fix: Enable OIDC with Synology SSO Server (#4544)

mealie-recipes · Nov 19, 2024 · 426f91f · 426f91f
1 parent f194a6d
commit 426f91f
Show file tree

Hide file tree

Showing 3 changed files with 8 additions and 4 deletions.
diff --git a/docs/docs/documentation/getting-started/installation/backend-config.md b/docs/docs/documentation/getting-started/installation/backend-config.md
@@ -95,7 +95,7 @@ Use this only when mealie is run without a webserver or reverse proxy.
 For usage, see [Usage - OpenID Connect](../authentication/oidc-v2.md)
 
 | Variables                                         | Default | Description                                                                                                                                                                                                                                                                                            |
-| ------------------------------------------------- | :-----: | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
+|---------------------------------------------------|:-------:|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
 | OIDC_AUTH_ENABLED                                 |  False  | Enables authentication via OpenID Connect                                                                                                                                                                                                                                                              |
 | OIDC_SIGNUP_ENABLED                               |  True   | Enables new users to be created when signing in for the first time with OIDC                                                                                                                                                                                                                           |
 | OIDC_CONFIGURATION_URL                            |  None   | The URL to the OIDC configuration of your provider. This is usually something like https://auth.example.com/.well-known/openid-configuration                                                                                                                                                           |
@@ -107,6 +107,7 @@ For usage, see [Usage - OpenID Connect](../authentication/oidc-v2.md)
 | OIDC_PROVIDER_NAME                                |  OAuth  | The provider name is shown in SSO login button. "Login with <OIDC_PROVIDER_NAME\>"                                                                                                                                                                                                                     |
 | OIDC_REMEMBER_ME                                  |  False  | Because redirects bypass the login screen, you cant extend your session by clicking the "Remember Me" checkbox. By setting this value to true, a session will be extended as if "Remember Me" was checked                                                                                              |
 | OIDC_USER_CLAIM                                   |  email  | This is the claim which Mealie will use to look up an existing user by (e.g. "email", "preferred_username")                                                                                                                                                                                            |
+| OIDC_NAME_CLAIM                                   |  name   | This is the claim which Mealie will use for the users Full Name                                                                                                                                                                                                                                        |
 | OIDC_GROUPS_CLAIM                                 | groups  | Optional if not using `OIDC_USER_GROUP` or `OIDC_ADMIN_GROUP`. This is the claim Mealie will request from your IdP and will use to compare to `OIDC_USER_GROUP` or `OIDC_ADMIN_GROUP` to allow the user to log in to Mealie or is set as an admin. **Your IdP must be configured to grant this claim** |
 | OIDC_SCOPES_OVERRIDE                              |  None   | Advanced configuration used to override the scopes requested from the IdP. **Most users won't need to change this**. At a minimum, 'openid profile email' are required.                                                                                                                                |
 | OIDC_TLS_CACERTFILE                               |  None   | File path to Certificate Authority used to verify server certificate (e.g. `/path/to/ca.crt`)                                                                                                                                                                                                          |

diff --git a/mealie/core/security/providers/openid_provider.py b/mealie/core/security/providers/openid_provider.py
@@ -63,12 +63,14 @@ def authenticate(self) -> tuple[str, timedelta] | None:
             try:
                 # some IdPs don't provide a username (looking at you Google), so if we don't have the claim,
                 # we'll create the user with whatever the USER_CLAIM is (default email)
-                username = claims.get("preferred_username", claims.get(settings.OIDC_USER_CLAIM))
+                username = claims.get(
+                    "preferred_username", claims.get("username", claims.get(settings.OIDC_USER_CLAIM))
+                )
                 user = repos.users.create(
                     {
                         "username": username,
                         "password": "OIDC",
-                        "full_name": claims.get("name"),
+                        "full_name": claims.get(settings.OIDC_NAME_CLAIM),
                         "email": claims.get("email"),
                         "admin": is_admin,
                         "auth_method": AuthMethod.OIDC,
@@ -96,7 +98,7 @@ def authenticate(self) -> tuple[str, timedelta] | None:
     def required_claims(self):
         settings = get_app_settings()
 
-        claims = {"name", "email", settings.OIDC_USER_CLAIM}
+        claims = {settings.OIDC_NAME_CLAIM, "email", settings.OIDC_USER_CLAIM}
         if settings.OIDC_REQUIRES_GROUP_CLAIM:
             claims.add(settings.OIDC_GROUPS_CLAIM)
         return claims
diff --git a/mealie/core/settings/settings.py b/mealie/core/settings/settings.py
@@ -332,6 +332,7 @@ def LDAP_ENABLED(self) -> bool:
     OIDC_PROVIDER_NAME: str = "OAuth"
     OIDC_REMEMBER_ME: bool = False
     OIDC_USER_CLAIM: str = "email"
+    OIDC_NAME_CLAIM: str = "name"
     OIDC_GROUPS_CLAIM: str | None = "groups"
     OIDC_SCOPES_OVERRIDE: str | None = None
     OIDC_TLS_CACERTFILE: str | None = None