Optimized OIDC integration for mailu

group_vars/all/07_applications.yml

@@ -267,6 +267,8 @@ defaults_applications:
     setup:                            false                                       # Set true in inventory file to execute the setup and initializing procedures
     oidc:
       enabled:                        true                                        # Activate OIDC for Mailu
+      email_by_username:              true                                        # If true, then the mail is set by the username. If wrong then the OIDC user email is used
+      enable_user_creation:           true                                        # Users will be created if not existing
     domain:                           "{{primary_domain}}"                        # The main domain from which mails will be send \ email suffix behind @
     # I don't know why the database deactivation is necessary
     database:
@@ -718,7 +720,7 @@ defaults_applications:
     # - https://community.taiga.io/t/taiga-and-oidc-plugin/4866
     #
     # Due to this reason this plutin is deactivated atm
-      enabled:                    False                                     # De\Activate OIDC for Taiga
+      enabled:                    True                                     # De\Activate OIDC for Taiga
                                                                             
 
   ## YOURLS

group_vars/all/11_iam.yml

@@ -24,6 +24,10 @@ defaults_oidc:
     logout_url:           "{{_oidc_client_issuer_url}}/protocol/openid-connect/logout"      # Endpoint to log out the user
     change_credentials:   "{{_oidc_client_issuer_url}}account/account-security/signing-in"  # URL for managing or changing user credentials
   button_text:            "SSO Login({{primary_domain | upper}})"                           # Default button text
+  attributes:
+    # Attribut to identify the user
+    username:             "preferred_username"
+
 #############################################
 ### LDAP                                  ###
 #############################################

roles/docker-bigbluebutton/handlers/main.yml

@@ -62,8 +62,9 @@
         greenlight:
         redis:
         coturn:
-        #freeswitch:
+        freeswitch:
         bigbluebutton:
+        mediasoup
     marker: "# {mark} ANSIBLE MANAGED BLOCK FOR VOLUMES"
     insertbefore: "^services:"
   listen: setup bigbluebutton

roles/docker-keycloak/templates/import/realm.json.j2

@@ -1499,7 +1499,7 @@
             "user.attribute": "username",
             "id.token.claim": "true",
             "access.token.claim": "true",
-            "claim.name": "preferred_username",
+            "claim.name": "{{oidc.attributes.username}}",
             "jsonType.label": "String"
           }
         },

roles/docker-mailu/templates/env.j2

@@ -159,20 +159,38 @@ AUTH_REQUIRE_TOKENS=True
 
 # Enable OpenID Connect. Possible values: True, False
 OIDC_ENABLED={{ applications[application_id].oidc.enabled | string | capitalize }}
+
 # OpenID Connect provider configuration URL
 OIDC_PROVIDER_INFO_URL={{oidc.client.issuer_url}}
-# OpenID redirect URL if HOSTNAME not matching your login url
+
-OIDC_REDIRECT_URL=https://{{domains[application_id]}}
+
 # OpenID Connect Client ID for Mailu
 OIDC_CLIENT_ID={{oidc.client.id}}
+
 # OpenID Connect Client secret for Mailu
 OIDC_CLIENT_SECRET={{oidc.client.secret}}
+
 # Label text for OpenID Connect login button. Default: OpenID Connect
-OIDC_BUTTON_NAME=OpenID Connect
+OIDC_BUTTON_NAME={{oidc.button_text}}
+
 # Disable TLS certificate verification for the OIDC client. Possible values: True, False
 OIDC_VERIFY_SSL=True
+
 # Enable redirect to OIDC provider for password change. Possible values: True, False
 OIDC_CHANGE_PASSWORD_REDIRECT_ENABLED=True
+
 # Redirect URL for password change. Defaults to provider issuer url appended by /.well-known/change-password
 OIDC_CHANGE_PASSWORD_REDIRECT_URL={{oidc.client.change_credentials}}
+
+{% if applications[application_id].oidc.enabled | bool %}
+
+# The OIDC claim used as the username. If the selected claim contains an email address, it will be used as is. If it is not an email (e.g., sub), the email address will be constructed as <OIDC_USERNAME_CLAIM>@<OIDC_USER_DOMAIN>. Defaults to email.
+OIDC_USERNAME_CLAIM={{oidc.attributes.username}}
+
+# The domain used when constructing an email from a non-email username (e.g., when OIDC_USERNAME_CLAIM=sub). Ignored if OIDC_USERNAME_CLAIM is already an email. Defaults to the value of DOMAIN.
+OIDC_USER_DOMAIN={{primary_domain}}
+{% endif %}
+
+# If enabled, users who authenticate successfully but do not yet have an account will have one created for them. If disabled, only existing users can log in, and authentication will fail for users without a pre-existing account. Defaults to True.
+OIDC_ENABLE_USER_CREATION={{ applications[application_id].oidc.enable_user_creation | string | capitalize }}
 {% endif %}

