mirror/shelfmark
1
0
Fork 0
mirror of https://github.com/calibrain/shelfmark.git synced 2026-06-11 23:04:41 -04:00
Code Issues Packages Projects Releases Wiki Activity
Files
v1.3.0
shelfmark/docs/oidc.md
Alex 9b8402c9a7 Add DISABLE_LOCAL_AUTH env variable (#962) 
Adds a new env var to disable local auth entirely when using OIDC
authentication

Fixes #922 #834
2026-05-08 22:11:14 +01:00

2.6 KiB
Raw Permalink Blame History

OpenID Connect (OIDC) Authentication

Callback URL

https://<your-shelfmark-domain>/api/auth/oidc/callback

With a subpath (URL_BASE=/shelfmark/):

https://<your-shelfmark-domain>/shelfmark/api/auth/oidc/callback

The callback URL is constructed from the incoming request, so your reverse proxy must forward X-Forwarded-Proto and X-Forwarded-Host correctly. PKCE (S256) is used automatically.

Settings

Configure in Settings → Security → Authentication Method → OIDC.

Setting Description Default
Discovery URL /.well-known/openid-configuration endpoint
Client ID OAuth2 client ID
Client Secret OAuth2 client secret
Scopes Scopes to request. The group claim is added automatically when admin group authorization is enabled openid email profile
Group Claim Name Claim containing user groups groups
Admin Group Name Group granted admin access. Leave empty for database-only roles
Use Admin Group for Authorization Toggle group-based admin detection true
Auto-Provision Users Create accounts on first login true
Login Button Label Custom text for the sign-in button

Use Test Connection to verify discovery and client configuration before attempting login.

Environment Variables

These optional environment variables control login page behavior when OIDC is enabled.

Variable Description Default
HIDE_LOCAL_AUTH Hide the username/password login option, so only the OIDC button is shown false
DISABLE_LOCAL_AUTH Disable username/password login and remove the local-admin prerequisite for OIDC. Implies HIDE_LOCAL_AUTH; with AUTH_METHOD=builtin, everyone is locked out until auth env vars are changed. false
OIDC_AUTO_REDIRECT Automatically redirect to the OIDC provider instead of showing the login page false

If DISABLE_LOCAL_AUTH and OIDC_AUTO_REDIRECT are both enabled, users are redirected straight to the OIDC provider. On failure they return to the login page with an error message but no password fallback.

Troubleshooting

  • Issuer validation failed — The issuer in the token doesn't match the discovery document. Check your provider's external URL / issuer configuration.
  • Callback URL mismatch — Reverse proxy isn't forwarding X-Forwarded-Proto or X-Forwarded-Host, so the constructed callback URL doesn't match what's registered in the provider.
  • Account not found — Auto-provision is disabled and the user hasn't been pre-created by an admin.
Reference in New Issue View Git Blame Copy Permalink