Optimized OIDC integration for mailu

2025-08-29 15:06:26 +02:00 · 2025-04-07 13:18:52 +02:00
parent 2997fb4f5f
commit 715d5fdb85
10 changed files with 57 additions and 22 deletions
--- a/roles/docker-mailu/templates/env.j2
+++ b/roles/docker-mailu/templates/env.j2
@@ -159,20 +159,38 @@ AUTH_REQUIRE_TOKENS=True

 # Enable OpenID Connect. Possible values: True, False
 OIDC_ENABLED={{ applications[application_id].oidc.enabled | string | capitalize }}
+
 # OpenID Connect provider configuration URL
 OIDC_PROVIDER_INFO_URL={{oidc.client.issuer_url}}
-# OpenID redirect URL if HOSTNAME not matching your login url
-OIDC_REDIRECT_URL=https://{{domains[application_id]}}
+
+
 # OpenID Connect Client ID for Mailu
 OIDC_CLIENT_ID={{oidc.client.id}}
+
 # OpenID Connect Client secret for Mailu
 OIDC_CLIENT_SECRET={{oidc.client.secret}}
+
 # Label text for OpenID Connect login button. Default: OpenID Connect
-OIDC_BUTTON_NAME=OpenID Connect
+OIDC_BUTTON_NAME={{oidc.button_text}}
+
 # Disable TLS certificate verification for the OIDC client. Possible values: True, False
 OIDC_VERIFY_SSL=True
+
 # Enable redirect to OIDC provider for password change. Possible values: True, False
 OIDC_CHANGE_PASSWORD_REDIRECT_ENABLED=True
+
 # Redirect URL for password change. Defaults to provider issuer url appended by /.well-known/change-password
 OIDC_CHANGE_PASSWORD_REDIRECT_URL={{oidc.client.change_credentials}}
+
+{% if applications[application_id].oidc.enabled | bool %}
+
+# The OIDC claim used as the username. If the selected claim contains an email address, it will be used as is. If it is not an email (e.g., sub), the email address will be constructed as <OIDC_USERNAME_CLAIM>@<OIDC_USER_DOMAIN>. Defaults to email.
+OIDC_USERNAME_CLAIM={{oidc.attributes.username}}
+
+# The domain used when constructing an email from a non-email username (e.g., when OIDC_USERNAME_CLAIM=sub). Ignored if OIDC_USERNAME_CLAIM is already an email. Defaults to the value of DOMAIN.
+OIDC_USER_DOMAIN={{primary_domain}}
+{% endif %}
+
+# If enabled, users who authenticate successfully but do not yet have an account will have one created for them. If disabled, only existing users can log in, and authentication will fail for users without a pre-existing account. Defaults to True.
+OIDC_ENABLE_USER_CREATION={{ applications[application_id].oidc.enable_user_creation | string | capitalize }}
 {% endif %}