Merge pull request #1640 from eikek/redirect-oidc

Allow to skip login page if a single oidc provider is configured
2025-04-04 10:29:34 +00:00 · 2022-07-08 15:26:09 +00:00 · 2022-07-08 15:26:09 +00:00 · 3d4c9370e0
commit 3d4c9370e0
parent 34571556e7 3fc72cedac
12 changed files with 132 additions and 13 deletions
--- a/modules/oidc/src/main/scala/docspell/oidc/ProviderConfig.scala
+++ b/modules/oidc/src/main/scala/docspell/oidc/ProviderConfig.scala
@ -18,6 +18,7 @@ final case class ProviderConfig(
    authorizeUrl: LenientUri,
    tokenUrl: LenientUri,
    userUrl: Option[LenientUri],
+    logoutUrl: Option[LenientUri],
    signKey: ByteVector,
    sigAlgo: SignatureAlgo
 )
@ -33,6 +34,7 @@ object ProviderConfig {
      LenientUri.unsafe("https://github.com/login/oauth/authorize"),
      LenientUri.unsafe("https://github.com/login/oauth/access_token"),
      Some(LenientUri.unsafe("https://api.github.com/user")),
+      None,
      ByteVector.empty,
      SignatureAlgo.RS256
    )
--- a/modules/restserver/src/main/resources/reference.conf
+++ b/modules/restserver/src/main/resources/reference.conf
@ -126,6 +126,10 @@ docspell.server {
  # response from the authentication provider is validated using this
  # key.
  #
+  # If a `logout-url` is provided, it will be used to finally redirect
+  # the browser to this url that should logout the user from Docspell
+  # at the provider.
+  #
  # After successful authentication, docspell needs to create the
  # account. For this a username and collective name is required. The
  # account name is defined by the `user-key` and `collective-key`
@ -184,6 +188,7 @@ docspell.server {
          token-url = "http://localhost:8080/auth/realms/home/protocol/openid-connect/token",
          #User URL is not used when signature key is set.
          #user-url = "http://localhost:8080/auth/realms/home/protocol/openid-connect/userinfo",
+          logout-url = "http://localhost:8080/auth/realms/home/protocol/openid-connect/logout"
          sign-key = "b64:anVzdC1hLXRlc3Q=",
          sig-algo = "RS512"
        },
@ -231,6 +236,11 @@ docspell.server {
      }
    ]

+  # When exactly one OIDC/OAuth provider is configured, then the weapp
+  # automatically redirects to its authentication page skipping the
+  # docspell login page.
+  oidc-auto-redirect = true
+
  # This endpoint allows to upload files to any collective. The
  # intention is that local software integrates with docspell more
  # easily. Therefore the endpoint is not protected by the usual
--- a/modules/restserver/src/main/scala/docspell/restserver/Config.scala
+++ b/modules/restserver/src/main/scala/docspell/restserver/Config.scala
@ -37,11 +37,15 @@ case class Config(
    fullTextSearch: Config.FullTextSearch,
    adminEndpoint: Config.AdminEndpoint,
    openid: List[OpenIdConfig],
-    downloadAll: DownloadAllCfg
+    downloadAll: DownloadAllCfg,
+    oidcAutoRedirect: Boolean
 ) {
  def openIdEnabled: Boolean =
    openid.exists(_.enabled)

+  def openIdSingleEnabled: Boolean =
+    openid.count(_.enabled) == 1
+
  def pubSubConfig(headerValue: Ident): PubSubConfig =
    PubSubConfig(
      appId,
--- a/modules/restserver/src/main/scala/docspell/restserver/webapp/Flags.scala
+++ b/modules/restserver/src/main/scala/docspell/restserver/webapp/Flags.scala
@ -30,7 +30,8 @@ case class Flags(
    downloadAllMaxSize: ByteSize,
    uiVersion: Int,
    openIdAuth: List[Flags.OpenIdAuth],
-    addonsEnabled: Boolean
+    addonsEnabled: Boolean,
+    oidcAutoRedirect: Boolean
 )

 object Flags {
@ -48,11 +49,18 @@ object Flags {
      cfg.downloadAll.maxFiles,
      cfg.downloadAll.maxSize,
      uiVersion,
-      cfg.openid.filter(_.enabled).map(c => OpenIdAuth(c.provider.providerId, c.display)),
-      cfg.backend.addons.enabled
+      cfg.openid
+        .filter(_.enabled)
+        .map(c => OpenIdAuth(c.provider.providerId, c.display, c.provider.logoutUrl)),
+      cfg.backend.addons.enabled,
+      cfg.oidcAutoRedirect && cfg.openIdSingleEnabled
    )

