mirror of
https://github.com/calibrain/shelfmark.git
synced 2026-04-19 21:39:17 -04:00
014fc38b48
- Added two env vars for OIDC login: - HIDE_LOCAL_AUTH - Remove the "password" option on login page when OIDC enabled - OIDC_AUTO_REDIRECT - Immediately launch OIDC provider page - Improved UX for initial OIDC setup, including creating a local admin user - Added callback URL label to OIDC setup page - Fix Qbittorrent save path bug
2.3 KiB
2.3 KiB
OpenID Connect (OIDC) Authentication
Callback URL
https://<your-shelfmark-domain>/api/auth/oidc/callback
With a subpath (URL_BASE=/shelfmark/):
https://<your-shelfmark-domain>/shelfmark/api/auth/oidc/callback
The callback URL is constructed from the incoming request, so your reverse proxy must forward X-Forwarded-Proto and X-Forwarded-Host correctly. PKCE (S256) is used automatically.
Settings
Configure in Settings → Security → Authentication Method → OIDC.
| Setting | Description | Default |
|---|---|---|
| Discovery URL | /.well-known/openid-configuration endpoint |
— |
| Client ID | OAuth2 client ID | — |
| Client Secret | OAuth2 client secret | — |
| Scopes | Scopes to request. The group claim is added automatically when admin group authorization is enabled | openid email profile |
| Group Claim Name | Claim containing user groups | groups |
| Admin Group Name | Group granted admin access. Leave empty for database-only roles | — |
| Use Admin Group for Authorization | Toggle group-based admin detection | true |
| Auto-Provision Users | Create accounts on first login | true |
| Login Button Label | Custom text for the sign-in button | — |
Use Test Connection to verify discovery and client configuration before attempting login.
Environment Variables
These optional environment variables control login page behavior when OIDC is enabled.
| Variable | Description | Default |
|---|---|---|
HIDE_LOCAL_AUTH |
Hide the username/password login option, so only the OIDC button is shown | false |
OIDC_AUTO_REDIRECT |
Automatically redirect to the OIDC provider instead of showing the login page | false |
If both are enabled, users are redirected straight to the OIDC provider. On failure they return to the login page with an error message but no password fallback.
Troubleshooting
- Issuer validation failed — The issuer in the token doesn't match the discovery document. Check your provider's external URL / issuer configuration.
- Callback URL mismatch — Reverse proxy isn't forwarding
X-Forwarded-ProtoorX-Forwarded-Host, so the constructed callback URL doesn't match what's registered in the provider. - Account not found — Auto-provision is disabled and the user hasn't been pre-created by an admin.