mirror of
https://github.com/samsonjs/immich.git
synced 2026-03-25 09:15:56 +00:00
feat: configure token endpoint auth method (#17968)
This commit is contained in:
Jason Rasmussen
GitHub
parent
3ce353393a
commit
d89e88bb3f
18 changed files with 137 additions and 41 deletions
10
i18n/en.json
10
i18n/en.json
|
|
@ -192,26 +192,22 @@
|
|||
"oauth_auto_register": "Auto register",
|
||||
"oauth_auto_register_description": "Automatically register new users after signing in with OAuth",
|
||||
"oauth_button_text": "Button text",
|
||||
"oauth_client_id": "Client ID",
|
||||
"oauth_client_secret": "Client Secret",
|
||||
"oauth_client_secret_description": "Required if PKCE (Proof Key for Code Exchange) is not supported by the OAuth provider",
|
||||
"oauth_enable_description": "Login with OAuth",
|
||||
"oauth_issuer_url": "Issuer URL",
|
||||
"oauth_mobile_redirect_uri": "Mobile redirect URI",
|
||||
"oauth_mobile_redirect_uri_override": "Mobile redirect URI override",
|
||||
"oauth_mobile_redirect_uri_override_description": "Enable when OAuth provider does not allow a mobile URI, like '{callback}'",
|
||||
"oauth_profile_signing_algorithm": "Profile signing algorithm",
|
||||
"oauth_profile_signing_algorithm_description": "Algorithm used to sign the user profile.",
|
||||
"oauth_scope": "Scope",
|
||||
"oauth_settings": "OAuth",
|
||||
"oauth_settings_description": "Manage OAuth login settings",
|
||||
"oauth_settings_more_details": "For more details about this feature, refer to the <link>docs</link>.",
|
||||
"oauth_signing_algorithm": "Signing algorithm",
|
||||
"oauth_storage_label_claim": "Storage label claim",
|
||||
"oauth_storage_label_claim_description": "Automatically set the user's storage label to the value of this claim.",
|
||||
"oauth_storage_quota_claim": "Storage quota claim",
|
||||
"oauth_storage_quota_claim_description": "Automatically set the user's storage quota to the value of this claim.",
|
||||
"oauth_storage_quota_default": "Default storage quota (GiB)",
|
||||
"oauth_storage_quota_default_description": "Quota in GiB to be used when no claim is provided (Enter 0 for unlimited quota).",
|
||||
"oauth_timeout": "Request Timeout",
|
||||
"oauth_timeout_description": "Timeout for requests in milliseconds",
|
||||
"offline_paths": "Offline Paths",
|
||||
"offline_paths_description": "These results may be due to manual deletion of files that are not part of an external library.",
|
||||
"password_enable_description": "Login with email and password",
|
||||
|
|
|
|||
BIN
mobile/openapi/README.md
generated
BIN
mobile/openapi/README.md
generated
Binary file not shown.
BIN
mobile/openapi/lib/api.dart
generated
BIN
mobile/openapi/lib/api.dart
generated
Binary file not shown.
BIN
mobile/openapi/lib/api_client.dart
generated
BIN
mobile/openapi/lib/api_client.dart
generated
Binary file not shown.
BIN
mobile/openapi/lib/api_helper.dart
generated
BIN
mobile/openapi/lib/api_helper.dart
generated
Binary file not shown.
BIN
mobile/openapi/lib/model/o_auth_token_endpoint_auth_method.dart
generated
Normal file
BIN
mobile/openapi/lib/model/o_auth_token_endpoint_auth_method.dart
generated
Normal file
Binary file not shown.
