Optimized OIDC integration for mailu

2025-08-29 15:06:26 +02:00 · 2025-04-07 13:18:52 +02:00
parent 2997fb4f5f
commit 715d5fdb85
10 changed files with 57 additions and 22 deletions
--- a/roles/docker-bigbluebutton/handlers/main.yml
+++ b/roles/docker-bigbluebutton/handlers/main.yml
@@ -62,8 +62,9 @@
        greenlight:
        redis:
        coturn:
-        #freeswitch:
+        freeswitch:
        bigbluebutton:
+        mediasoup
    marker: "# {mark} ANSIBLE MANAGED BLOCK FOR VOLUMES"
    insertbefore: "^services:"
  listen: setup bigbluebutton
--- a/roles/docker-keycloak/templates/import/realm.json.j2
+++ b/roles/docker-keycloak/templates/import/realm.json.j2
@@ -1499,7 +1499,7 @@
            "user.attribute": "username",
            "id.token.claim": "true",
            "access.token.claim": "true",
-            "claim.name": "preferred_username",
+            "claim.name": "{{oidc.attributes.username}}",
            "jsonType.label": "String"
          }
        },
--- a/roles/docker-mailu/templates/env.j2
+++ b/roles/docker-mailu/templates/env.j2
@@ -159,20 +159,38 @@ AUTH_REQUIRE_TOKENS=True

