diff --git a/docs/docs/documentation/getting-started/installation/backend-config.md b/docs/docs/documentation/getting-started/installation/backend-config.md
index e2f2156f05f..6884bd6f7d0 100644
--- a/docs/docs/documentation/getting-started/installation/backend-config.md
+++ b/docs/docs/documentation/getting-started/installation/backend-config.md
@@ -95,7 +95,7 @@ Use this only when mealie is run without a webserver or reverse proxy.
 For usage, see [Usage - OpenID Connect](../authentication/oidc-v2.md)
 | Variables | Default | Description |
-| ------------------------------------------------- | :-----: | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
+|---------------------------------------------------|:-------:|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
 | OIDC_AUTH_ENABLED | False | Enables authentication via OpenID Connect |
 | OIDC_SIGNUP_ENABLED | True | Enables new users to be created when signing in for the first time with OIDC |
 | OIDC_CONFIGURATION_URL | None | The URL to the OIDC configuration of your provider. This is usually something like https://auth.example.com/.well-known/openid-configuration |
@@ -107,6 +107,7 @@ For usage, see [Usage - OpenID Connect](../authentication/oidc-v2.md)
 | OIDC_PROVIDER_NAME | OAuth | The provider name is shown in SSO login button. "Login with " |
 | OIDC_REMEMBER_ME | False | Because redirects bypass the login screen, you cant extend your session by clicking the "Remember Me" checkbox. By setting this value to true, a session will be extended as if "Remember Me" was checked |
 | OIDC_USER_CLAIM | email | This is the claim which Mealie will use to look up an existing user by (e.g. "email", "preferred_username") |
+| OIDC_NAME_CLAIM | name | This is the claim which Mealie will use for the users Full Name |
 | OIDC_GROUPS_CLAIM | groups | Optional if not using `OIDC_USER_GROUP` or `OIDC_ADMIN_GROUP`. This is the claim Mealie will request from your IdP and will use to compare to `OIDC_USER_GROUP` or `OIDC_ADMIN_GROUP` to allow the user to log in to Mealie or is set as an admin. **Your IdP must be configured to grant this claim** |
 | OIDC_SCOPES_OVERRIDE | None | Advanced configuration used to override the scopes requested from the IdP. **Most users won't need to change this**. At a minimum, 'openid profile email' are required. |
 | OIDC_TLS_CACERTFILE | None | File path to Certificate Authority used to verify server certificate (e.g. `/path/to/ca.crt`) |
diff --git a/mealie/core/security/providers/openid_provider.py b/mealie/core/security/providers/openid_provider.py
index edae74fd1d2..5c2a4b87632 100644
--- a/mealie/core/security/providers/openid_provider.py
+++ b/mealie/core/security/providers/openid_provider.py
@@ -63,12 +63,14 @@ def authenticate(self) -> tuple[str, timedelta] | None:
 try:
 # some IdPs don't provide a username (looking at you Google), so if we don't have the claim,
 # we'll create the user with whatever the USER_CLAIM is (default email)
- username = claims.get("preferred_username", claims.get(settings.OIDC_USER_CLAIM))
+ username = claims.get(
+ "preferred_username", claims.get("username", claims.get(settings.OIDC_USER_CLAIM))
+ )
 user = repos.users.create(
 {
 "username": username,
 "password": "OIDC",
- "full_name": claims.get("name"),
+ "full_name": claims.get(settings.OIDC_NAME_CLAIM),
 "email": claims.get("email"),
 "admin": is_admin,
 "auth_method": AuthMethod.OIDC,
@@ -96,7 +98,7 @@ def authenticate(self) -> tuple[str, timedelta] | None:
 def required_claims(self):
 settings = get_app_settings()
- claims = {"name", "email", settings.OIDC_USER_CLAIM}
+ claims = {settings.OIDC_NAME_CLAIM, "email", settings.OIDC_USER_CLAIM}
 if settings.OIDC_REQUIRES_GROUP_CLAIM:
 claims.add(settings.OIDC_GROUPS_CLAIM)
 return claims
diff --git a/mealie/core/settings/settings.py b/mealie/core/settings/settings.py
index 3508ea1f69e..a0fb6e800bf 100644
--- a/mealie/core/settings/settings.py
+++ b/mealie/core/settings/settings.py
@@ -332,6 +332,7 @@ def LDAP_ENABLED(self) -> bool:
 OIDC_PROVIDER_NAME: str = "OAuth"
 OIDC_REMEMBER_ME: bool = False
 OIDC_USER_CLAIM: str = "email"
+ OIDC_NAME_CLAIM: str = "name"
 OIDC_GROUPS_CLAIM: str | None = "groups"
 OIDC_SCOPES_OVERRIDE: str | None = None
 OIDC_TLS_CACERTFILE: str | None = None
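Review bot: The new fallback chain on the `+ username = claims.get(` lines only falls through when a key is absent, not when the IdP sends `preferred_username` or `username` as null or an empty string, so a present-but-empty claim still becomes the new account's username, which the comment above ("if we don't have the claim") does not suggest. If the intent is "first claim that has a value", `username = claims.get("preferred_username") or claims.get("username") or claims.get(settings.OIDC_USER_CLAIM)` says so directly and reads better than three nested calls; the comment could then read `# first non-empty of preferred_username, username, OIDC_USER_CLAIM`. Note that the claim used for the username at creation is not the claim used to look the user up (OIDC_USER_CLAIM), so presumably two distinct IdP identities that share a `username` claim would collide on create rather than be told apart — worth a comment or an explicit check. authenticate() starts and ends outside the hunk.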
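Review bot: required_claims still has no docstring or return annotation, and the set it returns now depends on a configurable claim name whose absence from the IdP response presumably blocks login, so that consequence should be written down where an operator will see it. Suggest `def required_claims(self) -> set[str]:` with a docstring such as `"""Claims that must be present in the IdP response. OIDC_NAME_CLAIM and OIDC_USER_CLAIM come from settings, so pointing either at a claim the IdP never issues makes every OIDC login fail."""`. The same caveat belongs on the new field in the settings.py hunk, e.g. `OIDC_NAME_CLAIM: str = "name"  # copied to full_name on first OIDC login; listed in required_claims, so the IdP must issue it`. How the returned set is consumed is outside the hunk.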