Allow more configuration over the OIDC flow.

Adds knobs to configure three aspects of the OpenID Connect flow: * Custom scopes to override the default "openid profile email". * Custom parameters to be added to the Authorize Endpoint request. * Domain allowlisting for authenticated principals. * User allowlisting for authenticated principals.
2022-04-25 21:05:37 +02:00 · 2022-04-25 21:05:37 +02:00 · 7cc58af932
commit 7cc58af932
parent ddb87af5ce
6 changed files with 68 additions and 2 deletions
--- a/config-example.yaml
+++ b/config-example.yaml
@ -214,6 +214,21 @@ unix_socket_permission: "0770"
 #   client_id: "your-oidc-client-id"
 #   client_secret: "your-oidc-client-secret"
 #
+#   Customize the scopes used in the OIDC flow, defaults to "openid", "profile" and "email" and add custom query
+#   parameters to the Authorize Endpoint request. Scopes default to "openid", "profile" and "email".
+#
+#   scope: ["openid", "profile", "email", "custom"]
+#   extra_params:
+#     domain_hint: example.com
+#
+#   List allowed principal domains and/or users. If an authenticated user's domain is not in this list, the
+#   authentication request will be rejected.
+#
+#   allowed_domains:
+#     - example.com
+#   allowed_users:
+#     - alice@example.com
+#
 #   If `strip_email_domain` is set to `true`, the domain part of the username email address will be removed.
 #   This will transform `first-name.last-name@example.com` to the namespace `first-name.last-name`
 #   If `strip_email_domain` is set to `false` the domain part will NOT be removed resulting to the following