sjs/immich
1
0
Fork 0
mirror of https://github.com/samsonjs/immich.git synced 2026-04-27 15:07:45 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

feat(server)!: oauth encryption algorithm setting (#6818)

Browse source 
* feat: add oauth signing algorithm setting

* chore: open api

* chore: change default to RS256

* feat: test and clean up

---------

Co-authored-by: Jason Rasmussen <jrasm91@gmail.com>
This commit is contained in:
Daniel Dietzler 2024-02-02 06:27:54 +01:00 committed by GitHub
parent 8a643e5e48
commit d3404f927c
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
15 changed files with 174 additions and 126 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
docs/docs/administration/oauth.md
View file

@ -66,8 +66,10 @@ Once you have a new OAuth client application configured, Immich can be configure
| Client ID | string | (required) | Required. Client ID (from previous step) | | Client ID | string | (required) | Required. Client ID (from previous step) |
| Client Secret | string | (required) | Required. Client Secret (previous step) | | Client Secret | string | (required) | Required. Client Secret (previous step) |
| Scope | string | openid email profile | Full list of scopes to send with the request (space delimited) | | Scope | string | openid email profile | Full list of scopes to send with the request (space delimited) |
| Signing Algorithm | string | RS256 | The algorithm used to sign the id token (examples: RS256, HS256) |
| Button Text | string | Login with OAuth | Text for the OAuth button on the web | | Button Text | string | Login with OAuth | Text for the OAuth button on the web |
| Auto Register | boolean | true | When true, will automatically register a user the first time they sign in | | Auto Register | boolean | true | When true, will automatically register a user the first time they sign in |
| Storage Claim | string | preferred_username | Claim mapping for the user's storage label |
| [Auto Launch](#auto-launch) | boolean | false | When true, will skip the login page and automatically start the OAuth login process | | [Auto Launch](#auto-launch) | boolean | false | When true, will skip the login page and automatically start the OAuth login process |
| [Mobile Redirect URI Override](#mobile-redirect-uri) | URL | (empty) | Http(s) alternative mobile redirect URI | | [Mobile Redirect URI Override](#mobile-redirect-uri) | URL | (empty) | Http(s) alternative mobile redirect URI |

BIN
mobile/openapi/doc/SystemConfigOAuthDto.md generated
View file

Binary file not shown.

BIN
mobile/openapi/lib/model/system_config_o_auth_dto.dart generated
View file

Binary file not shown.

BIN
mobile/openapi/test/system_config_o_auth_dto_test.dart generated
View file

Binary file not shown.

4
open-api/immich-openapi-specs.json
View file

@ -9679,6 +9679,9 @@
"scope": { "scope": {
"type": "string" "type": "string"
}, },
"signingAlgorithm": {
"type": "string"
},
"storageLabelClaim": { "storageLabelClaim": {
"type": "string" "type": "string"
} }
@ -9694,6 +9697,7 @@
"mobileOverrideEnabled", "mobileOverrideEnabled",
"mobileRedirectUri", "mobileRedirectUri",
"scope", "scope",
"signingAlgorithm",
"storageLabelClaim" "storageLabelClaim"
], ],
"type": "object" "type": "object"

6
open-api/typescript-sdk/client/api.ts generated
View file

@ -4073,6 +4073,12 @@ export interface SystemConfigOAuthDto {
* @memberof SystemConfigOAuthDto * @memberof SystemConfigOAuthDto
*/ */
'scope': string; 'scope': string;
/**
*
* @type {string}
* @memberof SystemConfigOAuthDto
*/
'signingAlgorithm': string;
/** /**
* *
* @type {string} * @type {string}

2
server/src/domain/auth/auth.service.spec.ts
View file

@ -73,7 +73,7 @@ describe('AuthService', () => {
jest.spyOn(generators, 'state').mockReturnValue('state'); jest.spyOn(generators, 'state').mockReturnValue('state');
jest.spyOn(Issuer, 'discover').mockResolvedValue({ jest.spyOn(Issuer, 'discover').mockResolvedValue({
id_token_signing_alg_values_supported: ['HS256'], id_token_signing_alg_values_supported: ['RS256'],
Client: jest.fn().mockResolvedValue({ Client: jest.fn().mockResolvedValue({
issuer: { issuer: {
metadata: { metadata: {

