From 7df34890d4f75b9e249f703031f3ecc991ff1ec1 Mon Sep 17 00:00:00 2001 From: Carter Mintey Date: Sat, 16 Mar 2024 01:37:55 +0000 Subject: [PATCH 1/5] update authelia example config --- .../getting-started/authentication/oidc.md | 107 ++++++++++++------ docs/docs/overrides/api.html | 2 +- docs/mkdocs.yml | 3 +- 3 files changed, 76 insertions(+), 36 deletions(-) diff --git a/docs/docs/documentation/getting-started/authentication/oidc.md b/docs/docs/documentation/getting-started/authentication/oidc.md index 55ee1c1b345..59c9f5a0a72 100644 --- a/docs/docs/documentation/getting-started/authentication/oidc.md +++ b/docs/docs/documentation/getting-started/authentication/oidc.md @@ -52,37 +52,76 @@ Follow the instructions in [Authelia's documentation](https://www.authelia.com/c This is only an example and not meant to be an exhaustive configuration. You should read through the documentation and adjust your configuration as needed. -```yaml -identity_providers: - oidc: - access_token_lifespan: 1h - authorize_code_lifespan: 1m - id_token_lifespan: 1h - refresh_token_lifespan: 90m - enable_client_debug_messages: false - enforce_pkce: public_clients_only - cors: - endpoints: - - authorization - - token - - revocation - - introspection - allowed_origins: - - https://mealie.example.com - allowed_origins_from_client_redirect_uris: false - clients: - - id: mealie - description: Mealie - authorization_policy: one_factor - redirect_uris: - - https://mealie.example.com/login - public: true - grant_types: - - authorization_code - scopes: - - openid - - profile - - groups - - email - - offline_access -``` +=== "v4.37" + + This configuration format has been deprecated in Authelia v4.38. It is still valid, however it will eventually be removed. + + ```yaml + identity_providers: + oidc: + access_token_lifespan: 1h + authorize_code_lifespan: 1m + id_token_lifespan: 1h + refresh_token_lifespan: 90m + enable_client_debug_messages: false + enforce_pkce: public_clients_only + cors: + endpoints: + - authorization + - token + - revocation + - introspection + allowed_origins: + - https://mealie.example.com + clients: + - id: mealie + description: Mealie + authorization_policy: one_factor + redirect_uris: + - https://mealie.example.com/login + public: true + grant_types: + - authorization_code + scopes: + - openid + - profile + - groups + - email + ``` + +=== "v4.38" + + The configuration in Authelia v4.38 has changed. Although the old configuration will still work, it is deprecated and will eventually be removed. + + ```yaml + identity_providers: + oidc: + jwks: + - key: {{ secret "/secrets/private_key_file" | mindent 10 "|" | msquote }} + enforce_pkce: public_clients_only + cors: + endpoints: + - userinfo + - authorization + - token + - revocation + - introspection + allowed_origins: + - https://mealie.example.com + allowed_origins_from_client_redirect_uris: false + clients: + - client_id: mealie + client_name: Mealie + authorization_policy: one_factor + redirect_uris: + - https://mealie.example.com/login + public: true + pkce_challenge_method: S256 + grant_types: + - authorization_code + scopes: + - openid + - profile + - groups + - email + ``` diff --git a/docs/docs/overrides/api.html b/docs/docs/overrides/api.html index 4198afcc606..2523f972259 100644 --- a/docs/docs/overrides/api.html +++ b/docs/docs/overrides/api.html @@ -14,7 +14,7 @@
diff --git a/docs/mkdocs.yml b/docs/mkdocs.yml index c10dcdce8c5..47b69cb448d 100644 --- a/docs/mkdocs.yml +++ b/docs/mkdocs.yml @@ -41,7 +41,8 @@ markdown_extensions: custom_checkbox: true - admonition - attr_list - - pymdownx.tabbed + - pymdownx.tabbed: + alternate_style: true - pymdownx.superfences: custom_fences: - name: mermaid From 9270e22f193c03f0441e1612dd1dc56803f282ad Mon Sep 17 00:00:00 2001 From: Carter Mintey Date: Sat, 16 Mar 2024 01:41:38 +0000 Subject: [PATCH 2/5] clarify docs --- .../docs/documentation/getting-started/authentication/oidc.md | 2 +- .../getting-started/installation/backend-config.md | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/docs/documentation/getting-started/authentication/oidc.md b/docs/docs/documentation/getting-started/authentication/oidc.md index 59c9f5a0a72..1d6a1686a52 100644 --- a/docs/docs/documentation/getting-started/authentication/oidc.md +++ b/docs/docs/documentation/getting-started/authentication/oidc.md @@ -13,7 +13,7 @@ Signing in with OAuth will automatically find your account in Mealie and link to ## Provider Setup -Before you can start using OIDC Authentication, you must first configure a new client application in your identity provider. Your identity provider must support the OAuth **Authorization Code** flow (with PKCE). The steps will vary by provider, but generally, the steps are as follows. +Before you can start using OIDC Authentication, you must first configure a new client application in your identity provider. Your identity provider must support the OAuth **Authorization Code flow with PKCE**. The steps will vary by provider, but generally, the steps are as follows. 