From 03fd257138234ef669b59f14228fca92d547b904 Mon Sep 17 00:00:00 2001 From: viehlieb Date: Fri, 23 Feb 2024 12:39:03 +0100 Subject: [PATCH] adding authentik setup to openid-examples, some work in documentation --- config.yml.sample | 2 +- docs/content/doc/setup/config.md | 8 ++++---- docs/content/doc/setup/openid-examples.md | 2 +- docs/content/doc/setup/openid.md | 8 ++++---- 4 files changed, 10 insertions(+), 10 deletions(-) diff --git a/config.yml.sample b/config.yml.sample index f81eb0b03..ff20e1efe 100644 --- a/config.yml.sample +++ b/config.yml.sample @@ -326,7 +326,7 @@ auth: # The client secret used to authenticate Vikunja at the OpenID Connect provider. clientsecret: # The scope necessary to use oidc. - # If you want to use the Feature to create and assign to vikunja teams via oidc, you have to add the custom "vikunja_scope" and check [openid.md](https://vikunja.io/docs/openid/) + # If you want to use the Feature to create and assign to vikunja teams via oidc, you have to add the custom "vikunja_scope" and check [openid.md](https://vikunja.io/docs/openid/). # e.g. scope: openid email profile vikunja_scope scope: openid email profile diff --git a/docs/content/doc/setup/config.md b/docs/content/doc/setup/config.md index 0e00f8638..25e940785 100644 --- a/docs/content/doc/setup/config.md +++ b/docs/content/doc/setup/config.md @@ -94,7 +94,7 @@ Environment path: `VIKUNJA_SERVICE_JWTTTL` ### jwtttllong -The duration of the "remember me" time in seconds. When the login request is made with +The duration of the "remember me" time in seconds. When the login request is made with the long param set, the token returned will be valid for this period. The default is 2592000 seconds (30 Days). @@ -289,7 +289,7 @@ Environment path: `VIKUNJA_SERVICE_ENABLEEMAILREMINDERS` ### enableuserdeletion -If true, will allow users to request the complete deletion of their account. When using external authentication methods +If true, will allow users to request the complete deletion of their account. When using external authentication methods it may be required to coordinate with them in order to delete the account. This setting will not affect the cli commands for user deletion. @@ -569,7 +569,7 @@ Environment path: `VIKUNJA_DATABASE_TLS` Whether to enable the Typesense integration. If true, all tasks will be synced to the configured Typesense instance and all search and filtering will run through Typesense instead of only through the database. -Typesense allows fast fulltext search including fuzzy matching support. It may return different results than +Typesense allows fast fulltext search including fuzzy matching support. It may return different results than what you'd get with a database-only search. Default: `false` @@ -1024,7 +1024,7 @@ Environment path: `VIKUNJA_RATELIMIT_STORE` ### noauthlimit -The number of requests a user can make from the same IP to all unauthenticated routes (login, register, +The number of requests a user can make from the same IP to all unauthenticated routes (login, register, password confirmation, email verification, password reset request) per minute. This limit cannot be disabled. You should only change this if you know what you're doing. diff --git a/docs/content/doc/setup/openid-examples.md b/docs/content/doc/setup/openid-examples.md index 3f7d37ca6..dd3165b79 100644 --- a/docs/content/doc/setup/openid-examples.md +++ b/docs/content/doc/setup/openid-examples.md @@ -67,7 +67,7 @@ Google config: Note that there currently seems to be no way to stop creation of new users, even when `enableregistration` is `false` in the configuration. This means that this approach works well only with an "Internal Organization" app for Google Workspace, which limits the allowed users to organizational accounts only. External / public applications will potentially allow every Google user to register. -## Keycloak +## Keycloak Vikunja Config: ```yaml diff --git a/docs/content/doc/setup/openid.md b/docs/content/doc/setup/openid.md index e02047fa6..7e257996f 100644 --- a/docs/content/doc/setup/openid.md +++ b/docs/content/doc/setup/openid.md @@ -8,13 +8,13 @@ To learn more about how to configure this, [check out the examples]({{< ref "ope ## Automatically assign users to teams -Vikunja is capable of automatically adding users to a team based on a group defined in the oidc provider. -If configured, Vikunja will sync teams, automatically create new ones and make sure the members are part of the configured teams. +Vikunja is capable of automatically adding users to a team based on a group defined in the oidc provider. +If configured, Vikunja will sync teams, automatically create new ones and make sure the members are part of the configured teams. Teams which exist only because they were created from oidc attributes are not editable in Vikunja. To distinguish between teams created in Vikunja and teams generated automatically via oidc, generated teams have an `oidcID` assigned internally. -You need to make sure the OpenID provider has the `vikunja_groups` scope via your custom scope since this is the key Vikunja is looking for to start the procedure. +You need to make sure the OpenID provider has the `vikunja_groups` scope via your custom scope since this is the key, which is looked up by Vikunja to start the procedure. Additionally, make sure to deliver an `oidcID` and a `name` attribute in the oidc token. @@ -26,7 +26,7 @@ To use Authentik's group assignment feature, follow these steps: 1. Edit [your config]({{< ref "config.md">}}) to include the following scopes: `openid profile email vikunja_scope` 2. Open `/if/admin/#/core/property-mappings` -3. Create a new mapping called `vikunja_scope`. There is a field to enter python expressions that will be delivered with the oidc token. +3. Create a new property mapping called `vikunja_scope` as scope mapping. There is a field `expression` to enter python expressions that will be delivered with the oidc token. 4. Write a small script like the following to add group information to `vikunja_scope`: ```python