Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat: support OIDC authentication #184

Open
wants to merge 73 commits into
base: develop
Choose a base branch
from
Open
Show file tree
Hide file tree
Changes from 41 commits
Commits
Show all changes
73 commits
Select commit Hold shift + click to select a range
8d64b6f
feat: support OIDC authentication
michaelhthomas Jul 11, 2022
158feb4
refactor: decouple Plex OAuth login from primary login components
michaelhthomas Jul 11, 2022
312b3df
chore: update & fix translations
michaelhthomas Jul 11, 2022
c0e8934
Merge branch 'develop' into oidc-login
michaelhthomas Jul 15, 2022
377d765
fix: make jellyfin login properly communicate with setup
michaelhthomas Jul 23, 2022
2989aba
Merge remote-tracking branch 'upstream/develop' into oidc-login
michaelhthomas Sep 18, 2022
2e7c0be
fix: do not require a server restart to update OIDC issuer
michaelhthomas Sep 25, 2022
88dfb99
fix: ignore trailing slashes in oidc issuer url
michaelhthomas Sep 25, 2022
88ac5af
fix: don't get stuck in an infinite loop if oidc server validation fails
michaelhthomas Sep 25, 2022
1c8829a
fix: do not remove trailing slash from OIDC issuer URL as some provid…
michaelhthomas Oct 26, 2022
617653c
fix: use OIDC id_token to validate user
michaelhthomas Oct 30, 2022
83876e0
perf: cache oidc provider endpoint configuration
michaelhthomas Oct 30, 2022
70c6eaf
fix: restore rounded corners & fix styling bugs
michaelhthomas Nov 14, 2022
32c8b72
fix: ensure correct login page sections are visible
michaelhthomas Nov 14, 2022
67b0c73
fix: separate option for enabling/disabling media server login
michaelhthomas Nov 16, 2022
492aaa4
chore: extract translations
michaelhthomas Nov 18, 2022
3f428e2
wip: merge upstream
michaelhthomas Nov 20, 2022
032f162
Merge remote-tracking branch 'upstream/develop' into oidc-login-upstream
michaelhthomas Nov 20, 2022
90b6285
fix: improve validation for login methods settings
michaelhthomas Nov 29, 2022
795f1fc
chore: remove unnecessary deps
michaelhthomas Nov 29, 2022
8e72c6c
fix: remove OIDC server information from public settings interface
michaelhthomas Nov 29, 2022
77dd853
fix: clean up OIDC login component
michaelhthomas Nov 29, 2022
c273a86
chore: extract translations
michaelhthomas Nov 29, 2022
37ac6b6
Merge branch 'upstream/develop' into oidc-login
Fallenbagel Dec 3, 2022
6461e93
chore: update documentation
michaelhthomas Dec 7, 2022
4c4168c
fix: allow unknown query parameters on oidc callback route
michaelhthomas Dec 13, 2022
1a36f9a
fix: make oidc issuer domain validation less strict
michaelhthomas Dec 13, 2022
d0bf2ec
fix: continue showing loading spinner while redirecting to home page
michaelhthomas Dec 13, 2022
48041f8
feat: merge claims from userinfo response, return json responses from…
michaelhthomas Dec 13, 2022
be7efa3
feat: add oidc callback page and proper error handling
michaelhthomas Dec 13, 2022
a9d2532
fix: accept OIDC audience claim as an array
michaelhthomas Dec 14, 2022
0036d35
feat: allow matching OIDC users to plex/emby/jellyfin by username
michaelhthomas Dec 24, 2022
7ea15dd
chore: extract translations
michaelhthomas Dec 24, 2022
1b9e3a7
Merge remote-tracking branch 'upstream/develop' into oidc-login
michaelhthomas Dec 25, 2022
ea1a59e
Merge remote-tracking branch 'upstream/develop' into oidc-login
michaelhthomas Jan 28, 2023
20983ff
fix: support logging in without popup window
michaelhthomas Feb 21, 2023
e03cb1f
chore: revert translations, add OIDC ones
michaelhthomas Feb 21, 2023
df44afe
Merge remote-tracking branch 'upstream/develop' into oidc-login
michaelhthomas Mar 1, 2023
21cb70f
fix: use preferred_username for new user creation
michaelhthomas Apr 4, 2023
