diff --git a/modules/oidc/src/main/scala/docspell/oidc/ProviderConfig.scala b/modules/oidc/src/main/scala/docspell/oidc/ProviderConfig.scala index 6bc89b09..35115104 100644 --- a/modules/oidc/src/main/scala/docspell/oidc/ProviderConfig.scala +++ b/modules/oidc/src/main/scala/docspell/oidc/ProviderConfig.scala @@ -18,6 +18,7 @@ final case class ProviderConfig( authorizeUrl: LenientUri, tokenUrl: LenientUri, userUrl: Option[LenientUri], + logoutUrl: Option[LenientUri], signKey: ByteVector, sigAlgo: SignatureAlgo ) @@ -33,6 +34,7 @@ object ProviderConfig { LenientUri.unsafe("https://github.com/login/oauth/authorize"), LenientUri.unsafe("https://github.com/login/oauth/access_token"), Some(LenientUri.unsafe("https://api.github.com/user")), + None, ByteVector.empty, SignatureAlgo.RS256 ) diff --git a/modules/restserver/src/main/resources/reference.conf b/modules/restserver/src/main/resources/reference.conf index a6e8375c..25896f48 100644 --- a/modules/restserver/src/main/resources/reference.conf +++ b/modules/restserver/src/main/resources/reference.conf @@ -126,6 +126,10 @@ docspell.server { # response from the authentication provider is validated using this # key. # + # If a `logout-url` is provided, it will be used to finally redirect + # the browser to this url that should logout the user from Docspell + # at the provider. + # # After successful authentication, docspell needs to create the # account. For this a username and collective name is required. The # account name is defined by the `user-key` and `collective-key` @@ -184,6 +188,7 @@ docspell.server { token-url = "http://localhost:8080/auth/realms/home/protocol/openid-connect/token", #User URL is not used when signature key is set. #user-url = "http://localhost:8080/auth/realms/home/protocol/openid-connect/userinfo", + logout-url = "http://localhost:8080/auth/realms/home/protocol/openid-connect/logout" sign-key = "b64:anVzdC1hLXRlc3Q=", sig-algo = "RS512" }, @@ -231,6 +236,11 @@ docspell.server { } ] + # When exactly one OIDC/OAuth provider is configured, then the weapp + # automatically redirects to its authentication page skipping the + # docspell login page. + oidc-auto-redirect = true + # This endpoint allows to upload files to any collective. The # intention is that local software integrates with docspell more # easily. Therefore the endpoint is not protected by the usual diff --git a/modules/restserver/src/main/scala/docspell/restserver/Config.scala b/modules/restserver/src/main/scala/docspell/restserver/Config.scala index 2899357d..799acf9b 100644 --- a/modules/restserver/src/main/scala/docspell/restserver/Config.scala +++ b/modules/restserver/src/main/scala/docspell/restserver/Config.scala @@ -37,11 +37,15 @@ case class Config( fullTextSearch: Config.FullTextSearch, adminEndpoint: Config.AdminEndpoint, openid: List[OpenIdConfig], - downloadAll: DownloadAllCfg + downloadAll: DownloadAllCfg, + oidcAutoRedirect: Boolean ) { def openIdEnabled: Boolean = openid.exists(_.enabled) + def openIdSingleEnabled: Boolean = + openid.count(_.enabled) == 1 + def pubSubConfig(headerValue: Ident): PubSubConfig = PubSubConfig( appId, diff --git a/modules/restserver/src/main/scala/docspell/restserver/webapp/Flags.scala b/modules/restserver/src/main/scala/docspell/restserver/webapp/Flags.scala index 5faf9f76..4f063dc0 100644 --- a/modules/restserver/src/main/scala/docspell/restserver/webapp/Flags.scala +++ b/modules/restserver/src/main/scala/docspell/restserver/webapp/Flags.scala @@ -30,7 +30,8 @@ case class Flags( downloadAllMaxSize: ByteSize, uiVersion: Int, openIdAuth: List[Flags.OpenIdAuth], - addonsEnabled: Boolean + addonsEnabled: Boolean, + oidcAutoRedirect: Boolean ) object Flags { @@ -48,11 +49,18 @@ object Flags { cfg.downloadAll.maxFiles, cfg.downloadAll.maxSize, uiVersion, - cfg.openid.filter(_.enabled).map(c => OpenIdAuth(c.provider.providerId, c.display)), - cfg.backend.addons.enabled + cfg.openid + .filter(_.enabled) + .map(c => OpenIdAuth(c.provider.providerId, c.display, c.provider.logoutUrl)), + cfg.backend.addons.enabled, + cfg.oidcAutoRedirect && cfg.openIdSingleEnabled ) - final case class OpenIdAuth(provider: Ident, name: String) + final case class OpenIdAuth( + provider: Ident, + name: String, + logoutUrl: Option[LenientUri] + ) object OpenIdAuth { implicit val jsonDecoder: Decoder[OpenIdAuth] = diff --git a/modules/webapp/src/main/elm/App/Update.elm b/modules/webapp/src/main/elm/App/Update.elm index 9ca103ed..fc68b26f 100644 --- a/modules/webapp/src/main/elm/App/Update.elm +++ b/modules/webapp/src/main/elm/App/Update.elm @@ -183,8 +183,30 @@ updateWithSub msg model = ) LogoutResp _ -> + let + emptyLoginData = + Page.emptyLoginData + + -- if oidcAutoredirect=true, then on logout either + -- goto the configured logout url or set openid=3 so + -- that the login page doesn't again redirect to the + -- oidc provider which will result in being logged in + -- again. + redirect = + case Data.Flags.oidcAutoRedirect model.flags of + Just provider -> + case provider.logoutUrl of + Just url -> + Nav.load url + + Nothing -> + Page.goto (LoginPage { emptyLoginData | openid = 3 }) + + Nothing -> + Page.goto (LoginPage emptyLoginData) + in ( { model | loginModel = Page.Login.Data.emptyModel } - , Page.goto (LoginPage Page.emptyLoginData) + , redirect , Sub.none ) @@ -677,8 +699,17 @@ initPage model_ page = ] model - LoginPage _ -> - noop + LoginPage data -> + if data.openid == 0 && model.flags.account == Nothing then + case Data.Flags.oidcAutoRedirect model.flags of + Just first -> + ( model, Nav.load (Api.openIdAuthLink model.flags first.provider), Sub.none ) + + _ -> + noop + + else + noop ManageDataPage -> noop diff --git a/modules/webapp/src/main/elm/Data/Flags.elm b/modules/webapp/src/main/elm/Data/Flags.elm index 614b452a..9a8e116c 100644 --- a/modules/webapp/src/main/elm/Data/Flags.elm +++ b/modules/webapp/src/main/elm/Data/Flags.elm @@ -12,6 +12,7 @@ module Data.Flags exposing , getAccount , getToken , isAuthenticated + , oidcAutoRedirect , withAccount , withoutAccount ) @@ -22,6 +23,7 @@ import Api.Model.AuthResult exposing (AuthResult) type alias OpenIdAuth = { provider : String , name : String + , logoutUrl : Maybe String } @@ -39,6 +41,7 @@ type alias Config = , downloadAllMaxSize : Int , openIdAuth : List OpenIdAuth , addonsEnabled : Bool + , oidcAutoRedirect : Bool } @@ -50,6 +53,20 @@ type alias Flags = } +oidcAutoRedirect : Flags -> Maybe OpenIdAuth +oidcAutoRedirect flags = + if flags.config.oidcAutoRedirect then + case flags.config.openIdAuth of + first :: [] -> + Just first + + _ -> + Nothing + + else + Nothing + + isAuthenticated : Flags -> Bool isAuthenticated flags = getAccount flags /= Nothing diff --git a/modules/webapp/src/main/elm/Messages/Page/Login.elm b/modules/webapp/src/main/elm/Messages/Page/Login.elm index 54d6948b..4e5579d6 100644 --- a/modules/webapp/src/main/elm/Messages/Page/Login.elm +++ b/modules/webapp/src/main/elm/Messages/Page/Login.elm @@ -31,6 +31,7 @@ type alias Texts = , signupLink : String , otpCode : String , or : String + , oidcLogoutPending : String } @@ -50,6 +51,7 @@ gb = , signupLink = "Sign up!" , otpCode = "Authentication code" , or = "Or" + , oidcLogoutPending = "You have been logged out from Docspell, but you may still be logged in at your authentication provider! Make sure to logout there as well, or login again by clicking the link below." } @@ -69,9 +71,14 @@ de = , signupLink = "Hier registrieren!" , otpCode = "Authentifizierungscode" , or = "Oder" + , oidcLogoutPending = "Du wurdest von Docspell abgemeldet, aber evtl. bist du immernoch bei deinem Authentifizierungs-Provider angemeldet! Melde dich auch dort ab, oder logge dich wieder zu Docspell ein indem du den Link unten klickst." } + +--- TODO french translation + + fr : Texts fr = { httpError = Messages.Comp.HttpError.fr @@ -88,4 +95,5 @@ fr = , signupLink = "S'incrire!" , otpCode = "Code d'authentification" , or = "Ou" + , oidcLogoutPending = "You have been logged out from Docspell, but you may still be logged in at your authentication provider! Make sure to logout there as well, or login again by clicking the link below." } diff --git a/modules/webapp/src/main/elm/Page.elm b/modules/webapp/src/main/elm/Page.elm index 69adaa4a..6f51ac08 100644 --- a/modules/webapp/src/main/elm/Page.elm +++ b/modules/webapp/src/main/elm/Page.elm @@ -291,13 +291,13 @@ pageToString page = LoginPage data -> case data.referrer of Just (LoginPage _) -> - "/app/login" + "/app/login?openid=" ++ String.fromInt data.openid Just p -> - "/app/login?r=" ++ pageToString p + "/app/login?r=" ++ pageToString p ++ "&openid=" ++ String.fromInt data.openid Nothing -> - "/app/login" + "/app/login?openid=" ++ String.fromInt data.openid ManageDataPage -> "/app/managedata" diff --git a/modules/webapp/src/main/elm/Page/Login/Data.elm b/modules/webapp/src/main/elm/Page/Login/Data.elm index 9e76d983..fa092a4f 100644 --- a/modules/webapp/src/main/elm/Page/Login/Data.elm +++ b/modules/webapp/src/main/elm/Page/Login/Data.elm @@ -36,6 +36,7 @@ type FormState | AuthFailed AuthResult | HttpError Http.Error | FormInitial + | OidcLogoutPending type AuthStep diff --git a/modules/webapp/src/main/elm/Page/Login/Update.elm b/modules/webapp/src/main/elm/Page/Login/Update.elm index 6e2d013c..55b54438 100644 --- a/modules/webapp/src/main/elm/Page/Login/Update.elm +++ b/modules/webapp/src/main/elm/Page/Login/Update.elm @@ -85,13 +85,23 @@ update loginData flags msg model = session = Maybe.withDefault "" loginData.session in - -- A value of 2 indicates that TOTP is required if loginData.openid == 2 then + -- A value of 2 indicates that TOTP is required ( { model | formState = FormInitial, authStep = StepOtp session, password = "" } , Cmd.none , Nothing ) + else if loginData.openid == 3 then + -- A valuo of 3 indicates a logout when a single + -- openid provider is configured with + -- oidcAutoredirect=true that doesn't have a logout + -- url configured + ( { model | password = "", formState = OidcLogoutPending } + , Ports.removeAccount () + , Just empty + ) + else ( { model | password = "", formState = HttpError err } , Ports.removeAccount () diff --git a/modules/webapp/src/main/elm/Page/Login/View2.elm b/modules/webapp/src/main/elm/Page/Login/View2.elm index 51f1143f..4cbb3161 100644 --- a/modules/webapp/src/main/elm/Page/Login/View2.elm +++ b/modules/webapp/src/main/elm/Page/Login/View2.elm @@ -95,7 +95,7 @@ openIdLinks texts flags = div [ class "mt-3" ] [ B.horizontalDivider { label = texts.or - , topCss = "w-2/3 mb-4 hidden md:inline-flex w-full" + , topCss = "w-full mb-4 hidden md:inline-flex w-full" , labelCss = "px-4 bg-gray-200 bg-opacity-50" , lineColor = "bg-gray-300 dark:bg-slate-600" } @@ -267,5 +267,10 @@ resultMessage texts model = [ text (texts.httpError err) ] + OidcLogoutPending -> + div [ class ("my-2 max-w-xs " ++ S.warnMessage) ] + [ text texts.oidcLogoutPending + ] + FormInitial -> span [ class "hidden" ] [] diff --git a/website/site/content/docs/configure/authentication.md b/website/site/content/docs/configure/authentication.md index 5ebcaa05..0c579377 100644 --- a/website/site/content/docs/configure/authentication.md +++ b/website/site/content/docs/configure/authentication.md @@ -62,6 +62,7 @@ provider = { token-url = "http://localhost:8080/auth/realms/home/protocol/openid-connect/token", #User URL is not used when signature key is set. #user-url = "http://localhost:8080/auth/realms/home/protocol/openid-connect/userinfo", + #logout-url = "http://localhost:8080/auth/realms/home/protocol/openid-connect/logout?redirect_uri=…" sign-key = "b64:MII…ZYL09vAwLn8EAcSkCAwEAAQ==", sig-algo = "RS512" } @@ -78,6 +79,13 @@ data. If not, then docspell performs another request to the `user-url`, which must be the user-info endpoint, to obtain the required user data. +The `logout-url` is optional. If specified the browser will be +redirected to this url when a user logsout from Docspell. It should +then logout the user from the authentication provider as well. If not +given, the user is logged out from Docspell, but may still hold a SSO +session. In this case a warning is rendered on the login screen. +*Note that this currently only applies if `oidc-auto-redirect=true`.* + If the data is taken from the token directly and not via a request to the user-info endpoint, then the token must be validated using the given `sign-key` and `sig-algo`. These two values are then required to @@ -122,3 +130,18 @@ example it would be `lookup:preferred_username`. If you find that these methods do not suffice for your case, please open an issue. + +### Auto-redirect to the OIDC provider + +If there is only one single configured openid provider and this +setting: + +``` +oidc-auto-redirect = true +``` + +Then the webui will redirect immediately to the login page of the oidc +provider, skipping the login page for Docspell. + +For logging out, you can specify a `logout-url` for the provider which +is used to redirect the browser after logging out from Docspell.