BIN
mobile/openapi/lib/model/system_config_o_auth_dto.dart
generated
BIN
mobile/openapi/lib/model/system_config_o_auth_dto.dart
generated
Binary file not shown.
|
|
@ -10824,6 +10824,13 @@
|
|||
],
|
||||
"type": "object"
|
||||
},
|
||||
"OAuthTokenEndpointAuthMethod": {
|
||||
"enum": [
|
||||
"client_secret_post",
|
||||
"client_secret_basic"
|
||||
],
|
||||
"type": "string"
|
||||
},
|
||||
"OnThisDayDto": {
|
||||
"properties": {
|
||||
"year": {
|
||||
|
|
@ -13404,6 +13411,17 @@
|
|||
},
|
||||
"storageQuotaClaim": {
|
||||
"type": "string"
|
||||
},
|
||||
"timeout": {
|
||||
"minimum": 1,
|
||||
"type": "integer"
|
||||
},
|
||||
"tokenEndpointAuthMethod": {
|
||||
"allOf": [
|
||||
{
|
||||
"$ref": "#/components/schemas/OAuthTokenEndpointAuthMethod"
|
||||
}
|
||||
]
|
||||
}
|
||||
},
|
||||
"required": [
|
||||
|
|
@ -13421,7 +13439,9 @@
|
|||
"scope",
|
||||
"signingAlgorithm",
|
||||
"storageLabelClaim",
|
||||
"storageQuotaClaim"
|
||||
"storageQuotaClaim",
|
||||
"timeout",
|
||||
"tokenEndpointAuthMethod"
|
||||
],
|
||||
"type": "object"
|
||||
},
|
||||
|
|
|
|||
|
|
@ -1315,6 +1315,8 @@ export type SystemConfigOAuthDto = {
|
|||
signingAlgorithm: string;
|
||||
storageLabelClaim: string;
|
||||
storageQuotaClaim: string;
|
||||
timeout: number;
|
||||
tokenEndpointAuthMethod: OAuthTokenEndpointAuthMethod;
|
||||
};
|
||||
export type SystemConfigPasswordLoginDto = {
|
||||
enabled: boolean;
|
||||
|
|
@ -3859,6 +3861,10 @@ export enum LogLevel {
|
|||
Error = "error",
|
||||
Fatal = "fatal"
|
||||
}
|
||||
export enum OAuthTokenEndpointAuthMethod {
|
||||
ClientSecretPost = "client_secret_post",
|
||||
ClientSecretBasic = "client_secret_basic"
|
||||
}
|
||||
export enum TimeBucketSize {
|
||||
Day = "DAY",
|
||||
Month = "MONTH"
|
||||
|
|
|
|||
|
|
@ -5,6 +5,7 @@ import {
|
|||
CQMode,
|
||||
ImageFormat,
|
||||
LogLevel,
|
||||
OAuthTokenEndpointAuthMethod,
|
||||
QueueName,
|
||||
ToneMapping,
|
||||
TranscodeHWAccel,
|
||||
|
|
@ -96,6 +97,8 @@ export interface SystemConfig {
|
|||
scope: string;
|
||||
signingAlgorithm: string;
|
||||
profileSigningAlgorithm: string;
|
||||
tokenEndpointAuthMethod: OAuthTokenEndpointAuthMethod;
|
||||
timeout: number;
|
||||
storageLabelClaim: string;
|
||||
storageQuotaClaim: string;
|
||||
};
|
||||
|
|
@ -260,6 +263,8 @@ export const defaults = Object.freeze<SystemConfig>({
|
|||
profileSigningAlgorithm: 'none',
|
||||
storageLabelClaim: 'preferred_username',
|
||||
storageQuotaClaim: 'immich_quota',
|
||||
tokenEndpointAuthMethod: OAuthTokenEndpointAuthMethod.CLIENT_SECRET_POST,
|
||||
timeout: 30_000,
|
||||
},
|
||||
passwordLogin: {
|
||||
enabled: true,
|
||||
|
|
|
|||
|
|
@ -25,6 +25,7 @@ import {
|
|||
Colorspace,
|
||||
ImageFormat,
|
||||
LogLevel,
|
||||
OAuthTokenEndpointAuthMethod,
|
||||
QueueName,
|
||||
ToneMapping,
|
||||
TranscodeHWAccel,
|
||||
|
|
@ -33,7 +34,7 @@ import {
|
|||
VideoContainer,
|
||||
} from 'src/enum';
|
||||
import { ConcurrentQueueName } from 'src/types';
|
||||