e6d6578
Merge remote-tracking branch 'upstream/develop' into oidc-login
michaelhthomas Jun 11, 2023
c46f0b4
Merge remote-tracking branch 'origin/develop' into pr-184
Fallenbagel Aug 11, 2023
be008cc
Merge branch 'develop' into oidc-login
Fallenbagel Nov 7, 2023
2cf0ed9
feat(Modal): support configuring button type attribute
michaelhthomas Aug 13, 2023
8ac5354
feat: move oidc settings to modal
michaelhthomas Aug 13, 2023
c8abea0
chore(settings): remove extraneous change
michaelhthomas Aug 13, 2023
b9edaf7
fix(auth.ts): improve error handling
michaelhthomas Aug 21, 2023
80f3b19
feat(server): move oidc settings to object, add required claims and s…
michaelhthomas Oct 2, 2023
6ab00e3
feat(client): update settings to support new config schema
michaelhthomas Oct 2, 2023
847d0e2
fix(OidcSettings): simplify settings modal and improve behavior
michaelhthomas Oct 2, 2023
324e76e
fix(User): allow FindOperator queries for email
michaelhthomas Oct 2, 2023
729acb5
fix: update public settings and usages
michaelhthomas Oct 2, 2023
897dbda
fix(auth): modify error message
michaelhthomas Oct 2, 2023
06ab0d4
chore(callback): fix lint error
michaelhthomas Oct 2, 2023
5108699
feat: display new settings in advanced section of modal
michaelhthomas Dec 9, 2023
dc8251f
style: clean up auth routes & types
michaelhthomas Dec 9, 2023
d89ce70
fix(OidcModal): properly rotate accordion dropdown
michaelhthomas Dec 9, 2023
863d537
feat(oidc): add automatic login option
michaelhthomas Dec 9, 2023
54bfd4f
Merge remote-tracking branch 'upstream/develop' into oidc-login
michaelhthomas Dec 9, 2023
b30803a
chore: update API documentation
michaelhthomas Dec 9, 2023
9706853
chore(api-spec): remove extraneous changes
michaelhthomas Dec 9, 2023
6b7dc5c
style: move oidc types into interfaces file
michaelhthomas Dec 9, 2023
6ade3e4
fix(client): add automatic login to default settings
michaelhthomas Dec 9, 2023
d3e477d
fix: properly validate custom user identifiers and required claims
michaelhthomas Dec 10, 2023
6b9c774
fix(callback): show correct error message when OIDC errors occur
michaelhthomas Dec 10, 2023
ddde1d9
fix: don't assume the email claim is present for user registration
michaelhthomas Dec 10, 2023
a911f95
fix(OidcModal): tweak advanced settings collapse ui
michaelhthomas Dec 10, 2023
f9f1a39
chore: update settings documentation
michaelhthomas Dec 10, 2023
f37c416
fix: improve validation of issuer url
michaelhthomas Jan 7, 2024
f1d9ffa
Merge remote-tracking branch 'upstream/develop' into oidc-login
michaelhthomas Jan 7, 2024
6567236
Merge branch 'develop' into oidc-login
Fallenbagel Feb 23, 2024
def0d32
Merge branch 'develop' into oidc-login
Fallenbagel Feb 23, 2024
7867509
fix(OidcModal): avoid using URL.canParse
michaelhthomas Mar 26, 2024
2967878
Merge remote-tracking branch 'origin/develop' into oidc-login
Fallenbagel May 29, 2024
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion docs/extending-overseerr/reverse-proxy.md
Original file line number Diff line number Diff line change
Expand Up @@ -141,7 +141,7 @@ location ^~ /overseerr {
sub_filter '\/_next' '\/$app\/_next';
sub_filter '/_next' '/$app/_next';
sub_filter '/api/v1' '/$app/api/v1';
sub_filter '/login/plex/loading' '/$app/login/plex/loading';
sub_filter '/login/popup/loading' '/$app/login/popup/loading';
sub_filter '/images/' '/$app/images/';
sub_filter '/android-' '/$app/android-';
sub_filter '/apple-' '/$app/apple-';
Expand Down
16 changes: 16 additions & 0 deletions docs/using-overseerr/settings/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -80,6 +80,22 @@ When disabled, Plex OAuth becomes the only sign-in option, and any "local users"

This setting is **enabled** by default.