20
server/src/domain/auth/auth.service.ts
View file

@ -318,12 +318,25 @@ export class AuthService {
const redirectUri = this.normalize(config, url.split('?')[0]); const redirectUri = this.normalize(config, url.split('?')[0]);
const client = await this.getOAuthClient(config); const client = await this.getOAuthClient(config);
const params = client.callbackParams(url); const params = client.callbackParams(url);
try {
const tokens = await client.callback(redirectUri, params, { state: params.state }); const tokens = await client.callback(redirectUri, params, { state: params.state });
return client.userinfo<OAuthProfile>(tokens.access_token || ''); return client.userinfo<OAuthProfile>(tokens.access_token || '');
} catch (error: Error | any) {
if (error.message.includes('unexpected JWT alg received')) {
this.logger.warn(
[
'Algorithm mismatch. Make sure the signing algorithm is set correctly in the OAuth settings.',
'Or, that you have specified a signing key in your OAuth provider.',
].join(' '),
);
}
throw error;
}
} }
private async getOAuthClient(config: SystemConfig) { private async getOAuthClient(config: SystemConfig) {
const { enabled, clientId, clientSecret, issuerUrl } = config.oauth; const { enabled, clientId, clientSecret, issuerUrl, signingAlgorithm } = config.oauth;
if (!enabled) { if (!enabled) {
throw new BadRequestException('OAuth2 is not enabled'); throw new BadRequestException('OAuth2 is not enabled');
@ -337,10 +350,7 @@ export class AuthService {
try { try {
const issuer = await Issuer.discover(issuerUrl); const issuer = await Issuer.discover(issuerUrl);
const algorithms = (issuer.id_token_signing_alg_values_supported || []) as string[]; metadata.id_token_signed_response_alg = signingAlgorithm;
if (algorithms[0] === 'HS256') {
metadata.id_token_signed_response_alg = algorithms[0];
}
return new issuer.Client(metadata); return new issuer.Client(metadata);
} catch (error: any | AggregateError) { } catch (error: any | AggregateError) {

36
server/src/domain/system-config/dto/system-config-oauth.dto.ts
View file

@ -5,12 +5,13 @@ const isOverrideEnabled = (config: SystemConfigOAuthDto) => config.mobileOverrid
export class SystemConfigOAuthDto { export class SystemConfigOAuthDto {
@IsBoolean() @IsBoolean()
enabled!: boolean; autoLaunch!: boolean;
@IsBoolean()
autoRegister!: boolean;
@ValidateIf(isEnabled)
@IsNotEmpty()
@IsString() @IsString()
issuerUrl!: string; buttonText!: string;
@ValidateIf(isEnabled) @ValidateIf(isEnabled)
@IsNotEmpty() @IsNotEmpty()
@ -22,20 +23,13 @@ export class SystemConfigOAuthDto {
@IsString() @IsString()
clientSecret!: string; clientSecret!: string;
@IsString()
scope!: string;
@IsString()
storageLabelClaim!: string;
@IsString()
buttonText!: string;
@IsBoolean() @IsBoolean()
autoRegister!: boolean; enabled!: boolean;
@IsBoolean() @ValidateIf(isEnabled)
autoLaunch!: boolean; @IsNotEmpty()
@IsString()
issuerUrl!: string;
@IsBoolean() @IsBoolean()
mobileOverrideEnabled!: boolean; mobileOverrideEnabled!: boolean;
@ -43,4 +37,14 @@ export class SystemConfigOAuthDto {
@ValidateIf(isOverrideEnabled) @ValidateIf(isOverrideEnabled)
@IsUrl() @IsUrl()
mobileRedirectUri!: string; mobileRedirectUri!: string;
@IsString()
scope!: string;
@IsString()
@IsNotEmpty()
signingAlgorithm!: string;
@IsString()
storageLabelClaim!: string;
} }