import { IsCronExpression, ValidateBoolean } from 'src/validation';
|
||||
import { IsCronExpression, Optional, ValidateBoolean } from 'src/validation';
|
||||
|
||||
const isLibraryScanEnabled = (config: SystemConfigLibraryScanDto) => config.enabled;
|
||||
const isOAuthEnabled = (config: SystemConfigOAuthDto) => config.enabled;
|
||||
|
|
@ -344,10 +345,19 @@ class SystemConfigOAuthDto {
|
|||
clientId!: string;
|
||||
|
||||
@ValidateIf(isOAuthEnabled)
|
||||
@IsNotEmpty()
|
||||
@IsString()
|
||||
clientSecret!: string;
|
||||
|
||||
@IsEnum(OAuthTokenEndpointAuthMethod)
|
||||
@ApiProperty({ enum: OAuthTokenEndpointAuthMethod, enumName: 'OAuthTokenEndpointAuthMethod' })
|
||||
tokenEndpointAuthMethod!: OAuthTokenEndpointAuthMethod;
|
||||
|
||||
@IsInt()
|
||||
@IsPositive()
|
||||
@Optional()
|
||||
@ApiProperty({ type: 'integer' })
|
||||
timeout!: number;
|
||||
|
||||
@IsNumber()
|
||||
@Min(0)
|
||||
defaultStorageQuota!: number;
|
||||
|
|
|
|||
|
|
@ -605,3 +605,8 @@ export enum NotificationType {
|
|||
SystemMessage = 'SystemMessage',
|
||||
Custom = 'Custom',
|
||||
}
|
||||
|
||||
export enum OAuthTokenEndpointAuthMethod {
|
||||
CLIENT_SECRET_POST = 'client_secret_post',
|
||||
CLIENT_SECRET_BASIC = 'client_secret_basic',
|
||||
}
|
||||
|
|
|
|||
|
|
@ -5,7 +5,7 @@ import { Telemetry } from 'src/decorators';
|
|||
import { LogLevel } from 'src/enum';
|
||||
import { ConfigRepository } from 'src/repositories/config.repository';
|
||||
|
||||
type LogDetails = any[];
|
||||
type LogDetails = any;
|
||||
type LogFunction = () => string;
|
||||
|
||||
const LOG_LEVELS = [LogLevel.VERBOSE, LogLevel.DEBUG, LogLevel.LOG, LogLevel.WARN, LogLevel.ERROR, LogLevel.FATAL];
|
||||
|
|
|
|||
|
|
@ -1,16 +1,19 @@
|
|||
import { Injectable, InternalServerErrorException } from '@nestjs/common';
|
||||
import type { UserInfoResponse } from 'openid-client' with { 'resolution-mode': 'import' };
|
||||
import { OAuthTokenEndpointAuthMethod } from 'src/enum';
|
||||
import { LoggingRepository } from 'src/repositories/logging.repository';
|
||||
|
||||
export type OAuthConfig = {
|
||||
clientId: string;
|
||||
clientSecret: string;
|
||||
clientSecret?: string;
|
||||
issuerUrl: string;
|
||||
mobileOverrideEnabled: boolean;
|
||||
mobileRedirectUri: string;
|
||||
profileSigningAlgorithm: string;
|
||||
scope: string;
|
||||
signingAlgorithm: string;
|
||||
tokenEndpointAuthMethod: OAuthTokenEndpointAuthMethod;
|
||||
timeout: number;
|
||||
};
|
||||
export type OAuthProfile = UserInfoResponse;
|
||||
|
||||
|
|
@ -76,12 +79,10 @@ export class OAuthRepository {
|
|||
);
|
||||
}
|
||||
|
||||
if (error.code === 'OAUTH_INVALID_RESPONSE') {
|
||||
this.logger.warn(`Invalid response from authorization server. Cause: ${error.cause?.message}`);
|
||||
throw error.cause;
|
||||
}
|
||||
this.logger.error(`OAuth login failed: ${error.message}`);
|
||||
this.logger.error(error);
|
||||
|
||||
throw error;
|
||||
throw new Error('OAuth login failed', { cause: error });
|
