Allow to skip login page if a single oidc provider is configured

2025-06-22 02:18:26 +00:00 · 2022-07-08 17:09:56 +02:00
parent 275901267d
commit 3fc72cedac
12 changed files with 132 additions and 13 deletions
--- a/modules/restserver/src/main/resources/reference.conf
+++ b/modules/restserver/src/main/resources/reference.conf
@ -126,6 +126,10 @@ docspell.server {
  # response from the authentication provider is validated using this
  # key.
  #
+  # If a `logout-url` is provided, it will be used to finally redirect
+  # the browser to this url that should logout the user from Docspell
+  # at the provider.
+  #
  # After successful authentication, docspell needs to create the
  # account. For this a username and collective name is required. The
  # account name is defined by the `user-key` and `collective-key`
@ -184,6 +188,7 @@ docspell.server {
          token-url = "http://localhost:8080/auth/realms/home/protocol/openid-connect/token",
          #User URL is not used when signature key is set.
          #user-url = "http://localhost:8080/auth/realms/home/protocol/openid-connect/userinfo",
+          logout-url = "http://localhost:8080/auth/realms/home/protocol/openid-connect/logout"
          sign-key = "b64:anVzdC1hLXRlc3Q=",
          sig-algo = "RS512"
        },
@ -231,6 +236,11 @@ docspell.server {
      }
    ]

+  # When exactly one OIDC/OAuth provider is configured, then the weapp
+  # automatically redirects to its authentication page skipping the
+  # docspell login page.
+  oidc-auto-redirect = true
+
  # This endpoint allows to upload files to any collective. The
  # intention is that local software integrates with docspell more
  # easily. Therefore the endpoint is not protected by the usual
--- a/modules/restserver/src/main/scala/docspell/restserver/Config.scala
+++ b/modules/restserver/src/main/scala/docspell/restserver/Config.scala
@ -37,11 +37,15 @@ case class Config(
    fullTextSearch: Config.FullTextSearch,
    adminEndpoint: Config.AdminEndpoint,
    openid: List[OpenIdConfig],
-    downloadAll: DownloadAllCfg
+    downloadAll: DownloadAllCfg,
+    oidcAutoRedirect: Boolean
 ) {
  def openIdEnabled: Boolean =
    openid.exists(_.enabled)

+  def openIdSingleEnabled: Boolean =
+    openid.count(_.enabled) == 1
+
  def pubSubConfig(headerValue: Ident): PubSubConfig =
    PubSubConfig(
      appId,
--- a/modules/restserver/src/main/scala/docspell/restserver/webapp/Flags.scala
+++ b/modules/restserver/src/main/scala/docspell/restserver/webapp/Flags.scala
@ -30,7 +30,8 @@ case class Flags(
    downloadAllMaxSize: ByteSize,
    uiVersion: Int,
    openIdAuth: List[Flags.OpenIdAuth],
-    addonsEnabled: Boolean
+    addonsEnabled: Boolean,
+    oidcAutoRedirect: Boolean
 )

 object Flags {
@ -48,11 +49,18 @@ object Flags {
      cfg.downloadAll.maxFiles,
      cfg.downloadAll.maxSize,
      uiVersion,
-      cfg.openid.filter(_.enabled).map(c => OpenIdAuth(c.provider.providerId, c.display)),
-      cfg.backend.addons.enabled
+      cfg.openid
+        .filter(_.enabled)
+        .map(c => OpenIdAuth(c.provider.providerId, c.display, c.provider.logoutUrl)),
+      cfg.backend.addons.enabled,
+      cfg.oidcAutoRedirect && cfg.openIdSingleEnabled
    )

-  final case class OpenIdAuth(provider: Ident, name: String)
+  final case class OpenIdAuth(
+      provider: Ident,
+      name: String,
+      logoutUrl: Option[LenientUri]
+  )

  object OpenIdAuth {
    implicit val jsonDecoder: Decoder[OpenIdAuth] =