-  final case class OpenIdAuth(provider: Ident, name: String)
+  final case class OpenIdAuth(
+      provider: Ident,
+      name: String,
+      logoutUrl: Option[LenientUri]
+  )

  object OpenIdAuth {
    implicit val jsonDecoder: Decoder[OpenIdAuth] =
--- a/modules/webapp/src/main/elm/App/Update.elm
+++ b/modules/webapp/src/main/elm/App/Update.elm
@ -183,8 +183,30 @@ updateWithSub msg model =
            )

        LogoutResp _ ->
+            let
+                emptyLoginData =
+                    Page.emptyLoginData
+
+                -- if oidcAutoredirect=true, then on logout either
+                -- goto the configured logout url or set openid=3 so
+                -- that the login page doesn't again redirect to the
+                -- oidc provider which will result in being logged in
+                -- again.
+                redirect =
+                    case Data.Flags.oidcAutoRedirect model.flags of
+                        Just provider ->
+                            case provider.logoutUrl of
+                                Just url ->
+                                    Nav.load url
+
+                                Nothing ->
+                                    Page.goto (LoginPage { emptyLoginData | openid = 3 })
+
+                        Nothing ->
+                            Page.goto (LoginPage emptyLoginData)
+            in
            ( { model | loginModel = Page.Login.Data.emptyModel }
-            , Page.goto (LoginPage Page.emptyLoginData)
+            , redirect
            , Sub.none
            )

@ -677,8 +699,17 @@ initPage model_ page =
                ]
                model

-        LoginPage _ ->
-            noop
+        LoginPage data ->
+            if data.openid == 0 && model.flags.account == Nothing then
+                case Data.Flags.oidcAutoRedirect model.flags of
+                    Just first ->
+                        ( model, Nav.load (Api.openIdAuthLink model.flags first.provider), Sub.none )
+
+                    _ ->
+                        noop
+
+            else
+                noop

        ManageDataPage ->
            noop
--- a/modules/webapp/src/main/elm/Data/Flags.elm
+++ b/modules/webapp/src/main/elm/Data/Flags.elm
@ -12,6 +12,7 @@ module Data.Flags exposing
    , getAccount
    , getToken
    , isAuthenticated
+    , oidcAutoRedirect
    , withAccount
    , withoutAccount
    )
@ -22,6 +23,7 @@ import Api.Model.AuthResult exposing (AuthResult)
 type alias OpenIdAuth =
    { provider : String
    , name : String
+    , logoutUrl : Maybe String
    }


@ -39,6 +41,7 @@ type alias Config =
    , downloadAllMaxSize : Int
    , openIdAuth : List OpenIdAuth
    , addonsEnabled : Bool
+    , oidcAutoRedirect : Bool
    }


@ -50,6 +53,20 @@ type alias Flags =
    }


+oidcAutoRedirect : Flags -> Maybe OpenIdAuth
+oidcAutoRedirect flags =
+    if flags.config.oidcAutoRedirect then
+        case flags.config.openIdAuth of
+            first :: [] ->
+                Just first
+
+            _ ->
+                Nothing
+
+    else
+        Nothing
+
+
 isAuthenticated : Flags -> Bool
 isAuthenticated flags =
    getAccount flags /= Nothing
--- a/modules/webapp/src/main/elm/Messages/Page/Login.elm
+++ b/modules/webapp/src/main/elm/Messages/Page/Login.elm
@ -31,6 +31,7 @@ type alias Texts =
    , signupLink : String
    , otpCode : String
    , or : String
+    , oidcLogoutPending : String
    }


@ -50,6 +51,7 @@ gb =
    , signupLink = "Sign up!"
    , otpCode = "Authentication code"
    , or = "Or"
+    , oidcLogoutPending = "You have been logged out from Docspell, but you may still be logged in at your authentication provider! Make sure to logout there as well, or login again by clicking the link below."
    }


@ -69,9 +71,14 @@ de =
    , signupLink = "Hier registrieren!"
    , otpCode = "Authentifizierungscode"
    , or = "Oder"
+    , oidcLogoutPending = "Du wurdest von Docspell abgemeldet, aber evtl. bist du immernoch bei deinem Authentifizierungs-Provider angemeldet! Melde dich auch dort ab, oder logge dich wieder zu Docspell ein indem du den Link unten klickst."
    }


+
+--- TODO french translation
+
+
 fr : Texts
 fr =
    { httpError = Messages.Comp.HttpError.fr
@ -88,4 +95,5 @@ fr =
    , signupLink = "S'incrire!"
    , otpCode = "Code d'authentification"
    , or = "Ou"
+    , oidcLogoutPending = "You have been logged out from Docspell, but you may still be logged in at your authentication provider! Make sure to logout there as well, or login again by clicking the link below."
    }
--- a/modules/webapp/src/main/elm/Page.elm
+++ b/modules/webapp/src/main/elm/Page.elm
@ -291,13 +291,13 @@ pageToString page =
        LoginPage data ->
            case data.referrer of
                Just (LoginPage _) ->
-                    "/app/login"
+                    "/app/login?openid=" ++ String.fromInt data.openid