## Enable Media Server Sign-In

When enabled, users will be able to sign in on the login screen using their Plex / Jellyfin accounts.

When disabled, local sign-in will be the only option.

This setting is **enabled** by default.

## Enable OIDC Sign-In

When enabled, allows users to sign in to local accounts using an OIDC identity provider, which requires additional configuration.

For this setting to function properly, the OIDC Issuer URL, Provider Name, Client ID, and Client Secret must all be properly set.

This setting is **disabled** by default.

### Enable New Plex Sign-In

When enabled, users with access to your Plex server will be able to sign in to Overseerr even if they have not yet been imported. Users will be automatically assigned the permissions configured in the [Default Permissions](#default-permissions) setting upon first sign-in.
Expand Down
79 changes: 79 additions & 0 deletions overseerr-api.yml
Original file line number Diff line number Diff line change
Expand Up @@ -162,6 +162,27 @@ components:
localLogin:
type: boolean
example: true
mediaServerLogin:
type: boolean
example: true
oidcLogin:
type: boolean
example: true
oidcName:
type: string
example: Keycloak
oidcClientId:
type: string
example: your-client-id
oidcClientSecret:
type: string
example: your-client-secret
oidcDomain:
type: string
example: https://auth.example.com
oidcMatchUsername:
type: boolean
example: true
mediaServerType:
type: number
example: 1
Expand Down Expand Up @@ -3651,6 +3672,64 @@ paths:
type: string
required:
- password
/auth/oidc-login:
get:
security: []
summary: Redirect to the OpenID Connect provider
description: Constructs the redirect URL to the OpenID Connect provider, and redirects the user to it.
tags:
- auth
responses:
'302':
description: Redirect to the authentication url for the OpenID Connect provider
headers:
Location:
schema:
type: string
example: https://example.com/auth/oidc/callback?response_type=code&client_id=client_id&redirect_uri=https%3A%2F%2Fexample.com%2Fauth%2Foidc%2Fcallback&scope=openid%20email&state=state
Set-Cookie:
schema:
type: string
example: 'oidc-state=123456789; HttpOnly; max-age=60000; Secure'
/auth/oidc-callback:
get:
security: []
summary: The callback endpoint for the OpenID Connect provider redirect
description: Takes the `code` and `state` parameters from the OpenID Connect provider, and exchanges them for a token.
x-allow-unknown-query-parameters: true
parameters:
- in: query
name: code
required: true
schema:
type: string
example: '123456789'
- in: query
name: state
required: true
schema:
type: string
example: '123456789'
- in: cookie
name: oidc-state
required: true
schema:
type: string
example: '123456789'
tags:
- auth
responses:
'302':
description: A redirect to the home page if successful or back to the login page if not
headers:
Location:
schema:
type: string
example: /
Set-Cookie:
schema:
type: string
example: 'oidc-state=deleted; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT'
/user:
get:
summary: Get all users
Expand Down
1 change: 1 addition & 0 deletions package.json
Original file line number Diff line number Diff line change
Expand Up @@ -61,6 +61,7 @@
"formik": "2.2.9",
"gravatar-url": "3.1.0",
"intl": "1.2.5",
"jwt-decode": "^3.1.2",
"lodash": "4.17.21",
"next": "12.3.4",
"node-cache": "5.1.2",
Expand Down
129 changes: 129 additions & 0 deletions server/interfaces/api/oidcInterfaces.ts
Original file line number Diff line number Diff line change
@@ -0,0 +1,129 @@
/**
* @internal
*/
export type Mandatory<T, K extends keyof T> = Required<Pick<T, K>> & Omit<T, K>;

