mealie/docs/docs/documentation/getting-started/installation/backend-config.md
Hayden 5f6844eceb feat: Login with OAuth via OpenID Connect (OIDC) (#3280)
* initial oidc implementation

* add dynamic scheme

* e2e test setup

* add caching

* fix

* try this

* add libldap-2.5 to runtime dependencies (#2849)

* New translations en-us.json (Norwegian) (#2851)

* New Crowdin updates (#2855)

* New translations en-us.json (Italian)

* New translations en-us.json (Norwegian)

* New translations en-us.json (Portuguese)

* fix

* remove cache

* cache yarn deps

* cache docker image

* cleanup action

* lint

* fix tests

* remove not needed variables

* run code gen

* fix tests

* add docs

* move code into custom scheme

* remove unneeded type

* fix oidc admin

* add more tests

* add better spacing on login page

* create auth providers

* clean up testing stuff

* type fixes

* add OIDC auth method to postgres enum

* add option to bypass login screen and go directly to iDP

* remove check so we can fallback to another auth method oauth fails

* Add provider name to be shown at the login screen

* add new properties to admin about api

* fix spec

* add a prompt to change auth method when changing password

* Create new auth section. Add more info on auth methods

* update docs

* run ruff

* update docs

* format

* docs gen

* formatting

* initialize logger in class

* mypy type fixes

* docs gen

* add models to get proper fields in docs and fix serialization

* validate id token before using it

* only request a mealie token on initial callback

* remove unused method

* fix unit tests

* docs gen

* check for valid idToken before getting token

* add iss to mealie token

* check to see if we already have a mealie token before getting one

* fix lock file

* update authlib

* update lock file

* add remember me environment variable

* add user group setting to allow only certain groups to log in

---------

Co-authored-by: Carter Mintey <cmintey8@gmail.com>
Co-authored-by: Carter <35710697+cmintey@users.noreply.github.com>
2024-03-10 13:51:36 -05:00


Backend Configuration

API Environment Variables

General

| Variables | Default | Description |
| --- | --- | --- |
| PUID | 911 | UserID permissions between host OS and container |
| PGID | 911 | GroupID permissions between host OS and container |
| DEFAULT_GROUP | Home | The default group for users |
| BASE_URL | http://localhost:8080 | Used for Notifications |
| TOKEN_TIME | 48 | The time in hours that a login/auth token is valid |
| API_PORT | 9000 | The port exposed by the backend API. Do not change this if you're running in Docker |
| API_DOCS | True | Turns on/off access to the API documentation locally |
| ALLOW_SIGNUP | true | Allow user sign-up without token |
| TZ | UTC | Must be set to get the correct date/time on the server |

Security

| Variables | Default | Description |
| --- | --- | --- |
| SECURITY_MAX_LOGIN_ATTEMPTS | 5 | Maximum number of times a user can provide an invalid password before their account is locked |
| SECURITY_USER_LOCKOUT_TIME | 24 | Time in hours for how long a user's account stays locked |

Database

| Variables | Default | Description |
| --- | --- | --- |
| DB_ENGINE | sqlite | Optional: 'sqlite', 'postgres' |
| POSTGRES_USER | mealie | Postgres database user |
| POSTGRES_PASSWORD | mealie | Postgres database password |
| POSTGRES_SERVER | postgres | Postgres database server address |
| POSTGRES_PORT | 5432 | Postgres database port |
| POSTGRES_DB | mealie | Postgres database name |

Email

| Variables | Default | Description |
| --- | --- | --- |
| SMTP_HOST | None | Required for email |
| SMTP_PORT | 587 | Required for email |
| SMTP_FROM_NAME | Mealie | Required for email |
| SMTP_AUTH_STRATEGY | TLS | Required for email. Options: 'TLS', 'SSL', 'NONE' |
| SMTP_FROM_EMAIL | None | Required for email |
| SMTP_USER | None | Required if SMTP_AUTH_STRATEGY is 'TLS' or 'SSL' |
| SMTP_PASSWORD | None | Required if SMTP_AUTH_STRATEGY is 'TLS' or 'SSL' |

Webworker

Changing the webworker settings may cause unforeseen memory leak issues with Mealie. It's best to leave these at the defaults unless you begin to experience issues with multiple users. Exercise caution when changing these settings.

| Variables | Default | Description |
| --- | --- | --- |
| WEB_GUNICORN | false | Enables Gunicorn to manage Uvicorn web workers for multiple workers |
| WORKERS_PER_CORE | 1 | Set the number of workers to the number of CPU cores multiplied by this value (Value * CPUs). More info here |
| MAX_WORKERS | None | Set the maximum number of workers to use. Default is not set, meaning unlimited. More info here |
| WEB_CONCURRENCY | 2 | Override the automatic definition of the number of workers. More info here |

LDAP

| Variables | Default | Description |
| --- | --- | --- |
| LDAP_AUTH_ENABLED | False | Authenticate via an external LDAP server in addition to built-in Mealie auth |
| LDAP_SERVER_URL | None | LDAP server URL (e.g. ldap://ldap.example.com) |
| LDAP_TLS_INSECURE | False | Do not verify the server certificate when using secure LDAP |
| LDAP_TLS_CACERTFILE | None | File path to the Certificate Authority used to verify the server certificate (e.g. /path/to/ca.crt) |
| LDAP_ENABLE_STARTTLS | False | Optional. Use STARTTLS to connect to the server |
| LDAP_BASE_DN | None | Starting point when searching for users to authenticate (e.g. CN=Users,DC=xx,DC=yy,DC=de) |
| LDAP_QUERY_BIND | None | Optional bind user for LDAP search queries (e.g. cn=admin,cn=users,dc=example,dc=com). If None, an anonymous bind will be used |
| LDAP_QUERY_PASSWORD | None | Optional password for the bind user set in LDAP_QUERY_BIND |
| LDAP_USER_FILTER | None | Optional LDAP filter to narrow down eligible users (e.g. (memberOf=cn=mealie_user,dc=example,dc=com)) |
| LDAP_ADMIN_FILTER | None | Optional LDAP filter which tells Mealie that the LDAP user is an admin (e.g. (memberOf=cn=admins,dc=example,dc=com)) |
| LDAP_ID_ATTRIBUTE | uid | The LDAP attribute that maps to the user's id |
| LDAP_NAME_ATTRIBUTE | name | The LDAP attribute that maps to the user's name |
| LDAP_MAIL_ATTRIBUTE | mail | The LDAP attribute that maps to the user's email |

OpenID Connect (OIDC)

For usage, see Usage - OpenID Connect

| Variables | Default | Description |
| --- | --- | --- |
| OIDC_AUTH_ENABLED | False | Enables authentication via OpenID Connect |
| OIDC_SIGNUP_ENABLED | True | Enables new users to be created when signing in for the first time with OIDC |
| OIDC_CONFIGURATION_URL | None | The URL to the OIDC configuration of your provider. This is usually something like https://auth.example.com/.well-known/openid-configuration |
| OIDC_CLIENT_ID | None | The client id of your configured client in your provider |
| OIDC_USER_GROUP | None | If specified, this group must be present in the user's group claim in order to authenticate |
| OIDC_ADMIN_GROUP | None | If this group is present in the group claims, the user will be set as an admin |
| OIDC_AUTO_REDIRECT | False | If True, the login page will be bypassed and you will be sent directly to your Identity Provider. You can still get to the login page by adding ?direct=1 to the login URL |
| OIDC_PROVIDER_NAME | OAuth | The provider name shown in the SSO login button: "Login with <OIDC_PROVIDER_NAME>" |
| OIDC_REMEMBER_ME | False | Because redirects bypass the login screen, you can't extend your session by clicking the "Remember Me" checkbox. By setting this value to true, a session will be extended as if "Remember Me" was checked |
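The LDAP and OIDC tables above each contain settings where a careless value quietly weakens the deployment: LDAP_TLS_INSECURE=True, a plain ldap:// URL with LDAP_ENABLE_STARTTLS left off, an http:// OIDC_CONFIGURATION_URL, or OIDC_SIGNUP_ENABLED with no OIDC_USER_GROUP so that every account at the provider becomes a Mealie user. The script below is an added example, not part of Mealie's code base: a pre-flight audit you can run over the environment before starting the container. The variable names are the ones in the Security, LDAP and OIDC tables; the rule set, the finding messages, the helper names (is_true, check_ldap, check_oidc, check_lockout, audit) and the two sample environments are assumptions constructed for this example.

```python
"""Pre-flight audit of Mealie authentication environment variables.

Added example, not Mealie's own code. The environment is passed in as a plain
dict (what you would load from a .env file); each check returns a list of
human-readable findings and an empty list means the section looks sane.
"""
import os
from urllib.parse import urlparse

# The tables on this page spell booleans as both "True" and "true".
TRUTHY = {"1", "true", "yes", "on"}


def is_true(value):
    """Case-insensitive boolean test for an env value (None counts as false)."""
    return (value or "").strip().lower() in TRUTHY


def check_ldap(env):
    """Transport and scoping checks for the LDAP_* variables."""
    findings = []
    if not is_true(env.get("LDAP_AUTH_ENABLED")):
        return findings  # section inactive, nothing to audit
    scheme = urlparse(env.get("LDAP_SERVER_URL") or "").scheme.lower()
    if scheme != "ldaps" and not is_true(env.get("LDAP_ENABLE_STARTTLS")):
        findings.append("LDAP: plain ldap:// without LDAP_ENABLE_STARTTLS sends bind "
                        "passwords in clear text; use ldaps:// or enable STARTTLS")
    if is_true(env.get("LDAP_TLS_INSECURE")):
        findings.append("LDAP: LDAP_TLS_INSECURE=True skips server certificate "
                        "verification; point LDAP_TLS_CACERTFILE at your CA instead")
    if env.get("LDAP_QUERY_BIND") and not env.get("LDAP_QUERY_PASSWORD"):
        findings.append("LDAP: LDAP_QUERY_BIND is set but LDAP_QUERY_PASSWORD is empty")
    if not env.get("LDAP_USER_FILTER"):
        findings.append("LDAP: no LDAP_USER_FILTER, so every account under "
                        "LDAP_BASE_DN that can bind is allowed to log in")
    return findings


def check_oidc(env):
    """Discovery-URL and sign-up scoping checks for the OIDC_* variables."""
    findings = []
    if not is_true(env.get("OIDC_AUTH_ENABLED")):
        return findings
    scheme = urlparse(env.get("OIDC_CONFIGURATION_URL") or "").scheme.lower()
    if scheme != "https":
        findings.append("OIDC: OIDC_CONFIGURATION_URL is not https; the discovery "
                        "document (issuer, JWKS, endpoints) must be fetched over TLS")
    if not env.get("OIDC_CLIENT_ID"):
        findings.append("OIDC: OIDC_CLIENT_ID is not set")
    if is_true(env.get("OIDC_SIGNUP_ENABLED")) and not env.get("OIDC_USER_GROUP"):
        findings.append("OIDC: OIDC_SIGNUP_ENABLED without OIDC_USER_GROUP lets any "
                        "account at the provider create a Mealie user")
    return findings


def check_lockout(env):
    """SECURITY_* values must be positive integers when they are set at all."""
    findings = []
    for name in ("SECURITY_MAX_LOGIN_ATTEMPTS", "SECURITY_USER_LOCKOUT_TIME"):
        raw = env.get(name)
        if raw is None:
            continue  # unset: the documented default applies
        try:
            value = int(raw)
        except ValueError:
            value = -1
        if value <= 0:
            findings.append(f"SECURITY: {name}={raw!r} must be a positive integer")
    return findings


def audit(env):
    """Run every section check and return the combined list of findings."""
    return check_ldap(env) + check_oidc(env) + check_lockout(env)


# Constructed sample environments (not real deployments).
WEAK_ENV = {
    "LDAP_AUTH_ENABLED": "True",
    "LDAP_SERVER_URL": "ldap://ldap.example.com",
    "LDAP_TLS_INSECURE": "True",
    "LDAP_BASE_DN": "CN=Users,DC=example,DC=com",
    "LDAP_QUERY_BIND": "cn=admin,cn=users,dc=example,dc=com",
    "OIDC_AUTH_ENABLED": "True",
    "OIDC_CONFIGURATION_URL": "http://auth.example.com/.well-known/openid-configuration",
    "OIDC_CLIENT_ID": "mealie",
    "OIDC_SIGNUP_ENABLED": "True",
    "SECURITY_MAX_LOGIN_ATTEMPTS": "0",
}

HARDENED_ENV = {
    "LDAP_AUTH_ENABLED": "True",
    "LDAP_SERVER_URL": "ldaps://ldap.example.com",
    "LDAP_TLS_CACERTFILE": "/certs/ca.crt",
    "LDAP_BASE_DN": "CN=Users,DC=example,DC=com",
    "LDAP_QUERY_BIND": "cn=mealie-bind,cn=users,dc=example,dc=com",
    "LDAP_QUERY_PASSWORD": "<placeholder-bind-password>",
    "LDAP_USER_FILTER": "(memberOf=cn=mealie_user,dc=example,dc=com)",
    "OIDC_AUTH_ENABLED": "True",
    "OIDC_CONFIGURATION_URL": "https://auth.example.com/.well-known/openid-configuration",
    "OIDC_CLIENT_ID": "mealie",
    "OIDC_SIGNUP_ENABLED": "True",
    "OIDC_USER_GROUP": "mealie_user",
    "SECURITY_MAX_LOGIN_ATTEMPTS": "5",
}

if __name__ == "__main__":
    for label, env in (("weak", WEAK_ENV), ("hardened", HARDENED_ENV)):
        print(f"[{label}] {len(audit(env))} finding(s)")
        for line in audit(env):
            print("  -", line)
    # To audit a real deployment instead: audit(dict(os.environ))
```

Run as-is to see the two constructed environments side by side (the weak one produces findings for every mistake listed in the lead-in, the hardened one none); to check a live host, call audit(dict(os.environ)) in the same shell that sources the .env file. The checks only read variable names documented on this page and do not connect to the LDAP server or the OIDC provider, so they are safe to run in CI before an image is rolled out.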

Theming

Setting the following environment variables will change the theme of the frontend. Note that the theme is the same for all users. This is a breaking change when migrating from v0.x.x -> 1.x.x.

| Variables | Default | Description |
| --- | --- | --- |
| THEME_LIGHT_PRIMARY | #E58325 | Light Theme Config Variable |
| THEME_LIGHT_ACCENT | #007A99 | Light Theme Config Variable |
| THEME_LIGHT_SECONDARY | #973542 | Light Theme Config Variable |
| THEME_LIGHT_SUCCESS | #43A047 | Light Theme Config Variable |
| THEME_LIGHT_INFO | #1976D2 | Light Theme Config Variable |
| THEME_LIGHT_WARNING | #FF6D00 | Light Theme Config Variable |
| THEME_LIGHT_ERROR | #EF5350 | Light Theme Config Variable |
| THEME_DARK_PRIMARY | #E58325 | Dark Theme Config Variable |
| THEME_DARK_ACCENT | #007A99 | Dark Theme Config Variable |
| THEME_DARK_SECONDARY | #973542 | Dark Theme Config Variable |
| THEME_DARK_SUCCESS | #43A047 | Dark Theme Config Variable |
| THEME_DARK_INFO | #1976D2 | Dark Theme Config Variable |
| THEME_DARK_WARNING | #FF6D00 | Dark Theme Config Variable |
| THEME_DARK_ERROR | #EF5350 | Dark Theme Config Variable |