Add OIDC #374
Conversation
@onedr0p I've just started with GitHub provider for now to flesh out the approach - then I'll adjust to suit generic identity provider i.e. Authelia, Authentik etc

- OAUTH_CLIENT_SECRET=someClientSecret
- OAUTH_REDIRECT_URI=http://localhost:4000/auth/authentik/callback
- OAUTH_USER_URL=http://server-authentik:9000/application/o/userinfo/
@onedr0p Example environment variables for configuring oauth.
Looks good so far.
if user = MediaServer.Accounts.get_user_by_email(get_user!(provider, client).email) do
  MediaServerWeb.UserAuth.log_in_user(conn, user)
end
Thoughts on this? Here it gets a user registered in the Midarr database that matches the email returned by Authentik, then logs them in.
What's your take on this, and the auth flow?
If a user returned by Authentik doesn't exist in Midarr - register them, then log them in?
I wouldn't auto-create users since the source of truth is the OIDC provider, meaning to say they would need to be added to the OIDC provider first and if they aren't an existing user they cannot login. Deny by default.
I was thinking oauth / OIDC provider would be an optional alternative, with Midarr still the source of truth for user auth. There would need to be some level of user mapping to support both options.
For now just to keep moving forward - I'll go with the logic as above (user must exist in Midarr and OIDC provider to login).
We can continue to improve the flow in future iterations 😄
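The rule settled on in this thread (the OIDC provider vouches for identity, but only an account that already exists in Midarr may log in, and nobody is auto-created) written out as an added Elixir example. This is not code from the PR or from the Midarr project: `OidcLogin`, `authorize/2`, `demo/0` and the `lookup` callback are illustrative names, with `lookup` standing in for the project's `MediaServer.Accounts.get_user_by_email/1`; the sample userinfo maps and addresses are constructed.

```elixir
# Added example, not Midarr's code. Deny-by-default mapping of an OIDC userinfo
# response onto an existing local account. Assumed names: `lookup` stands in for
# MediaServer.Accounts.get_user_by_email/1; module and function names are illustrative.
defmodule OidcLogin do
  @doc """
  `userinfo` is the decoded JSON map returned by the provider's userinfo endpoint.
  `lookup` is a 1-arity function from an email address to a user map/struct, or nil.

  Returns `{:ok, user}` or `{:error, reason}`; every error path means "deny".
  """
  def authorize(userinfo, lookup) when is_map(userinfo) and is_function(lookup, 1) do
    with {:ok, email} <- fetch_email(userinfo),
         :ok <- check_verified(userinfo),
         %{} = user <- lookup.(email) || {:error, :not_registered} do
      {:ok, user}
    end
  end

  # Normalise the address so "Alice@Example.com" matches the stored "alice@example.com".
  defp fetch_email(%{"email" => email}) when is_binary(email) and email != "",
    do: {:ok, email |> String.trim() |> String.downcase()}

  defp fetch_email(_), do: {:error, :missing_email}

  # `email_verified` is a standard OIDC claim. A missing or false value is treated as
  # unverified: matching on an address the provider never confirmed would let one
  # provider account be mapped onto a different person's local account.
  defp check_verified(%{"email_verified" => true}), do: :ok
  defp check_verified(_), do: {:error, :unverified_email}

  @doc "Runs three constructed cases against a lookup that knows only alice."
  def demo do
    # Constructed stand-in for the database lookup.
    lookup = fn
      "alice@example.com" -> %{id: 1, email: "alice@example.com"}
      _other -> nil
    end

    [
      # registered, verified address with different casing
      authorize(%{"email" => "Alice@Example.com", "email_verified" => true}, lookup),
      # verified at the provider but unknown locally
      authorize(%{"email" => "mallory@example.com", "email_verified" => true}, lookup),
      # registered locally but the provider did not assert email_verified
      authorize(%{"email" => "alice@example.com"}, lookup)
    ]
  end
end
```

`demo/0` returns `{:ok, ...}` for the first case and `{:error, :not_registered}` and `{:error, :unverified_email}` for the other two. In a controller this sits where the `if user = ...` snippet above is: on `{:ok, user}` call `MediaServerWeb.UserAuth.log_in_user(conn, user)`, and on any `{:error, _}` redirect with one generic "sign-in failed" message rather than a reason, so the response does not reveal which addresses are registered.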
I meant to comment and say pretty much that. 😅
@onedr0p - here's a first pass build on oauth. Please give it a run through, and let me know how it goes 😄
OAUTH_ISSUER_URL=http://localhost:9000
OAUTH_AUTHORIZE_URL=http://localhost:9000/application/o/authorize/
OAUTH_TOKEN_URL=http://server-authentik:9000/application/o/token/
OAUTH_CLIENT_ID=someClientId
OAUTH_CLIENT_SECRET=someClientSecret
OAUTH_REDIRECT_URI=http://localhost:4000/auth/authentik/callback
OAUTH_USER_URL=http://server-authentik:9000/application/o/userinfo/
@trueChazza oauth is generic and doesn't matter if it is (for example) authelia/authentik, so your provider should probably be called oauth generic/custom. Take a look at the grafana docs on how they allow people to configure this... Also it might be helpful to look at the docs on Authelia and see how they allow you to configure applications to use OIDC, on the left you can choose an app to see more how it is configured... e.g. BookStack or the many other examples on there like grafana https://www.authelia.com/integration/openid-connect/introduction/
Awesome thank you for this!
# Conflicts: # lib/media_server_web/components/footer_component.html.heex
# Conflicts: # mix.lock
Add OIDC