||||
}
|
||||
}
|
||||
|
||||
|
|
@ -103,6 +104,8 @@ export class OAuthRepository {
|
|||
clientSecret,
|
||||
profileSigningAlgorithm,
|
||||
signingAlgorithm,
|
||||
tokenEndpointAuthMethod,
|
||||
timeout,
|
||||
}: OAuthConfig) {
|
||||
try {
|
||||
const { allowInsecureRequests, discovery } = await import('openid-client');
|
||||
|
|
@ -114,14 +117,38 @@ export class OAuthRepository {
|
|||
response_types: ['code'],
|
||||
userinfo_signed_response_alg: profileSigningAlgorithm === 'none' ? undefined : profileSigningAlgorithm,
|
||||
id_token_signed_response_alg: signingAlgorithm,
|
||||
timeout: 30_000,
|
||||
},
|
||||
undefined,
|
||||
{ execute: [allowInsecureRequests] },
|
||||
await this.getTokenAuthMethod(tokenEndpointAuthMethod, clientSecret),
|
||||
{
|
||||
execute: [allowInsecureRequests],
|
||||
timeout,
|
||||
},
|
||||
);
|
||||
} catch (error: any | AggregateError) {
|
||||
this.logger.error(`Error in OAuth discovery: ${error}`, error?.stack, error?.errors);
|
||||
throw new InternalServerErrorException(`Error in OAuth discovery: ${error}`, { cause: error });
|
||||
}
|
||||
}
|
||||
|
||||
private async getTokenAuthMethod(tokenEndpointAuthMethod: OAuthTokenEndpointAuthMethod, clientSecret?: string) {
|
||||
const { None, ClientSecretPost, ClientSecretBasic } = await import('openid-client');
|
||||
|
||||
if (!clientSecret) {
|
||||
return None();
|
||||
}
|
||||
|
||||
switch (tokenEndpointAuthMethod) {
|
||||
case OAuthTokenEndpointAuthMethod.CLIENT_SECRET_POST: {
|
||||
return ClientSecretPost(clientSecret);
|
||||
}
|
||||
|
||||
case OAuthTokenEndpointAuthMethod.CLIENT_SECRET_BASIC: {
|
||||
return ClientSecretBasic(clientSecret);
|
||||
}
|
||||
|
||||
default: {
|
||||
return None();
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -6,6 +6,7 @@ import {
|
|||
CQMode,
|
||||
ImageFormat,
|
||||
LogLevel,
|
||||
OAuthTokenEndpointAuthMethod,
|
||||
QueueName,
|
||||
ToneMapping,
|
||||
TranscodeHWAccel,
|
||||
|
|
@ -119,6 +120,8 @@ const updatedConfig = Object.freeze<SystemConfig>({
|
|||
scope: 'openid email profile',
|
||||
signingAlgorithm: 'RS256',
|
||||
profileSigningAlgorithm: 'none',
|
||||
tokenEndpointAuthMethod: OAuthTokenEndpointAuthMethod.CLIENT_SECRET_POST,
|
||||
timeout: 30_000,
|
||||
storageLabelClaim: 'preferred_username',
|
||||
storageQuotaClaim: 'immich_quota',
|
||||
},
|
||||
|
|
|
|||
|
|
@ -1,16 +1,17 @@
|
|||
<script lang="ts">
|
||||
import FormatMessage from '$lib/components/i18n/format-message.svelte';
|
||||
import ConfirmDialog from '$lib/components/shared-components/dialog/confirm-dialog.svelte';
|
||||
import SettingAccordion from '$lib/components/shared-components/settings/setting-accordion.svelte';
|
||||
import SettingButtonsRow from '$lib/components/shared-components/settings/setting-buttons-row.svelte';
|
||||
import SettingInputField from '$lib/components/shared-components/settings/setting-input-field.svelte';
|
||||
import SettingSelect from '$lib/components/shared-components/settings/setting-select.svelte';