                Just p ->
-                    "/app/login?r=" ++ pageToString p
+                    "/app/login?r=" ++ pageToString p ++ "&openid=" ++ String.fromInt data.openid

                Nothing ->
-                    "/app/login"
+                    "/app/login?openid=" ++ String.fromInt data.openid

        ManageDataPage ->
            "/app/managedata"
--- a/modules/webapp/src/main/elm/Page/Login/Data.elm
+++ b/modules/webapp/src/main/elm/Page/Login/Data.elm
@ -36,6 +36,7 @@ type FormState
    | AuthFailed AuthResult
    | HttpError Http.Error
    | FormInitial
+    | OidcLogoutPending


 type AuthStep
--- a/modules/webapp/src/main/elm/Page/Login/Update.elm
+++ b/modules/webapp/src/main/elm/Page/Login/Update.elm
@ -85,13 +85,23 @@ update loginData flags msg model =
                session =
                    Maybe.withDefault "" loginData.session
            in
-            -- A value of 2 indicates that TOTP is required
            if loginData.openid == 2 then
+                -- A value of 2 indicates that TOTP is required
                ( { model | formState = FormInitial, authStep = StepOtp session, password = "" }
                , Cmd.none
                , Nothing
                )

+            else if loginData.openid == 3 then
+                -- A valuo of 3 indicates a logout when a single
+                -- openid provider is configured with
+                -- oidcAutoredirect=true that doesn't have a logout
+                -- url configured
+                ( { model | password = "", formState = OidcLogoutPending }
+                , Ports.removeAccount ()
+                , Just empty
+                )
+
            else
                ( { model | password = "", formState = HttpError err }
                , Ports.removeAccount ()
--- a/modules/webapp/src/main/elm/Page/Login/View2.elm
+++ b/modules/webapp/src/main/elm/Page/Login/View2.elm
@ -95,7 +95,7 @@ openIdLinks texts flags =
            div [ class "mt-3" ]
                [ B.horizontalDivider
                    { label = texts.or
-                    , topCss = "w-2/3 mb-4 hidden md:inline-flex w-full"
+                    , topCss = "w-full mb-4 hidden md:inline-flex w-full"
                    , labelCss = "px-4 bg-gray-200 bg-opacity-50"
                    , lineColor = "bg-gray-300 dark:bg-slate-600"
                    }
@ -267,5 +267,10 @@ resultMessage texts model =
                [ text (texts.httpError err)
                ]

+        OidcLogoutPending ->
+            div [ class ("my-2 max-w-xs " ++ S.warnMessage) ]
+                [ text texts.oidcLogoutPending
+                ]
+
        FormInitial ->
            span [ class "hidden" ] []
--- a/website/site/content/docs/configure/authentication.md
+++ b/website/site/content/docs/configure/authentication.md
@ -62,6 +62,7 @@ provider = {
  token-url = "http://localhost:8080/auth/realms/home/protocol/openid-connect/token",
  #User URL is not used when signature key is set.
  #user-url = "http://localhost:8080/auth/realms/home/protocol/openid-connect/userinfo",
+  #logout-url = "http://localhost:8080/auth/realms/home/protocol/openid-connect/logout?redirect_uri=…"
  sign-key = "b64:MII…ZYL09vAwLn8EAcSkCAwEAAQ==",
  sig-algo = "RS512"
 }
@ -78,6 +79,13 @@ data. If not, then docspell performs another request to the
 `user-url`, which must be the user-info endpoint, to obtain the
 required user data.

+The `logout-url` is optional. If specified the browser will be
+redirected to this url when a user logsout from Docspell. It should
+then logout the user from the authentication provider as well. If not
+given, the user is logged out from Docspell, but may still hold a SSO
+session. In this case a warning is rendered on the login screen.
+*Note that this currently only applies if `oidc-auto-redirect=true`.*
+
 If the data is taken from the token directly and not via a request to
 the user-info endpoint, then the token must be validated using the
 given `sign-key` and `sig-algo`. These two values are then required to
@ -122,3 +130,18 @@ example it would be `lookup:preferred_username`.

 If you find that these methods do not suffice for your case, please
 open an issue.
+
+### Auto-redirect to the OIDC provider
+
+If there is only one single configured openid provider and this
+setting:
+
+```
+oidc-auto-redirect = true
+```
+
+Then the webui will redirect immediately to the login page of the oidc
+provider, skipping the login page for Docspell.
+
+For logging out, you can specify a `logout-url` for the provider which
+is used to redirect the browser after logging out from Docspell.