Mirrors/mealie
1
0
Fork 0
mirror of https://github.com/mealie-recipes/mealie.git synced 2025-10-29 01:04:18 -04:00
Code Issues Packages Projects Releases Wiki Activity

fix: Enable OIDC with Synology SSO Server (#4544)

Browse Source
This commit is contained in:
Jonas Graubner
2024-11-19 15:15:58 +01:00
committed by GitHub
parent f194a6d8c8
commit 426f91fb50
3 changed files with 8 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
docs/docs/documentation/getting-started/installation/backend-config.md
View File

@@ -95,7 +95,7 @@ Use this only when mealie is run without a webserver or reverse proxy.
For usage, see [Usage - OpenID Connect](../authentication/oidc-v2.md) For usage, see [Usage - OpenID Connect](../authentication/oidc-v2.md)
| Variables | Default | Description | | Variables | Default | Description |
| ------------------------------------------------- | :-----: | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | |---------------------------------------------------|:-------:|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| OIDC_AUTH_ENABLED | False | Enables authentication via OpenID Connect | | OIDC_AUTH_ENABLED | False | Enables authentication via OpenID Connect |
| OIDC_SIGNUP_ENABLED | True | Enables new users to be created when signing in for the first time with OIDC | | OIDC_SIGNUP_ENABLED | True | Enables new users to be created when signing in for the first time with OIDC |
| OIDC_CONFIGURATION_URL | None | The URL to the OIDC configuration of your provider. This is usually something like https://auth.example.com/.well-known/openid-configuration | | OIDC_CONFIGURATION_URL | None | The URL to the OIDC configuration of your provider. This is usually something like https://auth.example.com/.well-known/openid-configuration |
@@ -107,6 +107,7 @@ For usage, see [Usage - OpenID Connect](../authentication/oidc-v2.md)
| OIDC_PROVIDER_NAME | OAuth | The provider name is shown in SSO login button. "Login with <OIDC_PROVIDER_NAME\>" | | OIDC_PROVIDER_NAME | OAuth | The provider name is shown in SSO login button. "Login with <OIDC_PROVIDER_NAME\>" |
| OIDC_REMEMBER_ME | False | Because redirects bypass the login screen, you cant extend your session by clicking the "Remember Me" checkbox. By setting this value to true, a session will be extended as if "Remember Me" was checked | | OIDC_REMEMBER_ME | False | Because redirects bypass the login screen, you cant extend your session by clicking the "Remember Me" checkbox. By setting this value to true, a session will be extended as if "Remember Me" was checked |
| OIDC_USER_CLAIM | email | This is the claim which Mealie will use to look up an existing user by (e.g. "email", "preferred_username") | | OIDC_USER_CLAIM | email | This is the claim which Mealie will use to look up an existing user by (e.g. "email", "preferred_username") |
| OIDC_NAME_CLAIM | name | This is the claim which Mealie will use for the users Full Name |
| OIDC_GROUPS_CLAIM | groups | Optional if not using `OIDC_USER_GROUP` or `OIDC_ADMIN_GROUP`. This is the claim Mealie will request from your IdP and will use to compare to `OIDC_USER_GROUP` or `OIDC_ADMIN_GROUP` to allow the user to log in to Mealie or is set as an admin. **Your IdP must be configured to grant this claim** | | OIDC_GROUPS_CLAIM | groups | Optional if not using `OIDC_USER_GROUP` or `OIDC_ADMIN_GROUP`. This is the claim Mealie will request from your IdP and will use to compare to `OIDC_USER_GROUP` or `OIDC_ADMIN_GROUP` to allow the user to log in to Mealie or is set as an admin. **Your IdP must be configured to grant this claim** |
| OIDC_SCOPES_OVERRIDE | None | Advanced configuration used to override the scopes requested from the IdP. **Most users won't need to change this**. At a minimum, 'openid profile email' are required. | | OIDC_SCOPES_OVERRIDE | None | Advanced configuration used to override the scopes requested from the IdP. **Most users won't need to change this**. At a minimum, 'openid profile email' are required. |
| OIDC_TLS_CACERTFILE | None | File path to Certificate Authority used to verify server certificate (e.g. `/path/to/ca.crt`) | | OIDC_TLS_CACERTFILE | None | File path to Certificate Authority used to verify server certificate (e.g. `/path/to/ca.crt`) |

8
mealie/core/security/providers/openid_provider.py
View File

@@ -63,12 +63,14 @@ class OpenIDProvider(AuthProvider[UserInfo]):
try: try:
# some IdPs don't provide a username (looking at you Google), so if we don't have the claim, # some IdPs don't provide a username (looking at you Google), so if we don't have the claim,
# we'll create the user with whatever the USER_CLAIM is (default email) # we'll create the user with whatever the USER_CLAIM is (default email)
username = claims.get("preferred_username", claims.get(settings.OIDC_USER_CLAIM)) username = claims.get(
"preferred_username", claims.get("username", claims.get(settings.OIDC_USER_CLAIM))
)
user = repos.users.create( user = repos.users.create(
{ {
"username": username, "username": username,
"password": "OIDC", "password": "OIDC",
"full_name": claims.get("name"), "full_name": claims.get(settings.OIDC_NAME_CLAIM),
"email": claims.get("email"), "email": claims.get("email"),
"admin": is_admin, "admin": is_admin,
"auth_method": AuthMethod.OIDC, "auth_method": AuthMethod.OIDC,
@@ -96,7 +98,7 @@ class OpenIDProvider(AuthProvider[UserInfo]):
def required_claims(self): def required_claims(self):
settings = get_app_settings() settings = get_app_settings()
claims = {"name", "email", settings.OIDC_USER_CLAIM} claims = {settings.OIDC_NAME_CLAIM, "email", settings.OIDC_USER_CLAIM}
if settings.OIDC_REQUIRES_GROUP_CLAIM: if settings.OIDC_REQUIRES_GROUP_CLAIM:
claims.add(settings.OIDC_GROUPS_CLAIM) claims.add(settings.OIDC_GROUPS_CLAIM)
return claims return claims

1
mealie/core/settings/settings.py
View File

@@ -332,6 +332,7 @@ class AppSettings(AppLoggingSettings):
OIDC_PROVIDER_NAME: str = "OAuth" OIDC_PROVIDER_NAME: str = "OAuth"
OIDC_REMEMBER_ME: bool = False OIDC_REMEMBER_ME: bool = False
OIDC_USER_CLAIM: str = "email" OIDC_USER_CLAIM: str = "email"
OIDC_NAME_CLAIM: str = "name"
OIDC_GROUPS_CLAIM: str | None = "groups" OIDC_GROUPS_CLAIM: str | None = "groups"
OIDC_SCOPES_OVERRIDE: str | None = None OIDC_SCOPES_OVERRIDE: str | None = None
OIDC_TLS_CACERTFILE: str | None = None OIDC_TLS_CACERTFILE: str | None = None