/**
* Standard OpenID Connect address claim.
* The Address Claim represents a physical mailing address.
*
* @public
* @see https://openid.net/specs/openid-connect-core-1_0.html#AddressClaim
*/
export interface OidcAddressClaim {
/** Full mailing address, formatted for display or use on a mailing label. This field MAY contain multiple lines, separated by newlines. Newlines can be represented either as a carriage return/line feed pair ("\\r\\n") or as a single line feed character ("\\n"). */
formatted?: string;
/** Full street address component, which MAY include house number, street name, Post Office Box, and multi-line extended street address information. This field MAY contain multiple lines, separated by newlines. Newlines can be represented either as a carriage return/line feed pair ("\\r\\n") or as a single line feed character ("\\n"). */
street_address?: string;
/** City or locality component. */
locality?: string;
/** State, province, prefecture, or region component. */
region?: string;
/** Zip code or postal code component. */
postal_code?: string;
/** Country name component. */
country?: string;
}

/**
* Standard OpenID Connect claims.
* They can be requested to be returned either in the UserInfo Response or in the ID Token.
*
* @public
* @see https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims
*/
export interface OidcStandardClaims {
/** Subject - Identifier for the End-User at the Issuer. */
sub?: string;
/** End-User's full name in displayable form including all name parts, possibly including titles and suffixes, ordered according to the End-User's locale and preferences. */
name?: string;
/** Given name(s) or first name(s) of the End-User. Note that in some cultures, people can have multiple given names; all can be present, with the names being separated by space characters. */
given_name?: string;
/** Surname(s) or last name(s) of the End-User. Note that in some cultures, people can have multiple family names or no family name; all can be present, with the names being separated by space characters. */
family_name?: string;
/** Middle name(s) of the End-User. Note that in some cultures, people can have multiple middle names; all can be present, with the names being separated by space characters. Also note that in some cultures, middle names are not used. */
middle_name?: string;
/** Casual name of the End-User that may or may not be the same as the given_name. For instance, a nickname value of Mike might be returned alongside a given_name value of Michael. */
nickname?: string;
/** Shorthand name by which the End-User wishes to be referred to at the RP, such as janedoe or j.doe. This value MAY be any valid JSON string including special characters such as \@, /, or whitespace. */
preferred_username?: string;
/** URL of the End-User's profile page. The contents of this Web page SHOULD be about the End-User. */
profile?: string;
/** URL of the End-User's profile picture. This URL MUST refer to an image file (for example, a PNG, JPEG, or GIF image file), rather than to a Web page containing an image. Note that this URL SHOULD specifically reference a profile photo of the End-User suitable for displaying when describing the End-User, rather than an arbitrary photo taken by the End-User. */
picture?: string;
/** URL of the End-User's Web page or blog. This Web page SHOULD contain information published by the End-User or an organization that the End-User is affiliated with. */
website?: string;
/** End-User's preferred e-mail address. Its value MUST conform to the RFC 5322 addr-spec syntax. */
email?: string;
/** True if the End-User's e-mail address has been verified; otherwise false. When this Claim Value is true, this means that the OP took affirmative steps to ensure that this e-mail address was controlled by the End-User at the time the verification was performed. The means by which an e-mail address is verified is context-specific, and dependent upon the trust framework or contractual agreements within which the parties are operating. */
email_verified?: boolean;
/** End-User's gender. Values defined by this specification are female and male. Other values MAY be used when neither of the defined values are applicable. */
gender?: string;
/** End-User's birthday, represented as an ISO 8601:2004 [ISO8601‑2004] YYYY-MM-DD format. The year MAY be 0000, indicating that it is omitted. To represent only the year, YYYY format is allowed. Note that depending on the underlying platform's date related function, providing just year can result in varying month and day, so the implementers need to take this factor into account to correctly process the dates. */
birthdate?: string;
/** String from zoneinfo [zoneinfo] time zone database representing the End-User's time zone. For example, Europe/Paris or America/Los_Angeles. */
zoneinfo?: string;
/** End-User's locale, represented as a BCP47 [RFC5646] language tag. This is typically an ISO 639-1 Alpha-2 [ISO639‑1] language code in lowercase and an ISO 3166-1 Alpha-2 [ISO3166‑1] country code in uppercase, separated by a dash. For example, en-US or fr-CA. As a compatibility note, some implementations have used an underscore as the separator rather than a dash, for example, en_US; */
locale?: string;
/** End-User's preferred telephone number. E.164 [E.164] is RECOMMENDED as the format of this Claim, for example, +1 (425) 555-1212 or +56 (2) 687 2400. If the phone number contains an extension, it is RECOMMENDED that the extension be represented using the RFC 3966 [RFC3966] extension syntax, for example, +1 (604) 555-1234;ext=5678. */
phone_number?: string;
/** True if the End-User's phone number has been verified; otherwise false. When this Claim Value is true, this means that the OP took affirmative steps to ensure that this phone number was controlled by the End-User at the time the verification was performed. The means by which a phone number is verified is context-specific, and dependent upon the trust framework or contractual agreements within which the parties are operating. When true, the phone_number Claim MUST be in E.164 format and any extensions MUST be represented in RFC 3966 format. */
phone_number_verified?: boolean;
/** End-User's preferred postal address. The value of the address member is a JSON [RFC4627] structure containing some or all of the members defined in Section 5.1.1. */
address?: OidcAddressClaim;
/** Time the End-User's information was last updated. Its value is a JSON number representing the number of seconds from 1970-01-01T0:0:0Z as measured in UTC until the date/time. */
updated_at?: number;
}