roles/docker-mastodon/templates/env.j2

@@ -64,12 +64,14 @@ OIDC_DISPLAY_NAME="{{oidc.button_text}}"
 OIDC_ISSUER={{oidc.client.issuer_url}}
 OIDC_DISCOVERY=true
 OIDC_SCOPE="openid,profile,email"
-OIDC_UID_FIELD=preferred_username                       # @see https://stackoverflow.com/questions/72108087/how-to-set-the-username-of-mastodon-by-log-in-via-keycloak
+# @see https://stackoverflow.com/questions/72108087/how-to-set-the-username-of-mastodon-by-log-in-via-keycloak
+OIDC_UID_FIELD={{oidc.attributes.username}}
 OIDC_CLIENT_ID={{oidc.client.id}}
 OIDC_REDIRECT_URI=https://{{domains[application_id]}}/auth/auth/openid_connect/callback
 OIDC_SECURITY_ASSUME_EMAIL_IS_VERIFIED=true
 OIDC_CLIENT_SECRET={{oidc.client.secret}}
-OMNIAUTH_ONLY=true                                      # uncomment to only use OIDC for login / registration buttons
+# uncomment to only use OIDC for login / registration buttons
+OMNIAUTH_ONLY=true
 ALLOW_UNSAFE_AUTH_PROVIDER_REATTACH=true
 ONE_CLICK_SSO_LOGIN=true
 {% endif %}

roles/docker-matrix-compose/templates/synapse/homeserver.yaml.j2

@@ -56,7 +56,7 @@ oidc_providers:
     scopes: ["openid", "profile"]
     user_mapping_provider:
       config:
-        localpart_template: "{% raw %}{{ user.preferred_username }}{% endraw %}"
+        localpart_template: "{% raw %}{{ user.{% endraw %}{{oidc.attributes.username}} {% raw %}}}{% endraw %}"
         display_name_template: "{% raw %}{{ user.name }}{% endraw %}"
     backchannel_logout_enabled: true
 {% endif %}

roles/docker-nextcloud/templates/config/oidc.config.php.j2

@@ -102,7 +102,7 @@ return array (
         'mail' => 'email',
         'quota' => 'nextcloudQuota',
         # 'home' => 'homeDirectory',    # Not implemented yet
-        'ldap_uid' => 'preferred_username',
+        'ldap_uid' => '{{oidc.attributes.username}}',
         # 'groups' => 'ownCloudGroups', # Not implemented yet
         # 'login_filter' => 'realm_access_roles',
     //    'photoURL' => 'picture',

roles/docker-taiga/templates/env.j2

@@ -57,11 +57,15 @@ OPENID_TOKEN_URL="{{oidc.client.token_url}}"
 OPENID_CLIENT_ID="{{oidc.client.id}}"
 OPENID_CLIENT_SECRET="{{oidc.client.secret}}"
 OPENID_NAME="{{oidc.button_text}}"
+OPENID_USERNAME_FIELD="{{oidc.attributes.username}}"
+
 # Default Values
-#
 # OPENID_ID_FIELD="sub"
-# OPENID_USERNAME_FIELD="preferred_username"
 # OPENID_FULLNAME_FIELD="name"
 # OPENID_EMAIL_FIELD="email"
 # OPENID_SCOPE="openid email"
+
+# The following are optional fields to configure filtering users based on the openid-userinfo. A common use case is to allow only specific roles or groups to log into taiga. OPENID_FILTER_FIELD is the name of the claim that's present in the UserInfo. The field is expected to be a list of strings. OPENID_FILTER is the allowed values, comma seperated.
+#OPENID_FILTER = "taiga_users,taiga_admins"
+#OPENID_FILTER_FIELD = "groups"
 {% endif %}

roles/nginx-modifier-css/templates/global.css.j2

@@ -1168,7 +1168,7 @@ section.kanban h1, section.kanban h2{
 }
 
 input.ng-empty::placeholder,.ng-empty::placeholder  {
-  color: rgba(var(--color-rgb-03),0.6); /* Beispiel: roter Platzhaltertext */
+  color: rgba(var(--color-rgb-03),0.6);
 }
 
 .lightbox {
@@ -1180,6 +1180,10 @@ input.ng-empty::placeholder,.ng-empty::placeholder  {
     border-color: var(--color-70);
 }
 
+.discover-header {
+    background: none;
+}
+
 /* Portfolio */ 
 .card-img-top i {
     filter: drop-shadow(4px 4px 4px rgba(var(--color-rgb-23), 0.6));