1. Create a new client application - The Provider type should be OIDC or OAuth2 diff --git a/docs/docs/documentation/getting-started/installation/backend-config.md b/docs/docs/documentation/getting-started/installation/backend-config.md index 911b526fc3c..657b42e72bf 100644 --- a/docs/docs/documentation/getting-started/installation/backend-config.md +++ b/docs/docs/documentation/getting-started/installation/backend-config.md @@ -85,8 +85,8 @@ For usage, see [Usage - OpenID Connect](../authentication/oidc.md) | OIDC_SIGNUP_ENABLED | True | Enables new users to be created when signing in for the first time with OIDC | | OIDC_CONFIGURATION_URL | None | The URL to the OIDC configuration of your provider. This is usually something like https://auth.example.com/.well-known/openid-configuration | | OIDC_CLIENT_ID | None | The client id of your configured client in your provider | -| OIDC_USER_GROUP| None | If specified, this group must be present in the user's group claim in order to authenticate | -| OIDC_ADMIN_GROUP | None | If this group is present in the group claims, the user will be set as an admin | +| OIDC_USER_GROUP| None | If specified, only users belonging to this group will be able to successfully authenticate, regardless of the OIDC_ADMIN_GROUP | +| OIDC_ADMIN_GROUP | None | If specified, users belonging to this group will be made an admin | | OIDC_AUTO_REDIRECT | False | If `True`, then the login page will be bypassed an you will be sent directly to your Identity Provider. You can still get to the login page by adding `?direct=1` to the login URL | | OIDC_PROVIDER_NAME | OAuth | The provider name is shown in SSO login button. "Login with " | | OIDC_REMEMBER_ME | False | Because redirects bypass the login screen, you cant extend your session by clicking the "Remember Me" checkbox. By setting this value to true, a session will be extended as if "Remember Me" was checked | From d7bc1c75dacb054bad4bac5f16a7fd9ef627768b Mon Sep 17 00:00:00 2001 From: Carter Mintey Date: Sun, 17 Mar 2024 15:21:15 +0000 Subject: [PATCH 3/5] add redirect uri required for idps with rp-initiated logout --- .../getting-started/authentication/oidc.md | 10 +++++++--- docs/docs/overrides/api.html | 2 +- 2 files changed, 8 insertions(+), 4 deletions(-) diff --git a/docs/docs/documentation/getting-started/authentication/oidc.md b/docs/docs/documentation/getting-started/authentication/oidc.md index 1d6a1686a52..88c4488c92f 100644 --- a/docs/docs/documentation/getting-started/authentication/oidc.md +++ b/docs/docs/documentation/getting-started/authentication/oidc.md @@ -1,6 +1,6 @@ # OpenID Connect (OIDC) Authentication -Mealie supports 3rd party authentication via [OpenID Connect (OIDC)](https://openid.net/connect/), an identity layer built on top of OAuth2. OIDC is supported by many identity providers, including: +Mealie supports 3rd party authentication via [OpenID Connect (OIDC)](https://openid.net/connect/), an identity layer built on top of OAuth2. OIDC is supported by many Identity Providers (IdP), including: - [Authentik](https://goauthentik.io/integrations/sources/oauth/#openid-connect) - [Authelia](https://www.authelia.com/configuration/identity-providers/open-id-connect/) @@ -23,9 +23,13 @@ Before you can start using OIDC Authentication, you must first configure a new c 2. Configure redirect URI - The only redirect URI that is needed is `http(s)://DOMAIN:PORT/login` + The redirect URI(s) that are needed: - The redirect URI should include any URL that Mealie is accessible from. Some examples include + 1. `http(s)://DOMAIN:PORT/login` + 2. `https(s)://DOMAIN:PORT/login?direct=1` + 1. This URI is only required if your IdP supports [RP-Initiated Logout](https://openid.net/specs/openid-connect-rpinitiated-1_0.html) such as Keycloak. You may also be able to combine this into the previous URI by using a wildcard: `http(s)://DOMAIN:PORT/login*` + + The redirect URI(s) should include any URL that Mealie is accessible from. Some examples include http://localhost:9091/login https://mealie.example.com/login diff --git a/docs/docs/overrides/api.html b/docs/docs/overrides/api.html index 2523f972259..ae00bf6acc2 100644 --- a/docs/docs/overrides/api.html +++ b/docs/docs/overrides/api.html @@ -14,7 +14,7 @@