/**
* Standard JWT claims.
*
* @public
* @see https://datatracker.ietf.org/doc/html/rfc7519#section-4.1
*/
export interface JwtClaims {
[claim: string]: unknown;

/** The "iss" (issuer) claim identifies the principal that issued the JWT. The processing of this claim is generally application specific. The "iss" value is a case-sensitive string containing a StringOrURI value. */
iss?: string;
/** The "sub" (subject) claim identifies the principal that is the subject of the JWT. The claims in a JWT are normally statements about the subject. The subject value MUST either be scoped to be locally unique in the context of the issuer or be globally unique. The processing of this claim is generally application specific. The "sub" value is a case-sensitive string containing a StringOrURI value. */
sub?: string;
/** The "aud" (audience) claim identifies the recipients that the JWT is intended for. Each principal intended to process the JWT MUST identify itself with a value in the audience claim. If the principal processing the claim does not identify itself with a value in the "aud" claim when this claim is present, then the JWT MUST be rejected. In the general case, the "aud" value is an array of case-sensitive strings, each containing a StringOrURI value. In the special case when the JWT has one audience, the "aud" value MAY be a single case-sensitive string containing a StringOrURI value. The interpretation of audience values is generally application specific. */
aud?: string | string[];
/** The "exp" (expiration time) claim identifies the expiration time on or after which the JWT MUST NOT be accepted for processing. The processing of the "exp" claim requires that the current date/time MUST be before the expiration date/time listed in the "exp" claim. Implementers MAY provide for some small leeway, usually no more than a few minutes, to account for clock skew. Its value MUST be a number containing a NumericDate value. */
exp?: number;
/** The "nbf" (not before) claim identifies the time before which the JWT MUST NOT be accepted for processing. The processing of the "nbf" claim requires that the current date/time MUST be after or equal to the not-before date/time listed in the "nbf" claim. Implementers MAY provide for some small leeway, usually no more than a few minutes, to account for clock skew. Its value MUST be a number containing a NumericDate value. */
nbf?: number;
/** The "iat" (issued at) claim identifies the time at which the JWT was issued. This claim can be used to determine the age of the JWT. Its value MUST be a number containing a NumericDate value. */
iat?: number;
/** The "jti" (JWT ID) claim provides a unique identifier for the JWT. The identifier value MUST be assigned in a manner that ensures that there is a negligible probability that the same value will be accidentally assigned to a different data object; if the application uses multiple issuers, collisions MUST be prevented among values produced by different issuers as well. The "jti" claim can be used to prevent the JWT from being replayed. The "jti" value is a case-sensitive string. */
jti?: string;
}

