From 262dd2b28f863ae7d83e1bc0c886418b2ea07f31 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Sascha=20I=C3=9Fbr=C3=BCcker?= Date: Mon, 18 Mar 2024 22:41:25 +0100 Subject: [PATCH] Update OIDC configuration defaults --- docs/Options.md | 20 ++++++++++---------- siteroot/settings/base.py | 8 ++++---- 2 files changed, 14 insertions(+), 14 deletions(-) diff --git a/docs/Options.md b/docs/Options.md index 4fd8e0c..c365fb4 100644 --- a/docs/Options.md +++ b/docs/Options.md @@ -103,21 +103,21 @@ When enabled, this shows a button on the login page that allows users to authent Users are associated by the email address provided from the OIDC provider, which is used as the username in linkding. If there is no user with that email address as username, a new user is created automatically. -This requires configuring a number of other options, which of those you need depends on which OIDC provider you use and how it is configured. +This requires configuring a number of options, which of those you need depends on which OIDC provider you use and how it is configured. In general, you should find the required information in the UI of your OIDC provider, or its documentation. The options are adopted from the [mozilla-django-oidc](https://mozilla-django-oidc.readthedocs.io/en/stable/) library, which is used by linkding for OIDC support. Please check their documentation for more information on the options. -The following options are available: -- `OIDC_RP_CLIENT_ID` - Required. The client ID of your linkding instance in the OIDC provider. -- `OIDC_OP_AUTHORIZATION_ENDPOINT` - Required. The authorization endpoint of the OIDC provider. -- `OIDC_OP_TOKEN_ENDPOINT` - Required. The token endpoint of the OIDC provider. -- `OIDC_OP_USER_ENDPOINT` - Required. The user info endpoint of the OIDC provider. -- `OIDC_USE_PKCE` - Optional. Whether to use PKCE for the OIDC flow. Default is `True`. If you leave this enabled you should configure your OIDC provider to use the PKCE flow as well. You need to disable this if you want to use an authentication flow with a client secret. -- `OIDC_RP_CLIENT_SECRET` - Optional. The client secret of the OIDC application. You need to disable PKCE if you want to use a client secret. -- `OIDC_RP_SIGN_ALGO` - Optional. The signing algorithm to use for the OIDC flow. Default is `HS256`. -- `OIDC_OP_JWKS_ENDPOINT` - Optional. The JWKS endpoint of the OIDC provider. +The following options can be configured: +- `OIDC_OP_AUTHORIZATION_ENDPOINT` - The authorization endpoint of the OIDC provider. +- `OIDC_OP_TOKEN_ENDPOINT` - The token endpoint of the OIDC provider. +- `OIDC_OP_USER_ENDPOINT` - The user info endpoint of the OIDC provider. +- `OIDC_OP_JWKS_ENDPOINT` - The JWKS endpoint of the OIDC provider. +- `OIDC_RP_CLIENT_ID` - The client ID of the application. +- `OIDC_RP_CLIENT_SECRET` - The client secret of the application. +- `OIDC_RP_SIGN_ALGO` - The algorithm the OIDC provider uses to sign ID tokens. Default is `RS256`. +- `OIDC_USE_PKCE` - Whether to use PKCE for the OIDC flow. Default is `True`. ### `LD_CSRF_TRUSTED_ORIGINS` diff --git a/siteroot/settings/base.py b/siteroot/settings/base.py index c072392..fa0145b 100644 --- a/siteroot/settings/base.py +++ b/siteroot/settings/base.py @@ -190,14 +190,14 @@ if LD_ENABLE_OIDC: AUTHENTICATION_BACKENDS.append("mozilla_django_oidc.auth.OIDCAuthenticationBackend") OIDC_USERNAME_ALGO = "bookmarks.utils.generate_username" - OIDC_RP_CLIENT_ID = os.getenv("OIDC_RP_CLIENT_ID") OIDC_OP_AUTHORIZATION_ENDPOINT = os.getenv("OIDC_OP_AUTHORIZATION_ENDPOINT") OIDC_OP_TOKEN_ENDPOINT = os.getenv("OIDC_OP_TOKEN_ENDPOINT") OIDC_OP_USER_ENDPOINT = os.getenv("OIDC_OP_USER_ENDPOINT") - OIDC_USE_PKCE = os.getenv("OIDC_USE_PKCE", True) in (True, "True", "1") - OIDC_RP_CLIENT_SECRET = os.getenv("OIDC_RP_CLIENT_SECRET") - OIDC_RP_SIGN_ALGO = os.getenv("OIDC_RP_SIGN_ALGO", "HS256") OIDC_OP_JWKS_ENDPOINT = os.getenv("OIDC_OP_JWKS_ENDPOINT") + OIDC_RP_CLIENT_ID = os.getenv("OIDC_RP_CLIENT_ID") + OIDC_RP_CLIENT_SECRET = os.getenv("OIDC_RP_CLIENT_SECRET") + OIDC_RP_SIGN_ALGO = os.getenv("OIDC_RP_SIGN_ALGO", "RS256") + OIDC_USE_PKCE = os.getenv("OIDC_USE_PKCE", True) in (True, "True", "1") # Enable authentication proxy support if configured LD_ENABLE_AUTH_PROXY = os.getenv("LD_ENABLE_AUTH_PROXY", False) in (True, "True", "1")