11
server/src/domain/system-config/system-config.core.ts
View file

@ -88,17 +88,18 @@ export const defaults = Object.freeze<SystemConfig>({
enabled: true, enabled: true,
}, },
oauth: { oauth: {
enabled: false, autoLaunch: false,
issuerUrl: '', autoRegister: true,
buttonText: 'Login with OAuth',
clientId: '', clientId: '',
clientSecret: '', clientSecret: '',
enabled: false,
issuerUrl: '',
mobileOverrideEnabled: false, mobileOverrideEnabled: false,
mobileRedirectUri: '', mobileRedirectUri: '',
scope: 'openid email profile', scope: 'openid email profile',
signingAlgorithm: 'RS256',
storageLabelClaim: 'preferred_username', storageLabelClaim: 'preferred_username',
buttonText: 'Login with OAuth',
autoRegister: true,
autoLaunch: false,
}, },
passwordLogin: { passwordLogin: {
enabled: true, enabled: true,

1
server/src/domain/system-config/system-config.service.spec.ts
View file

@ -98,6 +98,7 @@ const updatedConfig = Object.freeze<SystemConfig>({
mobileOverrideEnabled: false, mobileOverrideEnabled: false,
mobileRedirectUri: '', mobileRedirectUri: '',
scope: 'openid email profile', scope: 'openid email profile',
signingAlgorithm: 'RS256',
storageLabelClaim: 'preferred_username', storageLabelClaim: 'preferred_username',
}, },
passwordLogin: { passwordLogin: {

30
server/src/infra/entities/system-config.entity.ts
View file

@ -77,17 +77,18 @@ export enum SystemConfigKey {
NEW_VERSION_CHECK_ENABLED = 'newVersionCheck.enabled', NEW_VERSION_CHECK_ENABLED = 'newVersionCheck.enabled',
OAUTH_ENABLED = 'oauth.enabled', OAUTH_AUTO_LAUNCH = 'oauth.autoLaunch',
OAUTH_ISSUER_URL = 'oauth.issuerUrl', OAUTH_AUTO_REGISTER = 'oauth.autoRegister',
OAUTH_BUTTON_TEXT = 'oauth.buttonText',
OAUTH_CLIENT_ID = 'oauth.clientId', OAUTH_CLIENT_ID = 'oauth.clientId',
OAUTH_CLIENT_SECRET = 'oauth.clientSecret', OAUTH_CLIENT_SECRET = 'oauth.clientSecret',
OAUTH_SCOPE = 'oauth.scope', OAUTH_ENABLED = 'oauth.enabled',
OAUTH_STORAGE_LABEL_CLAIM = 'oauth.storageLabelClaim', OAUTH_ISSUER_URL = 'oauth.issuerUrl',
OAUTH_AUTO_LAUNCH = 'oauth.autoLaunch',
OAUTH_BUTTON_TEXT = 'oauth.buttonText',
OAUTH_AUTO_REGISTER = 'oauth.autoRegister',
OAUTH_MOBILE_OVERRIDE_ENABLED = 'oauth.mobileOverrideEnabled', OAUTH_MOBILE_OVERRIDE_ENABLED = 'oauth.mobileOverrideEnabled',
OAUTH_MOBILE_REDIRECT_URI = 'oauth.mobileRedirectUri', OAUTH_MOBILE_REDIRECT_URI = 'oauth.mobileRedirectUri',
OAUTH_SCOPE = 'oauth.scope',
OAUTH_SIGNING_ALGORITHM = 'oauth.signingAlgorithm',
OAUTH_STORAGE_LABEL_CLAIM = 'oauth.storageLabelClaim',
PASSWORD_LOGIN_ENABLED = 'passwordLogin.enabled', PASSWORD_LOGIN_ENABLED = 'passwordLogin.enabled',
@ -216,17 +217,18 @@ export interface SystemConfig {
enabled: boolean; enabled: boolean;
}; };
oauth: { oauth: {
enabled: boolean; autoLaunch: boolean;
issuerUrl: string; autoRegister: boolean;
buttonText: string;
clientId: string; clientId: string;
clientSecret: string; clientSecret: string;
scope: string; enabled: boolean;
storageLabelClaim: string; issuerUrl: string;
buttonText: string;
autoRegister: boolean;
autoLaunch: boolean;
mobileOverrideEnabled: boolean; mobileOverrideEnabled: boolean;
mobileRedirectUri: string; mobileRedirectUri: string;
scope: string;
signingAlgorithm: string;
storageLabelClaim: string;
}; };
passwordLogin: { passwordLogin: {
enabled: boolean; enabled: boolean;

