From 715d5fdb85d60a250f7959b57cf7a8912588e8a6 Mon Sep 17 00:00:00 2001
From: Kevin Veen-Birkenbach
Date: Mon, 7 Apr 2025 13:18:52 +0200
Subject: [PATCH] Optimized OIDC integration for mailu
---
 group_vars/all/07_applications.yml | 22 +++++++++--------
 group_vars/all/11_iam.yml | 4 ++++
 roles/docker-bigbluebutton/handlers/main.yml | 3 ++-
 .../templates/import/realm.json.j2 | 2 +-
 roles/docker-mailu/templates/env.j2 | 24 ++++++++++++++++---
 roles/docker-mastodon/templates/env.j2 | 6 +++--
 .../templates/synapse/homeserver.yaml.j2 | 2 +-
 .../templates/config/oidc.config.php.j2 | 2 +-
 roles/docker-taiga/templates/env.j2 | 8 +++++--
 .../templates/global.css.j2 | 6 ++++-
 10 files changed, 57 insertions(+), 22 deletions(-)
diff --git a/group_vars/all/07_applications.yml b/group_vars/all/07_applications.yml
index 84ff4dcc..100008df 100644
--- a/group_vars/all/07_applications.yml
+++ b/group_vars/all/07_applications.yml
@@ -105,14 +105,14 @@ defaults_applications: ## Discourse: discourse: - network: "discourse_default" # Name of the docker network - container: "discourse_application" # Name of the container application - repository: "discourse_repository" # Name of the repository folder + network: "discourse_default" # Name of the docker network + container: "discourse_application" # Name of the container application + repository: "discourse_repository" # Name of the repository folder # database_password: # Needs to be defined in inventory file oidc: - enabled: true # Activate OIDC + enabled: true # Activate OIDC database: - central_storage: True # Activate Central Database Storage + central_storage: True # Activate Central Database Storage matomo_tracking_enabled: "{{matomo_tracking_enabled_default}}" # Enables\Disables Matomo Tracking css_enabled: "{{css_enabled_default}}" # Enables\Disables Global CSS Style landingpage_iframe_enabled: "{{landingpage_iframe_enabled_default}}" # Enables\Disables the possibility to embed this on landing page via iframe
@@ -131,7 +131,7 @@ defaults_applications: ## Friendica friendica: - version: "latest" + version: "latest" oidc: enabled: true # Activate OIDC. Plugin is not working yet database:
@@ -267,6 +267,8 @@ defaults_applications: setup: false # Set true in inventory file to execute the setup and initializing procedures oidc: enabled: true # Activate OIDC for Mailu + email_by_username: true # If true, then the mail is set by the username. If wrong then the OIDC user email is used + enable_user_creation: true # Users will be created if not existing domain: "{{primary_domain}}" # The main domain from which mails will be send \ email suffix behind @ # I don't know why the database deactivation is necessary database:
@@ -276,9 +278,9 @@ defaults_applications: # database_password: # Needs to be set in inventory file # api_token: # Configures the authentication token. The minimum length is 3 characters. This is a mandatory setting for using the RESTful API. # initial_administrator_password: # Initial administrator password for setup - matomo_tracking_enabled: "{{matomo_tracking_enabled_default}}" # Enables\Disables Matomo Tracking - css_enabled: "{{css_enabled_default}}" # Enables\Disables Global CSS Style - landingpage_iframe_enabled: true # Default enabled because working well in iframe + matomo_tracking_enabled: "{{matomo_tracking_enabled_default}}" # Enables\Disables Matomo Tracking + css_enabled: "{{css_enabled_default}}" # Enables\Disables Global CSS Style + landingpage_iframe_enabled: true # Default enabled because working well in iframe ## MariaDB mariadb:
@@ -718,7 +720,7 @@ defaults_applications: # - https://community.taiga.io/t/taiga-and-oidc-plugin/4866 # # Due to this reason this plutin is deactivated atm - enabled: False # De\Activate OIDC for Taiga + enabled: True # De\Activate OIDC for Taiga ## YOURLS
diff --git a/group_vars/all/11_iam.yml b/group_vars/all/11_iam.yml
index 80954eb8..c314e988 100644
--- a/group_vars/all/11_iam.yml
+++ b/group_vars/all/11_iam.yml
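Review bot: `email_by_username` is introduced in the Mailu defaults with a comment promising that the mail address is derived from the username, yet nothing in this patch reads it — roles/docker-mailu/templates/env.j2 builds the address from `OIDC_USERNAME_CLAIM` and `OIDC_USER_DOMAIN` instead — so it is dead configuration that will mislead whoever tunes it; either drop the key or have env.j2 consume it. `enable_user_creation: true` auto-provisions a mailbox for every identity the IdP accepts, which is a stronger statement than "Users will be created if not existing"; suggest `# Auto-create a mailbox on first OIDC login; who may log in is then decided solely by the IdP client (roles/groups)`. Also `If wrong then` in the first comment presumably means `If false then`.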
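Review bot: `enabled: True` for Taiga contradicts the comment directly above it, which still says the Taiga OIDC plugin "is deactivated atm" for the linked reasons; update or remove that comment in the same change so the file does not document the opposite of what it configures. Elsewhere in this file booleans are lowercase (`enabled: true` for Discourse, Friendica and Mailu), so prefer `enabled: true # De\Activate OIDC for Taiga` and avoid the YAML 1.1 `True` spelling. Turning this on also makes the still-commented `OPENID_FILTER` in roles/docker-taiga/templates/env.j2 the only restriction on who can log into Taiga, which deserves a mention here or in the commit message.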
@@ -24,6 +24,10 @@ defaults_oidc: logout_url: "{{_oidc_client_issuer_url}}/protocol/openid-connect/logout" # Endpoint to log out the user change_credentials: "{{_oidc_client_issuer_url}}account/account-security/signing-in" # URL for managing or changing user credentials button_text: "SSO Login({{primary_domain | upper}})" # Default button text + attributes: + # Attribut to identify the user + username: "preferred_username" + ############################################# ### LDAP ### #############################################
diff --git a/roles/docker-bigbluebutton/handlers/main.yml b/roles/docker-bigbluebutton/handlers/main.yml
index 065ffcd2..3f3d7441 100644
--- a/roles/docker-bigbluebutton/handlers/main.yml
+++ b/roles/docker-bigbluebutton/handlers/main.yml
@@ -62,8 +62,9 @@ greenlight: redis: coturn: - #freeswitch: + freeswitch: bigbluebutton: + mediasoup marker: "# {mark} ANSIBLE MANAGED BLOCK FOR VOLUMES" insertbefore: "^services:" listen: setup bigbluebutton
diff --git a/roles/docker-keycloak/templates/import/realm.json.j2 b/roles/docker-keycloak/templates/import/realm.json.j2
index adcff45c..5425b2db 100644
--- a/roles/docker-keycloak/templates/import/realm.json.j2
+++ b/roles/docker-keycloak/templates/import/realm.json.j2
@@ -1499,7 +1499,7 @@ "user.attribute": "username", "id.token.claim": "true", "access.token.claim": "true", - "claim.name": "preferred_username", + "claim.name": "{{oidc.attributes.username}}", "jsonType.label": "String" } },
diff --git a/roles/docker-mailu/templates/env.j2 b/roles/docker-mailu/templates/env.j2
index 92ce4213..19c2909e 100644
--- a/roles/docker-mailu/templates/env.j2
+++ b/roles/docker-mailu/templates/env.j2
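Review bot: `attributes.username` now feeds the Keycloak mapper's `claim.name` as well as the Mastodon, Synapse, Nextcloud, Taiga and Mailu username settings in this patch, so it is both the claim the IdP emits and the identity key every consumer stores; `# Attribut to identify the user` undersells that. Suggest `# OIDC claim emitted by the Keycloak realm mapper and used as the login/identity field by all consuming roles; changing it after users exist re-keys their accounts` (and `Attribut` → `Attribute`). Unrelated to this change but visible in the context: `change_credentials` concatenates `{{_oidc_client_issuer_url}}account/...` without a `/`, whereas `logout_url` uses `{{_oidc_client_issuer_url}}/protocol/...`; one of the two is presumably wrong depending on whether the issuer URL ends with a slash.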
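Review bot: The added `mediasoup` entry in the bigbluebutton handler lacks the trailing colon every sibling in the block has (`greenlight:`, `redis:`, `coturn:`, `freeswitch:`, `bigbluebutton:`), so it should read `mediasoup:`. Judging by the marker `ANSIBLE MANAGED BLOCK FOR VOLUMES` and `insertbefore: "^services:"`, this text is spliced into the compose file's `volumes:` mapping, where a bare scalar following `bigbluebutton:` at the same indentation is a parse error on most YAML loaders rather than a sixth volume. The `block:` key and the rest of this task start before the hunk, so the exact indentation cannot be checked here.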
@@ -159,20 +159,38 @@ AUTH_REQUIRE_TOKENS=True # Enable OpenID Connect. Possible values: True, False OIDC_ENABLED={{ applications[application_id].oidc.enabled | string | capitalize }} + # OpenID Connect provider configuration URL OIDC_PROVIDER_INFO_URL={{oidc.client.issuer_url}} -# OpenID redirect URL if HOSTNAME not matching your login url -OIDC_REDIRECT_URL=https://{{domains[application_id]}} + + # OpenID Connect Client ID for Mailu OIDC_CLIENT_ID={{oidc.client.id}} + # OpenID Connect Client secret for Mailu OIDC_CLIENT_SECRET={{oidc.client.secret}} + # Label text for OpenID Connect login button. Default: OpenID Connect -OIDC_BUTTON_NAME=OpenID Connect +OIDC_BUTTON_NAME={{oidc.button_text}} + # Disable TLS certificate verification for the OIDC client. Possible values: True, False OIDC_VERIFY_SSL=True + # Enable redirect to OIDC provider for password change. Possible values: True, False OIDC_CHANGE_PASSWORD_REDIRECT_ENABLED=True + # Redirect URL for password change. Defaults to provider issuer url appended by /.well-known/change-password OIDC_CHANGE_PASSWORD_REDIRECT_URL={{oidc.client.change_credentials}} + +{% if applications[application_id].oidc.enabled | bool %} + +# The OIDC claim used as the username. If the selected claim contains an email address, it will be used as is. If it is not an email (e.g., sub), the email address will be constructed as @. Defaults to email. +OIDC_USERNAME_CLAIM={{oidc.attributes.username}} + +# The domain used when constructing an email from a non-email username (e.g., when OIDC_USERNAME_CLAIM=sub). Ignored if OIDC_USERNAME_CLAIM is already an email. Defaults to the value of DOMAIN. +OIDC_USER_DOMAIN={{primary_domain}} +{% endif %} + +# If enabled, users who authenticate successfully but do not yet have an account will have one created for them. If disabled, only existing users can log in, and authentication will fail for users without a pre-existing account. Defaults to True. 
+OIDC_ENABLE_USER_CREATION={{ applications[application_id].oidc.enable_user_creation | string | capitalize }} {% endif %}
\ No newline at end of file
diff --git a/roles/docker-mastodon/templates/env.j2 b/roles/docker-mastodon/templates/env.j2
index d42688bf..d1bd6421 100644
--- a/roles/docker-mastodon/templates/env.j2
+++ b/roles/docker-mastodon/templates/env.j2
@@ -64,12 +64,14 @@ OIDC_DISPLAY_NAME="{{oidc.button_text}}" OIDC_ISSUER={{oidc.client.issuer_url}} OIDC_DISCOVERY=true OIDC_SCOPE="openid,profile,email" -OIDC_UID_FIELD=preferred_username # @see https://stackoverflow.com/questions/72108087/how-to-set-the-username-of-mastodon-by-log-in-via-keycloak +# @see https://stackoverflow.com/questions/72108087/how-to-set-the-username-of-mastodon-by-log-in-via-keycloak +OIDC_UID_FIELD={{oidc.attributes.username}} OIDC_CLIENT_ID={{oidc.client.id}} OIDC_REDIRECT_URI=https://{{domains[application_id]}}/auth/auth/openid_connect/callback OIDC_SECURITY_ASSUME_EMAIL_IS_VERIFIED=true OIDC_CLIENT_SECRET={{oidc.client.secret}} -OMNIAUTH_ONLY=true # uncomment to only use OIDC for login / registration buttons +# uncomment to only use OIDC for login / registration buttons +OMNIAUTH_ONLY=true ALLOW_UNSAFE_AUTH_PROVIDER_REATTACH=true ONE_CLICK_SSO_LOGIN=true {% endif %}
\ No newline at end of file
diff --git a/roles/docker-matrix-compose/templates/synapse/homeserver.yaml.j2 b/roles/docker-matrix-compose/templates/synapse/homeserver.yaml.j2
index f239009e..a3bbab4c 100644
--- a/roles/docker-matrix-compose/templates/synapse/homeserver.yaml.j2
+++ b/roles/docker-matrix-compose/templates/synapse/homeserver.yaml.j2
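Review bot: `OIDC_USER_DOMAIN={{primary_domain}}` hard-codes the suffix although the Mailu defaults in group_vars/all/07_applications.yml define `oidc.domain` for exactly this purpose ("email suffix behind @"); it should read `OIDC_USER_DOMAIN={{ applications[application_id].oidc.domain }}` so an inventory override of the mail domain is honoured. The new inner `{% if applications[application_id].oidc.enabled | bool %}` guards only the two claim settings while `OIDC_ENABLE_USER_CREATION` is emitted outside it, and since `OIDC_ENABLED` already carries the same flag the extra guard looks redundant; the outer `{% if %}` closed by the final `{% endif %}` starts before the hunk, so I cannot tell whether it is the same condition. With `enable_user_creation` defaulting to true, any identity the IdP accepts gets a mailbox `<claim>@<domain>` on first login, so the comment on `OIDC_ENABLE_USER_CREATION` should name the IdP client as the place where access is restricted. The comment on `OIDC_USERNAME_CLAIM` reads "constructed as @", which looks like `<username>@<domain>` with the placeholders stripped.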
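Review bot: The comment now placed above `OMNIAUTH_ONLY=true` in the Mastodon template still reads "uncomment to only use OIDC", but the line beneath it is active, so the comment describes a state that does not exist; suggest `# Only OIDC is offered for login / registration; set to false to re-enable local accounts`. Moving both comments off the value lines is the right call, because a trailing ` # ...` after a dotenv value can end up inside the value on some loaders — worth one sentence in the commit message. `OIDC_SECURITY_ASSUME_EMAIL_IS_VERIFIED=true` (context line) appears to skip any `email_verified` check on the IdP's claim; acceptable for a realm this repo controls, but a comment saying why would help the next reader.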
@@ -56,7 +56,7 @@ oidc_providers: scopes: ["openid", "profile"] user_mapping_provider: config: - localpart_template: "{% raw %}{{ user.preferred_username }}{% endraw %}" + localpart_template: "{% raw %}{{ user.{% endraw %}{{oidc.attributes.username}} {% raw %}}}{% endraw %}" display_name_template: "{% raw %}{{ user.name }}{% endraw %}" backchannel_logout_enabled: true {% endif %}
diff --git a/roles/docker-nextcloud/templates/config/oidc.config.php.j2 b/roles/docker-nextcloud/templates/config/oidc.config.php.j2
index 022301b4..cb9da342 100644
--- a/roles/docker-nextcloud/templates/config/oidc.config.php.j2
+++ b/roles/docker-nextcloud/templates/config/oidc.config.php.j2
@@ -102,7 +102,7 @@ return array ( 'mail' => 'email', 'quota' => 'nextcloudQuota', # 'home' => 'homeDirectory', # Not implemented yet - 'ldap_uid' => 'preferred_username', + 'ldap_uid' => '{{oidc.attributes.username}}', # 'groups' => 'ownCloudGroups', # Not implemented yet # 'login_filter' => 'realm_access_roles', // 'photoURL' => 'picture',
diff --git a/roles/docker-taiga/templates/env.j2 b/roles/docker-taiga/templates/env.j2
index be2026dc..3c8f10a8 100644
--- a/roles/docker-taiga/templates/env.j2
+++ b/roles/docker-taiga/templates/env.j2
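Review bot: The `{% raw %}…{% endraw %}` splicing on `localpart_template` is hard to read and easy to break (the lone space before the closing `}}` is load-bearing); the same rendered value `{{ user.preferred_username }}` can be produced with `localpart_template: "{{ '{{' }} user.{{ oidc.attributes.username }} {{ '}}' }}"`. Synapse uses this template as the Matrix localpart, so `oidc.attributes.username` must resolve to a claim whose values render to valid localparts — `preferred_username` does, an e-mail address would not — and now that the attribute is configurable that constraint belongs in a comment on the line. The `oidc_providers` entry starts before the hunk, so I cannot see whether a `{% if %}` already restricts when it is rendered.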
@@ -57,11 +57,15 @@ OPENID_TOKEN_URL="{{oidc.client.token_url}}" OPENID_CLIENT_ID="{{oidc.client.id}}" OPENID_CLIENT_SECRET="{{oidc.client.secret}}" OPENID_NAME="{{oidc.button_text}}" +OPENID_USERNAME_FIELD="{{oidc.attributes.username}}" + # Default Values -# # OPENID_ID_FIELD="sub" -# OPENID_USERNAME_FIELD="preferred_username" # OPENID_FULLNAME_FIELD="name" # OPENID_EMAIL_FIELD="email" # OPENID_SCOPE="openid email" + +# The following are optional fields to configure filtering users based on the openid-userinfo. A common use case is to allow only specific roles or groups to log into taiga. OPENID_FILTER_FIELD is the name of the claim that's present in the UserInfo. The field is expected to be a list of strings. OPENID_FILTER is the allowed values, comma seperated. +#OPENID_FILTER = "taiga_users,taiga_admins" +#OPENID_FILTER_FIELD = "groups" {% endif %}
\ No newline at end of file
diff --git a/roles/nginx-modifier-css/templates/global.css.j2 b/roles/nginx-modifier-css/templates/global.css.j2
index 1ae61d3e..5fc3425b 100644
--- a/roles/nginx-modifier-css/templates/global.css.j2
+++ b/roles/nginx-modifier-css/templates/global.css.j2
@@ -1168,7 +1168,7 @@ section.kanban h1, section.kanban h2{ } input.ng-empty::placeholder,.ng-empty::placeholder { - color: rgba(var(--color-rgb-03),0.6); /* Beispiel: roter Platzhaltertext */ + color: rgba(var(--color-rgb-03),0.6); } .lightbox {
@@ -1180,6 +1180,10 @@ input.ng-empty::placeholder,.ng-empty::placeholder { border-color: var(--color-70); } +.discover-header { + background: none; +} + /* Portfolio */ .card-img-top i { filter: drop-shadow(4px 4px 4px rgba(var(--color-rgb-23), 0.6));
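Review bot: The sample lines `#OPENID_FILTER = "taiga_users,taiga_admins"` and `#OPENID_FILTER_FIELD = "groups"` put spaces around `=`, which some dotenv-style and compose `env_file` parsers reject or misread, so anyone uncommenting them verbatim may end up with no filter and no obvious error; write them as `#OPENID_FILTER="taiga_users,taiga_admins"` and `#OPENID_FILTER_FIELD="groups"`. Because group_vars/all/07_applications.yml flips Taiga OIDC to enabled in this same patch, this filter is the only thing separating "authenticated at the IdP" from "can log into Taiga", so it would be better driven from a variable and rendered only when defined than left as a commented example. Also `seperated` → `separated` in the comment.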