * add remember me environment variable * add user group setting to allow only certain groups to log in --------- Co-authored-by: Carter Mintey <cmintey8@gmail.com> Co-authored-by: Carter <35710697+cmintey@users.noreply.github.com> 2024-03-10 13:51:36 -05:00
			`!!! warning`

Fix typos (#3285) 2024-03-11 20:08:32 +11:00			`This is only an example and not meant to be an exhaustive configuration. You should read through the documentation and adjust your configuration as needed.`
feat: Login with OAuth via OpenID Connect (OIDC) (#3280) * initial oidc implementation * add dynamic scheme * e2e test setup * add caching * fix * try this * add libldap-2.5 to runtime dependencies (#2849) * New translations en-us.json (Norwegian) (#2851) * New Crowdin updates (#2855) * New translations en-us.json (Italian) * New translations en-us.json (Norwegian) * New translations en-us.json (Portuguese) * fix * remove cache * cache yarn deps * cache docker image * cleanup action * lint * fix tests * remove not needed variables * run code gen * fix tests * add docs * move code into custom scheme * remove unneeded type * fix oidc admin * add more tests * add better spacing on login page * create auth providers * clean up testing stuff * type fixes * add OIDC auth method to postgres enum * add option to bypass login screen and go directly to iDP * remove check so we can fallback to another auth method oauth fails * Add provider name to be shown at the login screen * add new properties to admin about api * fix spec * add a prompt to change auth method when changing password * Create new auth section. Add more info on auth methods * update docs * run ruff * update docs * format * docs gen * formatting * initialize logger in class * mypy type fixes * docs gen * add models to get proper fields in docs and fix serialization * validate id token before using it * only request a mealie token on initial callback * remove unused method * fix unit tests * docs gen * check for valid idToken before getting token * add iss to mealie token * check to see if we already have a mealie token before getting one * fix lock file * update authlib * update lock file * add remember me environment variable * add user group setting to allow only certain groups to log in --------- Co-authored-by: Carter Mintey <cmintey8@gmail.com> Co-authored-by: Carter <35710697+cmintey@users.noreply.github.com> 2024-03-10 13:51:36 -05:00
update authelia example config 2024-03-16 01:37:55 +00:00			`=== "v4.37"`

			`This configuration format has been deprecated in Authelia v4.38. It is still valid, however it will eventually be removed.`

			```yaml
			`identity_providers:`
			`oidc:`
			`access_token_lifespan: 1h`
			`authorize_code_lifespan: 1m`
			`id_token_lifespan: 1h`
			`refresh_token_lifespan: 90m`
			`enable_client_debug_messages: false`
			`enforce_pkce: public_clients_only`
			`cors:`
			`endpoints:`
			`- authorization`
			`- token`
			`- revocation`
			`- introspection`
			`allowed_origins:`
			`- https://mealie.example.com`
			`clients:`
			`- id: mealie`
			`description: Mealie`
			`authorization_policy: one_factor`
			`redirect_uris:`
			`- https://mealie.example.com/login`
			`public: true`
			`grant_types:`
			`- authorization_code`
			`scopes:`
			`- openid`
			`- profile`
			`- groups`
			`- email`
			```

			`=== "v4.38"`

			`The configuration in Authelia v4.38 has changed. Although the old configuration will still work, it is deprecated and will eventually be removed.`

			```yaml
			`identity_providers:`
			`oidc:`
			`jwks:`
			`- key: {{ secret "/secrets/private_key_file" \| mindent 10 "\|" \| msquote }}`
			`enforce_pkce: public_clients_only`
			`cors:`
			`endpoints:`
			`- userinfo`
			`- authorization`
			`- token`
			`- revocation`
			`- introspection`
			`allowed_origins:`
			`- https://mealie.example.com`
			`allowed_origins_from_client_redirect_uris: false`
			`clients:`
			`- client_id: mealie`
			`client_name: Mealie`
			`authorization_policy: one_factor`
			`redirect_uris:`
			`- https://mealie.example.com/login`
			`public: true`
			`pkce_challenge_method: S256`
			`grant_types:`
			`- authorization_code`
			`scopes:`
			`- openid`
			`- profile`
			`- groups`
			`- email`
			```