From e17b8b813cad5e195d2e260692836d9643f76c54 Mon Sep 17 00:00:00 2001 From: Carter Mintey Date: Mon, 18 Mar 2024 15:04:01 +0000 Subject: [PATCH 4/5] Remove examples from docs and link to GH discussions --- .../getting-started/authentication/oidc.md | 82 +------------------ docs/docs/overrides/api.html | 2 +- 2 files changed, 2 insertions(+), 82 deletions(-) diff --git a/docs/docs/documentation/getting-started/authentication/oidc.md b/docs/docs/documentation/getting-started/authentication/oidc.md index 88c4488c92f..ab31c12ff6a 100644 --- a/docs/docs/documentation/getting-started/authentication/oidc.md +++ b/docs/docs/documentation/getting-started/authentication/oidc.md @@ -48,84 +48,4 @@ Take the client id and your discovery URL and update your environment variables ## Examples -### Authelia - -Follow the instructions in [Authelia's documentation](https://www.authelia.com/configuration/identity-providers/open-id-connect/). Below is an example config. - -!!! warning - - This is only an example and not meant to be an exhaustive configuration. You should read through the documentation and adjust your configuration as needed. - -=== "v4.37" - - This configuration format has been deprecated in Authelia v4.38. It is still valid, however it will eventually be removed. - - ```yaml - identity_providers: - oidc: - access_token_lifespan: 1h - authorize_code_lifespan: 1m - id_token_lifespan: 1h - refresh_token_lifespan: 90m - enable_client_debug_messages: false - enforce_pkce: public_clients_only - cors: - endpoints: - - authorization - - token - - revocation - - introspection - allowed_origins: - - https://mealie.example.com - clients: - - id: mealie - description: Mealie - authorization_policy: one_factor - redirect_uris: - - https://mealie.example.com/login - public: true - grant_types: - - authorization_code - scopes: - - openid - - profile - - groups - - email - ``` - -=== "v4.38" - - The configuration in Authelia v4.38 has changed. Although the old configuration will still work, it is deprecated and will eventually be removed. - - ```yaml - identity_providers: - oidc: - jwks: - - key: {{ secret "/secrets/private_key_file" | mindent 10 "|" | msquote }} - enforce_pkce: public_clients_only - cors: - endpoints: - - userinfo - - authorization - - token - - revocation - - introspection - allowed_origins: - - https://mealie.example.com - allowed_origins_from_client_redirect_uris: false - clients: - - client_id: mealie - client_name: Mealie - authorization_policy: one_factor - redirect_uris: - - https://mealie.example.com/login - public: true - pkce_challenge_method: S256 - grant_types: - - authorization_code - scopes: - - openid - - profile - - groups - - email - ``` +Example configurations for several Identity Providers have been provided by the Community in the [GitHub Discussions](https://github.com/mealie-recipes/mealie/discussions?discussions_q=is%3Aopen+OAuth+setup). If you don't see your provider and have successfully set it up, please consider creating your own post so that others can have a smoother setup. diff --git a/docs/docs/overrides/api.html b/docs/docs/overrides/api.html index ae00bf6acc2..542d50c80d7 100644 --- a/docs/docs/overrides/api.html +++ b/docs/docs/overrides/api.html @@ -14,7 +14,7 @@
From 370da5aee33cd2d882674af03ccdb2b21720b0f5 Mon Sep 17 00:00:00 2001 From: Carter Mintey Date: Tue, 19 Mar 2024 01:06:45 +0000 Subject: [PATCH 5/5] update links --- .../docs/documentation/getting-started/authentication/oidc.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/docs/docs/documentation/getting-started/authentication/oidc.md b/docs/docs/documentation/getting-started/authentication/oidc.md index ab31c12ff6a..fc8764ffe87 100644 --- a/docs/docs/documentation/getting-started/authentication/oidc.md +++ b/docs/docs/documentation/getting-started/authentication/oidc.md @@ -48,4 +48,6 @@ Take the client id and your discovery URL and update your environment variables ## Examples -Example configurations for several Identity Providers have been provided by the Community in the [GitHub Discussions](https://github.com/mealie-recipes/mealie/discussions?discussions_q=is%3Aopen+OAuth+setup). If you don't see your provider and have successfully set it up, please consider creating your own post so that others can have a smoother setup. +Example configurations for several Identity Providers have been provided by the Community in the [GitHub Discussions](https://github.com/mealie-recipes/mealie/discussions/categories/oauth-provider-example). + +If you don't see your provider and have successfully set it up, please consider [creating your own example](https://github.com/mealie-recipes/mealie/discussions/new?category=oauth-provider-example) so that others can have a smoother setup.