/**
* Standard ID Token claims.
*
* @public
* @see https://openid.net/specs/openid-connect-core-1_0.html#IDToken
*/
export interface IdTokenClaims
extends Mandatory<OidcStandardClaims, 'sub'>,
Mandatory<JwtClaims, 'iss' | 'sub' | 'aud' | 'exp' | 'iat'> {
[claim: string]: unknown;

/** Time when the End-User authentication occurred. Its value is a JSON number representing the number of seconds from 1970-01-01T0:0:0Z as measured in UTC until the date/time. When a max_age request is made or when auth_time is requested as an Essential Claim, then this Claim is REQUIRED; otherwise, its inclusion is OPTIONAL. (The auth_time Claim semantically corresponds to the OpenID 2.0 PAPE [OpenID.PAPE] auth_time response parameter.) */
auth_time?: number;
/** String value used to associate a Client session with an ID Token, and to mitigate replay attacks. The value is passed through unmodified from the Authentication Request to the ID Token. If present in the ID Token, Clients MUST verify that the nonce Claim Value is equal to the value of the nonce parameter sent in the Authentication Request. If present in the Authentication Request, Authorization Servers MUST include a nonce Claim in the ID Token with the Claim Value being the nonce value sent in the Authentication Request. Authorization Servers SHOULD perform no other processing on nonce values used. The nonce value is a case sensitive string. */
nonce?: string;
/** Authentication Context Class Reference. String specifying an Authentication Context Class Reference value that identifies the Authentication Context Class that the authentication performed satisfied. The value "0" indicates the End-User authentication did not meet the requirements of ISO/IEC 29115 [ISO29115] level 1. Authentication using a long-lived browser cookie, for instance, is one example where the use of "level 0" is appropriate. Authentications with level 0 SHOULD NOT be used to authorize access to any resource of any monetary value. (This corresponds to the OpenID 2.0 PAPE [OpenID.PAPE] nist_auth_level 0.) An absolute URI or an RFC 6711 [RFC6711] registered name SHOULD be used as the acr value; registered names MUST NOT be used with a different meaning than that which is registered. Parties using this claim will need to agree upon the meanings of the values used, which may be context-specific. The acr value is a case sensitive string. */
acr?: string;
/** Authentication Methods References. JSON array of strings that are identifiers for authentication methods used in the authentication. For instance, values might indicate that both password and OTP authentication methods were used. The definition of particular values to be used in the amr Claim is beyond the scope of this specification. Parties using this claim will need to agree upon the meanings of the values used, which may be context-specific. The amr value is an array of case sensitive strings. */
amr?: unknown;
/** Authorized party - the party to which the ID Token was issued. If present, it MUST contain the OAuth 2.0 Client ID of this party. This Claim is only needed when the ID Token has a single audience value and that audience is different than the authorized party. It MAY be included even when the authorized party is the same as the sole audience. The azp value is a case sensitive string containing a StringOrURI value. */
azp?: string;
/**
* Session ID - String identifier for a Session. This represents a Session of a User Agent or device for a logged-in End-User at an RP. Different sid values are used to identify distinct sessions at an OP. The sid value need only be unique in the context of a particular issuer. Its contents are opaque to the RP. Its syntax is the same as an OAuth 2.0 Client Identifier.
* @see https://openid.net/specs/openid-connect-frontchannel-1_0.html#OPLogout
* */
sid?: string;
}
3 changes: 3 additions & 0 deletions server/interfaces/api/settingsInterfaces.ts
Original file line number Diff line number Diff line change
Expand Up @@ -28,6 +28,9 @@ export interface PublicSettingsResponse {
applicationUrl: string;
hideAvailable: boolean;
localLogin: boolean;
mediaServerLogin: boolean;
oidcLogin: boolean;
oidcName: string;
movie4kEnabled: boolean;
series4kEnabled: boolean;
region: string;
Expand Down
Loading