Miniflux OAuth2 Authentication Documentation - Account Linking

[adinunzio10]

Hi All,

Wasn't sure where to post this so sorry if this is not in the best spot.

I set up Authentik with Miniflux today and was running into issues with how to tell authentik what scope to pass to miniflux for my login id.

I don't use emails for logins, so email scope won't work.
I tried the other 2 scopes available (openid, profile) and it doesn't work.

I set OAUTH2_USER_CREATION=true and noticed when using the other 2 scopes, my username was just blank.

I then noticed at the bottom of my settings page, there is a button to link my profile to my sso profile. I did that and bam everything works great.

So to break it down:

1. My big ask was to update the documentation to mention the linking feature. had i not scrolled down the settings page I may have never even knew it existed!
2. I imagine blank username shouldn't be possible, so thats more of an FYI.
3. Also, a way to disable non-sso logins might be helpful but for now I am just doing this with my reverse proxy

[fguillot]

Currently, the scopes openid and email are hardcoded:

v2/internal/oauth2/oidc.go

Line 40 in 344a237

Scopes: []string{"openid", "email"},

Some code change are required to make it configurable:

v2/internal/oauth2/oidc.go

Line 57 in 344a237

profile := &Profile{Key: o.GetUserExtraKey(), ID: userInfo.Subject, Username: userInfo.Email}

Blank usernames should be forbidden as well.

[fguillot]

PR #2059 and #2060 should address this issue. Tested with Authentik with accounts with and without email.

At some point, the OIDC integration could be improved to customize the claim used to populate Miniflux's username field. It's already requested in issue #1464.

Updated documentation: https://miniflux.app/docs/howto.html#oauth2