github/mealie
1
0
Fork 0
mirror of https://github.com/mealie-recipes/mealie.git synced 2025-03-12 04:35:35 -07:00
Code Issues Packages Projects Releases Wiki Activity

fix: Enable OIDC with Synology SSO Server ()

Browse Source
This commit is contained in:
Jonas Graubner 2024-11-19 15:15:58 +01:00 committed by GitHub
parent f194a6d8c8
commit 426f91fb50
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
3 changed files with 8 additions and 4 deletions
docs/docs/documentation/getting-started/installation
backend-config.md
mealie/core
security/providers
openid_provider.py
settings
settings.py

3
docs/docs/documentation/getting-started/installation/backend-config.md

@ -95,7 +95,7 @@ Use this only when mealie is run without a webserver or reverse proxy.
For usage, see [Usage - OpenID Connect](../authentication/oidc-v2.md)
| Variables | Default | Description |
| ------------------------------------------------- | :-----: | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
|---------------------------------------------------|:-------:|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| OIDC_AUTH_ENABLED | False | Enables authentication via OpenID Connect |
| OIDC_SIGNUP_ENABLED | True | Enables new users to be created when signing in for the first time with OIDC |
| OIDC_CONFIGURATION_URL | None | The URL to the OIDC configuration of your provider. This is usually something like https://auth.example.com/.well-known/openid-configuration |
@ -107,6 +107,7 @@ For usage, see [Usage - OpenID Connect](../authentication/oidc-v2.md)
| OIDC_PROVIDER_NAME | OAuth | The provider name is shown in SSO login button. "Login with <OIDC_PROVIDER_NAME\>" |
| OIDC_REMEMBER_ME | False | Because redirects bypass the login screen, you cant extend your session by clicking the "Remember Me" checkbox. By setting this value to true, a session will be extended as if "Remember Me" was checked |
| OIDC_USER_CLAIM | email | This is the claim which Mealie will use to look up an existing user by (e.g. "email", "preferred_username") |
| OIDC_NAME_CLAIM | name | This is the claim which Mealie will use for the users Full Name |
| OIDC_GROUPS_CLAIM | groups | Optional if not using `OIDC_USER_GROUP` or `OIDC_ADMIN_GROUP`. This is the claim Mealie will request from your IdP and will use to compare to `OIDC_USER_GROUP` or `OIDC_ADMIN_GROUP` to allow the user to log in to Mealie or is set as an admin. **Your IdP must be configured to grant this claim** |
| OIDC_SCOPES_OVERRIDE | None | Advanced configuration used to override the scopes requested from the IdP. **Most users won't need to change this**. At a minimum, 'openid profile email' are required. |
| OIDC_TLS_CACERTFILE | None | File path to Certificate Authority used to verify server certificate (e.g. `/path/to/ca.crt`) |

8
mealie/core/security/providers/openid_provider.py

@ -63,12 +63,14 @@ class OpenIDProvider(AuthProvider[UserInfo]):
try:
# some IdPs don't provide a username (looking at you Google), so if we don't have the claim,
# we'll create the user with whatever the USER_CLAIM is (default email)
username = claims.get("preferred_username", claims.get(settings.OIDC_USER_CLAIM))
username = claims.get(
"preferred_username", claims.get("username", claims.get(settings.OIDC_USER_CLAIM))
)
user = repos.users.create(
{
"username": username,
"password": "OIDC",
"full_name": claims.get("name"),
"full_name": claims.get(settings.OIDC_NAME_CLAIM),
"email": claims.get("email"),
"admin": is_admin,
"auth_method": AuthMethod.OIDC,
@ -96,7 +98,7 @@ class OpenIDProvider(AuthProvider[UserInfo]):
def required_claims(self):
settings = get_app_settings()
claims = {"name", "email", settings.OIDC_USER_CLAIM}
claims = {settings.OIDC_NAME_CLAIM, "email", settings.OIDC_USER_CLAIM}
if settings.OIDC_REQUIRES_GROUP_CLAIM:
claims.add(settings.OIDC_GROUPS_CLAIM)
return claims

1
mealie/core/settings/settings.py

@ -332,6 +332,7 @@ class AppSettings(AppLoggingSettings):
OIDC_PROVIDER_NAME: str = "OAuth"
OIDC_REMEMBER_ME: bool = False
OIDC_USER_CLAIM: str = "email"
OIDC_NAME_CLAIM: str = "name"
OIDC_GROUPS_CLAIM: str | None = "groups"
OIDC_SCOPES_OVERRIDE: str | None = None
OIDC_TLS_CACERTFILE: str | None = None