 # Enable OpenID Connect. Possible values: True, False
 OIDC_ENABLED={{ applications[application_id].oidc.enabled | string | capitalize }}
+
 # OpenID Connect provider configuration URL
 OIDC_PROVIDER_INFO_URL={{oidc.client.issuer_url}}
-# OpenID redirect URL if HOSTNAME not matching your login url
-OIDC_REDIRECT_URL=https://{{domains[application_id]}}
+
+
 # OpenID Connect Client ID for Mailu
 OIDC_CLIENT_ID={{oidc.client.id}}
+
 # OpenID Connect Client secret for Mailu
 OIDC_CLIENT_SECRET={{oidc.client.secret}}
+
 # Label text for OpenID Connect login button. Default: OpenID Connect
-OIDC_BUTTON_NAME=OpenID Connect
+OIDC_BUTTON_NAME={{oidc.button_text}}
+
 # Disable TLS certificate verification for the OIDC client. Possible values: True, False
 OIDC_VERIFY_SSL=True
+
 # Enable redirect to OIDC provider for password change. Possible values: True, False
 OIDC_CHANGE_PASSWORD_REDIRECT_ENABLED=True
+
 # Redirect URL for password change. Defaults to provider issuer url appended by /.well-known/change-password
 OIDC_CHANGE_PASSWORD_REDIRECT_URL={{oidc.client.change_credentials}}
+
+{% if applications[application_id].oidc.enabled | bool %}
+
+# The OIDC claim used as the username. If the selected claim contains an email address, it will be used as is. If it is not an email (e.g., sub), the email address will be constructed as <OIDC_USERNAME_CLAIM>@<OIDC_USER_DOMAIN>. Defaults to email.
+OIDC_USERNAME_CLAIM={{oidc.attributes.username}}
+
+# The domain used when constructing an email from a non-email username (e.g., when OIDC_USERNAME_CLAIM=sub). Ignored if OIDC_USERNAME_CLAIM is already an email. Defaults to the value of DOMAIN.
+OIDC_USER_DOMAIN={{primary_domain}}
+{% endif %}
+
+# If enabled, users who authenticate successfully but do not yet have an account will have one created for them. If disabled, only existing users can log in, and authentication will fail for users without a pre-existing account. Defaults to True.
+OIDC_ENABLE_USER_CREATION={{ applications[application_id].oidc.enable_user_creation | string | capitalize }}
 {% endif %}
--- a/roles/docker-mastodon/templates/env.j2
+++ b/roles/docker-mastodon/templates/env.j2
@@ -64,12 +64,14 @@ OIDC_DISPLAY_NAME="{{oidc.button_text}}"
 OIDC_ISSUER={{oidc.client.issuer_url}}
 OIDC_DISCOVERY=true
 OIDC_SCOPE="openid,profile,email"
-OIDC_UID_FIELD=preferred_username                       # @see https://stackoverflow.com/questions/72108087/how-to-set-the-username-of-mastodon-by-log-in-via-keycloak
+# @see https://stackoverflow.com/questions/72108087/how-to-set-the-username-of-mastodon-by-log-in-via-keycloak
+OIDC_UID_FIELD={{oidc.attributes.username}}
 OIDC_CLIENT_ID={{oidc.client.id}}
 OIDC_REDIRECT_URI=https://{{domains[application_id]}}/auth/auth/openid_connect/callback
 OIDC_SECURITY_ASSUME_EMAIL_IS_VERIFIED=true
 OIDC_CLIENT_SECRET={{oidc.client.secret}}
-OMNIAUTH_ONLY=true                                      # uncomment to only use OIDC for login / registration buttons
+# uncomment to only use OIDC for login / registration buttons
+OMNIAUTH_ONLY=true
 ALLOW_UNSAFE_AUTH_PROVIDER_REATTACH=true
 ONE_CLICK_SSO_LOGIN=true
 {% endif %}
--- a/roles/docker-matrix-compose/templates/synapse/homeserver.yaml.j2
+++ b/roles/docker-matrix-compose/templates/synapse/homeserver.yaml.j2
@@ -56,7 +56,7 @@ oidc_providers:
    scopes: ["openid", "profile"]
    user_mapping_provider:
      config:
-        localpart_template: "{% raw %}{{ user.preferred_username }}{% endraw %}"
+        localpart_template: "{% raw %}{{ user.{% endraw %}{{oidc.attributes.username}} {% raw %}}}{% endraw %}"
        display_name_template: "{% raw %}{{ user.name }}{% endraw %}"
    backchannel_logout_enabled: true
 {% endif %}
--- a/roles/docker-nextcloud/templates/config/oidc.config.php.j2
+++ b/roles/docker-nextcloud/templates/config/oidc.config.php.j2
@@ -102,7 +102,7 @@ return array (
        'mail' => 'email',
        'quota' => 'nextcloudQuota',
        # 'home' => 'homeDirectory',    # Not implemented yet
-        'ldap_uid' => 'preferred_username',
+        'ldap_uid' => '{{oidc.attributes.username}}',
        # 'groups' => 'ownCloudGroups', # Not implemented yet
        # 'login_filter' => 'realm_access_roles',
    //    'photoURL' => 'picture',
--- a/roles/docker-taiga/templates/env.j2
+++ b/roles/docker-taiga/templates/env.j2
@@ -57,11 +57,15 @@ OPENID_TOKEN_URL="{{oidc.client.token_url}}"
 OPENID_CLIENT_ID="{{oidc.client.id}}"
 OPENID_CLIENT_SECRET="{{oidc.client.secret}}"
 OPENID_NAME="{{oidc.button_text}}"
+OPENID_USERNAME_FIELD="{{oidc.attributes.username}}"
+
 # Default Values
-#
 # OPENID_ID_FIELD="sub"
-# OPENID_USERNAME_FIELD="preferred_username"
 # OPENID_FULLNAME_FIELD="name"
 # OPENID_EMAIL_FIELD="email"
 # OPENID_SCOPE="openid email"
+
+# The following are optional fields to configure filtering users based on the openid-userinfo. A common use case is to allow only specific roles or groups to log into taiga. OPENID_FILTER_FIELD is the name of the claim that's present in the UserInfo. The field is expected to be a list of strings. OPENID_FILTER is the allowed values, comma seperated.
+#OPENID_FILTER = "taiga_users,taiga_admins"
+#OPENID_FILTER_FIELD = "groups"
 {% endif %}
--- a/roles/nginx-modifier-css/templates/global.css.j2
+++ b/roles/nginx-modifier-css/templates/global.css.j2
@@ -1168,7 +1168,7 @@ section.kanban h1, section.kanban h2{
 }

 input.ng-empty::placeholder,.ng-empty::placeholder  {
-  color: rgba(var(--color-rgb-03),0.6); /* Beispiel: roter Platzhaltertext */
+  color: rgba(var(--color-rgb-03),0.6);
 }

 .lightbox {
@@ -1180,6 +1180,10 @@ input.ng-empty::placeholder,.ng-empty::placeholder  {
    border-color: var(--color-70);
 }

+.discover-header {
+    background: none;
+}
+
 /* Portfolio */ 
 .card-img-top i {
    filter: drop-shadow(4px 4px 4px rgba(var(--color-rgb-23), 0.6));