|
||||
import SettingSwitch from '$lib/components/shared-components/settings/setting-switch.svelte';
|
||||
import { type SystemConfigDto } from '@immich/sdk';
|
||||
import { SettingInputFieldType } from '$lib/constants';
|
||||
import { OAuthTokenEndpointAuthMethod, type SystemConfigDto } from '@immich/sdk';
|
||||
import { isEqual } from 'lodash-es';
|
||||
import { t } from 'svelte-i18n';
|
||||
import { fade } from 'svelte/transition';
|
||||
import type { SettingsResetEvent, SettingsSaveEvent } from '../admin-settings';
|
||||
import { t } from 'svelte-i18n';
|
||||
import FormatMessage from '$lib/components/i18n/format-message.svelte';
|
||||
import { SettingInputFieldType } from '$lib/constants';
|
||||
|
||||
interface Props {
|
||||
savedConfig: SystemConfigDto;
|
||||
|
|
@ -108,7 +109,7 @@
|
|||
<hr />
|
||||
<SettingInputField
|
||||
inputType={SettingInputFieldType.TEXT}
|
||||
label={$t('admin.oauth_issuer_url').toUpperCase()}
|
||||
label="ISSUER_URL"
|
||||
bind:value={config.oauth.issuerUrl}
|
||||
required={true}
|
||||
disabled={disabled || !config.oauth.enabled}
|
||||
|
|
@ -117,7 +118,7 @@
|
|||
|
||||
<SettingInputField
|
||||
inputType={SettingInputFieldType.TEXT}
|
||||
label={$t('admin.oauth_client_id').toUpperCase()}
|
||||
label="CLIENT_ID"
|
||||
bind:value={config.oauth.clientId}
|
||||
required={true}
|
||||
disabled={disabled || !config.oauth.enabled}
|
||||
|
|
@ -126,16 +127,30 @@
|
|||
|
||||
<SettingInputField
|
||||
inputType={SettingInputFieldType.TEXT}
|
||||
label={$t('admin.oauth_client_secret').toUpperCase()}
|
||||
label="CLIENT_SECRET"
|
||||
description={$t('admin.oauth_client_secret_description')}
|
||||
bind:value={config.oauth.clientSecret}
|
||||
required={true}
|
||||
disabled={disabled || !config.oauth.enabled}
|
||||
isEdited={!(config.oauth.clientSecret == savedConfig.oauth.clientSecret)}
|
||||
/>
|
||||
|
||||
{#if config.oauth.clientSecret}
|
||||
<SettingSelect
|
||||
label="TOKEN_ENDPOINT_AUTH_METHOD"
|
||||
bind:value={config.oauth.tokenEndpointAuthMethod}
|
||||
disabled={disabled || !config.oauth.enabled || !config.oauth.clientSecret}
|
||||
isEdited={!(config.oauth.tokenEndpointAuthMethod == savedConfig.oauth.tokenEndpointAuthMethod)}
|
||||
options={[
|
||||
{ value: OAuthTokenEndpointAuthMethod.ClientSecretPost, text: 'client_secret_post' },
|
||||
{ value: OAuthTokenEndpointAuthMethod.ClientSecretBasic, text: 'client_secret_basic' },
|
||||
]}
|
||||
name="tokenEndpointAuthMethod"
|
||||
/>
|
||||
{/if}
|
||||
|
||||
<SettingInputField
|
||||
inputType={SettingInputFieldType.TEXT}
|
||||
label={$t('admin.oauth_scope').toUpperCase()}
|
||||
label="SCOPE"
|
||||
bind:value={config.oauth.scope}
|
||||
required={true}
|
||||
disabled={disabled || !config.oauth.enabled}
|
||||
|
|
@ -144,7 +159,7 @@
|
|||
|
||||
<SettingInputField
|
||||
inputType={SettingInputFieldType.TEXT}
|
||||
label={$t('admin.oauth_signing_algorithm').toUpperCase()}
|
||||
label="ID_TOKEN_SIGNED_RESPONSE_ALG"
|
||||
