From 9547c3baec401e0eddb24a812631fecbc441dde4 Mon Sep 17 00:00:00 2001
From: noway_/
Date: Tue, 16 Jul 2024 14:00:03 +0200
Subject: [PATCH 1/2] =?UTF-8?q?=20=F0=9F=94=A7=20add=20OIDC=20scope=20opti?=
 =?UTF-8?q?on?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 docs/authentication.md | 2 ++
 docs/configuring.md | 1 +
 src/utils/ConfigSchema.json | 7 ++++++-
 src/utils/OidcAuth.js | 4 ++--
 4 files changed, 11 insertions(+), 3 deletions(-)

diff --git a/docs/authentication.md b/docs/authentication.md
index 7cf49a202b..d06ce3688d 100644
--- a/docs/authentication.md
+++ b/docs/authentication.md
@@ -15,6 +15,7 @@
 - [Setting up Keycloak](#2-setup-keycloak-users)
 - [Configuring Dashy for Keycloak](#3-enable-keycloak-in-dashy-config-file)
 - [Toubleshooting Keycloak](#troubleshooting-keycloak)
+- [OpenID Connect](#oidc)
 - [Alternative Authentication Methods](#alternative-authentication-methods)
 - [VPN](#vpn)
 - [IP-Based Access](#ip-based-access)
@@ -283,6 +284,7 @@ appConfig:
 oidc:
 clientId: [registered client id]
 endpoint: [OIDC endpoint]
+ scope: [The scope(s) to request from the OIDC provider]
 ```
 
 Because Dashy is a SPA, a [public client](https://datatracker.ietf.org/doc/html/rfc6749#section-2.1) registration with PKCE is needed.
diff --git a/docs/configuring.md b/docs/configuring.md
index acf935757d..c10088f060 100644
--- a/docs/configuring.md
+++ b/docs/configuring.md
@@ -202,6 +202,7 @@ For more info, see the **[Authentication Docs](/docs/authentication.md)**
 --- | --- | --- | ---
 **`clientId`** | `string` | Required | The client id registered in the OIDC server
 **`endpoint`** | `string` | Required | The URL of the OIDC server that should be used.
+**`scope`** | `string` | Required | The scope(s) to request from the OIDC provider
 
 **[⬆️ Back to Top](#configuring)**
 
diff --git a/src/utils/ConfigSchema.json b/src/utils/ConfigSchema.json
index 6d37322731..4fe057604d 100644
--- a/src/utils/ConfigSchema.json
+++ b/src/utils/ConfigSchema.json
@@ -565,7 +565,12 @@
 "title": "OIDC Client Id",
 "type": "string",
 "description": "ClientId from OIDC provider"
- }
+ },
+ "scope" : {
+ "title": "OIDC Scope",
+ "type": "string",
+ "description": "The scope(s) to request from the OIDC provider"
+ }
 }
 },
 "enableHeaderAuth": {
diff --git a/src/utils/OidcAuth.js b/src/utils/OidcAuth.js
index 9cec09596a..4d6b6e03f1 100644
--- a/src/utils/OidcAuth.js
+++ b/src/utils/OidcAuth.js
@@ -13,14 +13,14 @@ const getAppConfig = () => {
 class OidcAuth {
 constructor() {
 const { auth } = getAppConfig();
- const { clientId, endpoint } = auth.oidc;
+ const { clientId, endpoint, scope } = auth.oidc;
 const settings = {
 userStore: new WebStorageStateStore({ store: window.localStorage }),
 authority: endpoint,
 client_id: clientId,
 redirect_uri: `${window.location.origin}`,
 response_type: 'code',
- scope: 'openid profile email roles groups',
+ scope,
 response_mode: 'query',
 filterProtocolClaims: true,
 };

From 439c73c89f1c7853eb2f8aa0809d7195c06431c3 Mon Sep 17 00:00:00 2001
From: Alicia Sykes
Date: Sat, 17 Aug 2024 15:31:20 +0100
Subject: [PATCH 2/2] =?UTF-8?q?=E2=9C=A8=20Specify=20scope,=20or=20fallbac?=
 =?UTF-8?q?k=20to=20sensible?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 src/utils/OidcAuth.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/utils/OidcAuth.js b/src/utils/OidcAuth.js
index 4d6b6e03f1..5d43840428 100644
--- a/src/utils/OidcAuth.js
+++ b/src/utils/OidcAuth.js
@@ -20,7 +20,7 @@ class OidcAuth {
 client_id: clientId,
 redirect_uri: `${window.location.origin}`,
 response_type: 'code',
- scope,
+ scope: scope || 'openid profile email roles groups',
 response_mode: 'query',
 filterProtocolClaims: true,
 };
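Review bot: The new `"scope"` schema entry carries no `default` and its description does not say what happens when the option is omitted, and `"scope" : {` breaks the `"key": {` spacing its sibling properties use. The second patch in this series makes OidcAuth.js fall back to `'openid profile email roles groups'`, so the schema should reflect that, e.g. `"default": "openid profile email roles groups"` together with `"description": "Space-separated scope(s) to request from the OIDC provider; must include openid. Defaults to 'openid profile email roles groups' when omitted"`. The configuring.md row added in this same patch labels `scope` as Required, which contradicts that fallback and should read Optional with the default listed.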
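Review bot: The fallback `scope: scope || 'openid profile email roles groups'` makes the option optional, but nothing validates a configured value: a `scope` that leaves out `openid` turns the request into a plain OAuth authorization request with no ID token, and the misconfiguration only surfaces later as a missing profile rather than at startup. I would hoist the default into a named module-level constant and warn when the configured scope lacks `openid`, keeping `||` (an empty string should also fall back) and the destructured `scope` as the source. The constructor this hunk belongs to starts above the hunk, so the check goes before `const settings = {`.
```javascript
const DEFAULT_OIDC_SCOPE = 'openid profile email roles groups';
// … unchanged: getAppConfig, class header, destructuring of auth.oidc …
const requestedScope = scope || DEFAULT_OIDC_SCOPE;
if (!requestedScope.split(/\s+/).includes('openid')) {
  console.warn('auth.oidc.scope does not include "openid"; the provider will not issue an ID token');
}
const settings = {
  // … unchanged: userStore, authority, client_id, redirect_uri, response_type …
  scope: requestedScope,
  // … unchanged: response_mode, filterProtocolClaims …
```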