Implemented OIDC für mastodon

2025-10-31 02:10:05 +00:00 · 2025-02-06 18:19:42 +01:00
parent 31ee369a90
commit 95f3fdb130
2 changed files with 32 additions and 1 deletions
--- a/roles/docker-mastodon/templates/env.j2
+++ b/roles/docker-mastodon/templates/env.j2
@@ -1,3 +1,5 @@
+# @see https://docs.joinmastodon.org/admin/config
+
 LOCAL_DOMAIN={{domain}}
 ALTERNATE_DOMAINS="{{ domains.mastodon_alternates | join(',') }}"
 SINGLE_USER_MODE={{applications.mastodon.single_user_mode}}
@@ -27,4 +29,26 @@ SMTP_FROM_ADDRESS=Mastodon <{{system_email.from}}>

 ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY= {{mastodon_active_record_encryption_deterministic_key}}
 ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT={{mastodon_active_record_encryption_key_derivation_salt}}
-ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY={{mastodon_active_record_encryption_primary_key}}
+ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY={{mastodon_active_record_encryption_primary_key}}
+
+{% if oidc.enabled | bool %}
+################################### 
+# OpenID Connect settings
+###################################
+# @see https://github.com/mastodon/mastodon/pull/16221
+# @see https://stackoverflow.com/questions/72081776/how-mastodon-configured-login-using-sso
+
+OIDC_ENABLED={{ oidc.enabled | string | lower }}
+OIDC_DISPLAY_NAME="{{primary_domain}} SSO"
+OIDC_ISSUER={{oidc.client.issuer_url}}
+OIDC_DISCOVERY=true
+OIDC_SCOPE="openid,profile,email"
+OIDC_UID_FIELD=preferred_username                       # @see https://stackoverflow.com/questions/72108087/how-to-set-the-username-of-mastodon-by-log-in-via-keycloak
+OIDC_CLIENT_ID={{oidc.client.id}}
+OIDC_REDIRECT_URI=https://{{domain}}
+OIDC_SECURITY_ASSUME_EMAIL_IS_VERIFIED=true
+OIDC_CLIENT_SECRET={{oidc.client.secret}}
+OMNIAUTH_ONLY=true                                      # uncomment to only use OIDC for login / registration buttons
+ALLOW_UNSAFE_AUTH_PROVIDER_REATTACH=true
+ONE_CLICK_SSO_LOGIN=true
+{% endif %}