bind:value={config.oauth.signingAlgorithm}
|
||||
required={true}
|
||||
disabled={disabled || !config.oauth.enabled}
|
||||
|
|
@ -153,14 +168,23 @@
|
|||
|
||||
<SettingInputField
|
||||
inputType={SettingInputFieldType.TEXT}
|
||||
label={$t('admin.oauth_profile_signing_algorithm').toUpperCase()}
|
||||
description={$t('admin.oauth_profile_signing_algorithm_description')}
|
||||
label="USERINFO_SIGNED_RESPONSE_ALG"
|
||||
bind:value={config.oauth.profileSigningAlgorithm}
|
||||
required={true}
|
||||
disabled={disabled || !config.oauth.enabled}
|
||||
isEdited={!(config.oauth.profileSigningAlgorithm == savedConfig.oauth.profileSigningAlgorithm)}
|
||||
/>
|
||||
|
||||
<SettingInputField
|
||||
inputType={SettingInputFieldType.TEXT}
|
||||
label={$t('admin.oauth_timeout').toUpperCase()}
|
||||
description={$t('admin.oauth_timeout_description')}
|
||||
required={true}
|
||||
bind:value={config.oauth.timeout}
|
||||
disabled={disabled || !config.oauth.enabled}
|
||||
isEdited={!(config.oauth.timeout == savedConfig.oauth.timeout)}
|
||||
/>
|
||||
|
||||
<SettingInputField
|
||||
inputType={SettingInputFieldType.TEXT}
|
||||
label={$t('admin.oauth_storage_label_claim').toUpperCase()}
|
||||
|
|
|
|||
|
|
@ -1,15 +1,15 @@
|
|||
<script lang="ts">
|
||||
import { SettingInputFieldType } from '$lib/constants';
|
||||
import { onMount, tick, type Snippet } from 'svelte';
|
||||
import { t } from 'svelte-i18n';
|
||||
import { quintOut } from 'svelte/easing';
|
||||
import type { FormEventHandler } from 'svelte/elements';
|
||||
import { fly } from 'svelte/transition';
|
||||
import PasswordField from '../password-field.svelte';
|
||||
import { t } from 'svelte-i18n';
|
||||
import { onMount, tick, type Snippet } from 'svelte';
|
||||
import { SettingInputFieldType } from '$lib/constants';
|
||||
|
||||
interface Props {
|
||||
inputType: SettingInputFieldType;
|
||||
value: string | number;
|
||||
value: string | number | undefined;
|
||||
min?: number;
|
||||
max?: number;
|
||||
step?: string;
|
||||
|
|
@ -147,7 +147,7 @@
|
|||
name={label}
|
||||
autocomplete={passwordAutocomplete}
|
||||
{required}
|
||||
password={value.toString()}
|
||||
password={(value || '').toString()}
|
||||
onInput={(passwordValue) => (value = passwordValue)}
|
||||
{disabled}
|
||||
{title}
|
||||
|
|
|
|||
|
|
@ -1,12 +1,12 @@
|
|||
<script lang="ts">
|
||||
import { quintOut } from 'svelte/easing';
|
||||
import { fly } from 'svelte/transition';
|
||||
import { t } from 'svelte-i18n';
|
||||
import Icon from '$lib/components/elements/icon.svelte';
|
||||
import { mdiChevronDown } from '@mdi/js';
|
||||
import { t } from 'svelte-i18n';
|
||||
import { quintOut } from 'svelte/easing';
|
||||
import { fly } from 'svelte/transition';
|
||||
|
||||
interface Props {
|
||||
value: string | number;
|
||||
value: string | number | undefined;
|
||||
options: { value: string | number; text: string }[];
|
||||
label?: string;
|
||||
desc?: string;
|
||||
|
|
|
|||
Loading…
Reference in a new issue