2
web/src/api/utils.ts
View file

@ -45,8 +45,10 @@ export const oauth = {
const redirectUri = location.href.split('?')[0]; const redirectUri = location.href.split('?')[0];
const { data } = await api.oauthApi.startOAuth({ oAuthConfigDto: { redirectUri } }); const { data } = await api.oauthApi.startOAuth({ oAuthConfigDto: { redirectUri } });
window.location.href = data.url; window.location.href = data.url;
return true;
} catch (error) { } catch (error) {
handleError(error, 'Unable to login with OAuth'); handleError(error, 'Unable to login with OAuth');
return false;
} }
}, },
login: (location: Location) => { login: (location: Location) => {

16
web/src/lib/components/admin-page/settings/oauth/oauth-settings.svelte
View file

@ -69,7 +69,9 @@
>. >.
</p> </p>
<SettingSwitch {disabled} title="ENABLE" bind:checked={config.oauth.enabled} /> <SettingSwitch {disabled} title="ENABLE" subtitle="Login with OAuth" bind:checked={config.oauth.enabled} />
{#if config.oauth.enabled}
<hr /> <hr />
<SettingInputField <SettingInputField
inputType={SettingInputFieldType.TEXT} inputType={SettingInputFieldType.TEXT}
@ -107,13 +109,22 @@
isEdited={!(config.oauth.scope == savedConfig.oauth.scope)} isEdited={!(config.oauth.scope == savedConfig.oauth.scope)}
/> />
<SettingInputField
inputType={SettingInputFieldType.TEXT}
label="SIGNING ALGORITHM"
bind:value={config.oauth.signingAlgorithm}
required={true}
disabled={disabled || !config.oauth.enabled}
isEdited={!(config.oauth.signingAlgorithm == savedConfig.oauth.signingAlgorithm)}
/>
<SettingInputField <SettingInputField
inputType={SettingInputFieldType.TEXT} inputType={SettingInputFieldType.TEXT}
label="STORAGE LABEL CLAIM" label="STORAGE LABEL CLAIM"
desc="Automatically set the user's storage label to the value of this claim." desc="Automatically set the user's storage label to the value of this claim."
bind:value={config.oauth.storageLabelClaim} bind:value={config.oauth.storageLabelClaim}
required={true} required={true}
disabled={disabled || !config.oauth.storageLabelClaim} disabled={disabled || !config.oauth.enabled}
isEdited={!(config.oauth.storageLabelClaim == savedConfig.oauth.storageLabelClaim)} isEdited={!(config.oauth.storageLabelClaim == savedConfig.oauth.storageLabelClaim)}
/> />
@ -158,6 +169,7 @@
isEdited={!(config.oauth.mobileRedirectUri == savedConfig.oauth.mobileRedirectUri)} isEdited={!(config.oauth.mobileRedirectUri == savedConfig.oauth.mobileRedirectUri)}
/> />
{/if} {/if}
{/if}
<SettingButtonsRow <SettingButtonsRow
on:reset={({ detail }) => dispatch('reset', { ...detail, configKeys: ['oauth'] })} on:reset={({ detail }) => dispatch('reset', { ...detail, configKeys: ['oauth'] })}

6
web/src/lib/components/forms/login-form.svelte
View file

@ -89,7 +89,11 @@
const handleOAuthLogin = async () => { const handleOAuthLogin = async () => {
oauthLoading = true; oauthLoading = true;
oauthError = ''; oauthError = '';
await oauth.authorize(window.location); const success = await oauth.authorize(window.location);
if (!success) {
oauthLoading = false;
oauthError = 'Unable to login with OAuth';
}
}; };
</script> </script>