forked from mealie-recipes/mealie
feat: Login with OAuth via OpenID Connect (OIDC) (mealie-recipes#3280)
* initial oidc implementation
* add dynamic scheme
* e2e test setup
* add caching
* fix
* try this
* add libldap-2.5 to runtime dependencies (mealie-recipes#2849)
* New translations en-us.json (Norwegian) (mealie-recipes#2851)
* New Crowdin updates (mealie-recipes#2855)
* New translations en-us.json (Italian)
* New translations en-us.json (Norwegian)
* New translations en-us.json (Portuguese)
* fix
* remove cache
* cache yarn deps
* cache docker image
* cleanup action
* lint
* fix tests
* remove not needed variables
* run code gen
* fix tests
* add docs
* move code into custom scheme
* remove unneeded type
* fix oidc admin
* add more tests
* add better spacing on login page
* create auth providers
* clean up testing stuff
* type fixes
* add OIDC auth method to postgres enum
* add option to bypass login screen and go directly to IdP
* remove check so we can fall back to another auth method if oauth fails
* Add provider name to be shown at the login screen
* add new properties to admin about api
* fix spec
* add a prompt to change auth method when changing password
* Create new auth section. Add more info on auth methods
* update docs
* run ruff
* update docs
* format
* docs gen
* formatting
* initialize logger in class
* mypy type fixes
* docs gen
* add models to get proper fields in docs and fix serialization
* validate id token before using it
* only request a mealie token on initial callback
* remove unused method
* fix unit tests
* docs gen
* check for valid idToken before getting token
* add iss to mealie token
* check to see if we already have a mealie token before getting one
* fix lock file
* update authlib
* update lock file
* add remember me environment variable
* add user group setting to allow only certain groups to log in

--------

Co-authored-by: Carter Mintey <[email protected]>
Co-authored-by: Carter <[email protected]>
1 parent bea1a59, commit 5f6844e. Showing 53 changed files with 1,532 additions and 399 deletions.
@@ -0,0 +1,46 @@ | ||
name: E2E Tests | ||
on: | ||
pull_request: | ||
branches: | ||
- mealie-next | ||
jobs: | ||
test: | ||
timeout-minutes: 60 | ||
runs-on: ubuntu-latest | ||
defaults: | ||
run: | ||
working-directory: ./tests/e2e | ||
steps: | ||
- uses: actions/checkout@v3 | ||
- uses: actions/setup-node@v3 | ||
with: | ||
node-version: 18 | ||
cache: 'yarn' | ||
cache-dependency-path: ./tests/e2e/yarn.lock | ||
- name: Set up Docker Buildx | ||
uses: docker/setup-buildx-action@v3 | ||
- name: Build Image | ||
uses: docker/build-push-action@v5 | ||
with: | ||
file: ./docker/Dockerfile | ||
context: . | ||
push: false | ||
load: true | ||
tags: mealie:e2e | ||
cache-from: type=gha | ||
cache-to: type=gha,mode=max | ||
- name: Deploy E2E Test Environment | ||
run: docker compose up -d | ||
working-directory: ./tests/e2e/docker | ||
- name: Install dependencies | ||
run: npm install -g yarn && yarn | ||
- name: Install Playwright Browsers | ||
run: yarn playwright install --with-deps | ||
- name: Check test environment | ||
run: docker ps | ||
- name: Run Playwright tests | ||
run: yarn playwright test | ||
- name: Destroy Test Environment | ||
if: always() | ||
run: docker compose down --volumes | ||
working-directory: ./tests/e2e/docker |
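Review bot: the workflow declares no `permissions:` block, so the job runs with the repository's default `GITHUB_TOKEN` scope even though nothing here needs more than `contents: read`; add a top-level `permissions: contents: read` before the `jobs:` key. Two smaller points in the same hunk: `run: npm install -g yarn && yarn` installs without `--frozen-lockfile`, so a drifted `./tests/e2e/yarn.lock` (the same file the setup-node cache is keyed on via `cache-dependency-path`) is silently rewritten instead of failing the run, and `actions/checkout@v3`, `actions/setup-node@v3`, `docker/setup-buildx-action@v3` and `docker/build-push-action@v5` are pinned to floating major tags rather than commit SHAs, which is the usual supply-chain hardening for a workflow that builds and runs a Docker image on every `pull_request`.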
alembic/versions/2024-03-10-05.08.32_09aba125b57a_add_oidc_auth_method.py (31 additions & 0 deletions)
@@ -0,0 +1,31 @@ | ||
"""add OIDC auth method | ||
Revision ID: 09aba125b57a | ||
Revises: 2298bb460ffd | ||
Create Date: 2024-03-10 05:08:32.397027 | ||
""" | ||
|
||
import sqlalchemy as sa | ||
|
||
import mealie.db.migration_types | ||
from alembic import op | ||
|
||
# revision identifiers, used by Alembic. | ||
revision = "09aba125b57a" | ||
down_revision = "2298bb460ffd" | ||
branch_labels = None | ||
depends_on = None | ||
|
||
|
||
def is_postgres(): | ||
return op.get_context().dialect.name == "postgresql" | ||
|
||
|
||
def upgrade(): | ||
if is_postgres(): | ||
op.execute("ALTER TYPE authmethod ADD VALUE 'OIDC'") | ||
|
||
|
||
def downgrade(): | ||
pass |
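Review bot: `op.execute("ALTER TYPE authmethod ADD VALUE 'OIDC'")` runs inside the transaction Alembic opens for the migration, and on PostgreSQL releases before 12 `ALTER TYPE ... ADD VALUE` cannot run inside a transaction block, so the upgrade fails there; wrap the statement in `with op.get_context().autocommit_block():` as the Alembic docs recommend for enum additions, and consider `ADD VALUE IF NOT EXISTS 'OIDC'` so a re-run is idempotent. `downgrade()` being `pass` is defensible because PostgreSQL cannot drop an enum value, but that reason belongs in a comment or docstring so the next reader does not take it for an omission, and it is worth noting that rows already set to `OIDC` would keep that value after a downgrade.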
File renamed without changes.
docs/docs/documentation/getting-started/authentication/oidc.md (88 additions & 0 deletions)
@@ -0,0 +1,88 @@ | ||
# OpenID Connect (OIDC) Authentication | ||
|
||
Mealie supports 3rd party authentication via [OpenID Connect (OIDC)](https://openid.net/connect/), an identity layer built on top of OAuth2. OIDC is supported by many identity providers, including: | ||
|
||
- [Authentik](https://goauthentik.io/integrations/sources/oauth/#openid-connect) | ||
- [Authelia](https://www.authelia.com/configuration/identity-providers/open-id-connect/) | ||
- [Keycloak](https://www.keycloak.org/docs/latest/securing_apps/#_oidc) | ||
- [Okta](https://www.okta.com/openid-connect/) | ||
|
||
## Account Linking | ||
|
||
Signing in with OAuth will automatically find your account in Mealie and link to it. If a user does not exist in Mealie, then one will be created (if enabled), but will be unable to log in with any other authentication method. An admin can configure another authentication method for such a user. | ||
|
||
## Provider Setup | ||
|
||
Before you can start using OIDC Authentication, you must first configure a new client application in your identity provider. Your identity provider must support the OAuth **Authorization Code** flow (with PKCE). The steps will vary by provider, but generally, the steps are as follows. | ||
|
||
1. Create a new client application | ||
- The Provider type should be OIDC or OAuth2 | ||
- The Grant type should be `Authorization Code` | ||
- The Application type should be `Web` | ||
- The Client type should be `public` | ||
|
||
2. Configure redirect URI | ||
|
||
The only redirect URI that is needed is `http(s):https://DOMAIN:PORT/login` | ||
|
||
The redirect URI should include any URL that Mealie is accessible from. Some examples include | ||
|
||
https://localhost:9091/login | ||
https://mealie.example.com/login | ||
|
||
3. Configure origins | ||
|
||
If your identity provider enforces CORS on any endpoints, you will need to specify your Mealie URL as an Allowed Origin. | ||
|
||
4. Configure allowed scopes | ||
|
||
The scopes required are `openid profile email groups` | ||
|
||
## Mealie Setup | ||
|
||
Take the client id and your discovery URL and update your environment variables to include the required OIDC variables described in [Installation - Backend Configuration](../installation/backend-config.md#openid-connect-oidc) | ||
|
||
## Examples | ||
|
||
### Authelia | ||
|
||
Follow the instructions in [Authelia's documentation](https://www.authelia.com/configuration/identity-providers/open-id-connect/). Below is an example config | ||
|
||
!!! warning | ||
|
||
This is only an example and not meant to be an exhaustive configuration. You should read read through the documentation and adjust your configuration as needed. | ||
|
||
```yaml | ||
identity_providers: | ||
oidc: | ||
access_token_lifespan: 1h | ||
authorize_code_lifespan: 1m | ||
id_token_lifespan: 1h | ||
refresh_token_lifespan: 90m | ||
enable_client_debug_messages: false | ||
enforce_pkce: public_clients_only | ||
cors: | ||
endpoints: | ||
- authorization | ||
- token | ||
- revocation | ||
- introspection | ||
allowed_origins: | ||
- https://mealie.example.com | ||
allowed_origins_from_client_redirect_uris: false | ||
clients: | ||
- id: mealie | ||
description: Mealie | ||
authorization_policy: one_factor | ||
redirect_uris: | ||
- https://mealie.example.com/login | ||
public: true | ||
grant_types: | ||
- authorization_code | ||
scopes: | ||
- openid | ||
- profile | ||
- groups | ||
- offline_access | ||
``` |
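Review bot: the redirect URI template `http(s):https://DOMAIN:PORT/login` under "Configure redirect URI" is malformed (a scheme prefix pasted onto a full URL) and should read `http(s)://DOMAIN:PORT/login`, consistent with the two examples that follow. The scope list is also inconsistent within the file: "Configure allowed scopes" requires `openid profile email groups`, but the Authelia example grants `openid`, `profile`, `groups` and `offline_access`, omitting `email`; either the prose or the example should change so a reader copying the example does not end up without the claim Mealie needs. Since step 1 says the client type should be `public` (no client secret), the document should state explicitly that the provider must enforce PKCE for this client, which the example does via `enforce_pkce: public_clients_only` but the prose only mentions in passing. Minor: "read read through" in the warning box is a duplicated word.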
docs/docs/documentation/getting-started/usage/permissions-and-public-access.md (1 addition & 1 deletion)