viehlieb
/
api
forked from vikunja/vikunja
1
0
Fork 1
Code Issues Pull Requests Packages Projects Releases Wiki Activity

adding authentik setup to openid-examples, some work in documentation

This commit is contained in:
viehlieb 2024-02-23 12:39:03 +01:00
parent 5d5ea971c7
commit 03fd257138
4 changed files with 10 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
config.yml.sample
View File

@ -326,7 +326,7 @@ auth:
# The client secret used to authenticate Vikunja at the OpenID Connect provider.
clientsecret:
# The scope necessary to use oidc.
# If you want to use the Feature to create and assign to vikunja teams via oidc, you have to add the custom "vikunja_scope" and check [openid.md](https://vikunja.io/docs/openid/)
# If you want to use the Feature to create and assign to vikunja teams via oidc, you have to add the custom "vikunja_scope" and check [openid.md](https://vikunja.io/docs/openid/).
# e.g. scope: openid email profile vikunja_scope
scope: openid email profile

8
docs/content/doc/setup/config.md
View File

@ -94,7 +94,7 @@ Environment path: `VIKUNJA_SERVICE_JWTTTL`
### jwtttllong
The duration of the "remember me" time in seconds. When the login request is made with
The duration of the "remember me" time in seconds. When the login request is made with
the long param set, the token returned will be valid for this period.
The default is 2592000 seconds (30 Days).
@ -289,7 +289,7 @@ Environment path: `VIKUNJA_SERVICE_ENABLEEMAILREMINDERS`
### enableuserdeletion
If true, will allow users to request the complete deletion of their account. When using external authentication methods
If true, will allow users to request the complete deletion of their account. When using external authentication methods
it may be required to coordinate with them in order to delete the account. This setting will not affect the cli commands
for user deletion.
@ -569,7 +569,7 @@ Environment path: `VIKUNJA_DATABASE_TLS`
Whether to enable the Typesense integration. If true, all tasks will be synced to the configured Typesense
instance and all search and filtering will run through Typesense instead of only through the database.
Typesense allows fast fulltext search including fuzzy matching support. It may return different results than
Typesense allows fast fulltext search including fuzzy matching support. It may return different results than
what you'd get with a database-only search.
Default: `false`
@ -1024,7 +1024,7 @@ Environment path: `VIKUNJA_RATELIMIT_STORE`
### noauthlimit
The number of requests a user can make from the same IP to all unauthenticated routes (login, register,
The number of requests a user can make from the same IP to all unauthenticated routes (login, register,
password confirmation, email verification, password reset request) per minute. This limit cannot be disabled.
You should only change this if you know what you're doing.

2
docs/content/doc/setup/openid-examples.md
View File

@ -67,7 +67,7 @@ Google config:
Note that there currently seems to be no way to stop creation of new users, even when `enableregistration` is `false` in the configuration. This means that this approach works well only with an "Internal Organization" app for Google Workspace, which limits the allowed users to organizational accounts only. External / public applications will potentially allow every Google user to register.
## Keycloak
## Keycloak
Vikunja Config:
```yaml

8
docs/content/doc/setup/openid.md
View File

@ -8,13 +8,13 @@ To learn more about how to configure this, [check out the examples]({{< ref "ope
## Automatically assign users to teams
Vikunja is capable of automatically adding users to a team based on a group defined in the oidc provider.
If configured, Vikunja will sync teams, automatically create new ones and make sure the members are part of the configured teams.
Vikunja is capable of automatically adding users to a team based on a group defined in the oidc provider.
If configured, Vikunja will sync teams, automatically create new ones and make sure the members are part of the configured teams.
Teams which exist only because they were created from oidc attributes are not editable in Vikunja.
To distinguish between teams created in Vikunja and teams generated automatically via oidc, generated teams have an `oidcID` assigned internally.
You need to make sure the OpenID provider has the `vikunja_groups` scope via your custom scope since this is the key Vikunja is looking for to start the procedure.
You need to make sure the OpenID provider has the `vikunja_groups` scope via your custom scope since this is the key, which is looked up by Vikunja to start the procedure.
Additionally, make sure to deliver an `oidcID` and a `name` attribute in the oidc token.
@ -26,7 +26,7 @@ To use Authentik's group assignment feature, follow these steps:
1. Edit [your config]({{< ref "config.md">}}) to include the following scopes: `openid profile email vikunja_scope`
2. Open `<your authentik url>/if/admin/#/core/property-mappings`
3. Create a new mapping called `vikunja_scope`. There is a field to enter python expressions that will be delivered with the oidc token.
3. Create a new property mapping called `vikunja_scope` as scope mapping. There is a field `expression` to enter python expressions that will be delivered with the oidc token.
4. Write a small script like the following to add group information to `vikunja_scope`:
```python