Add OIDC #374
Add OIDC #374
Conversation
|
@onedr0p I've just started with GitHub provider for now to flesh out the approach - then I'll adjust to suit generic identity provider i.e. Authelia, Authentik etc |
| - OAUTH_CLIENT_SECRET=someClientSecret | ||
| - OAUTH_REDIRECT_URI=http://localhost:4000/auth/authentik/callback | ||
| - OAUTH_USER_URL=http://server-authentik:9000/application/o/userinfo/ | ||
|
|
There was a problem hiding this comment.
@onedr0p Example environment variables for configuring oauth.
| if user = MediaServer.Accounts.get_user_by_email(get_user!(provider, client).email) do | ||
|
|
||
| MediaServerWeb.UserAuth.log_in_user(conn, user) | ||
| end |
There was a problem hiding this comment.
Thoughts on this? Here it gets a user registered in the Midarr database that matches the email returned by Authentik, then logs them in.
What's your take on this, and the auth flow?
If a user returned by Authentik doesn't exist in Midarr - register them, then log them in?
There was a problem hiding this comment.
I wouldn't auto-create users since the source of truth is the OIDC provider, meaning to say they would need to be added to the OIDC provider first and if they aren't an existing user they cannot login. Deny by default.
There was a problem hiding this comment.
I was thinking oauth / OIDC provider would be an optional alternative, with Midarr still the source of truth for user auth. There would need to be some level of user mapping to support both options.
There was a problem hiding this comment.
For now just to keep moving forward - I'll go with the logic as above (user must exist in Midarr and OIDC provider to login).
We can continue to improve the flow in future iterations 😄
There was a problem hiding this comment.
I meant to comment and say pretty much that. 😅
|
@onedr0p - here's a first pass build on oauth. Please give it a run through, and let me know how it goes 😄
OAUTH_ISSUER_URL=http://localhost:9000
OAUTH_AUTHORIZE_URL=http://localhost:9000/application/o/authorize/
OAUTH_TOKEN_URL=http://server-authentik:9000/application/o/token/
OAUTH_CLIENT_ID=someClientId
OAUTH_CLIENT_SECRET=someClientSecret
OAUTH_REDIRECT_URI=http://localhost:4000/auth/authentik/callback
OAUTH_USER_URL=http://server-authentik:9000/application/o/userinfo/ |
|
@trueChazza oauth is generic and doesn't matter if it is (for example) authelia/authentik, so your provider should probably be called oauth generic/custom. Take a look at the grafana docs on how they allow people to configure this... Also it might be helpful to look at the docs on Authelia and see how they allow you to configure applications to use OIDC, on the left you can choose an app to see more how it is configured... e.g. BookStack or the many other examples on there like grafana https://www.authelia.com/integration/openid-connect/introduction/ |
Awesome thank you for this! |
# Conflicts: # lib/media_server_web/components/footer_component.html.heex
# Conflicts: # mix.lock
Add OIDC