diff --git a/machines/gerd/services/authelia/authelia.nix b/machines/gerd/services/authelia/authelia.nix
index 90e3cdb..a1bac9e 100644
--- a/machines/gerd/services/authelia/authelia.nix
+++ b/machines/gerd/services/authelia/authelia.nix
@@ -90,6 +90,20 @@ in {
 user = config.mine.shared.settings.ldap.bind_dn;
 };
 };
+
+ # authelia have changed how the by-default handles auth, so in theory everything
+ # should contact the `userinfo` endpoint. but not everything does, which leads to us
+ # having to create a default policy for this
+ # https://github.com/pulsejet/nextcloud-oidc-login/issues/311#issuecomment-2763239352
+ identity_providers.oidc.claims_policies.default.id_token = [
+ "rat"
+ "groups"
+ "email"
+ "email_verified"
+ "alt_emails"
+ "preferred_username"
+ "name"
+ ];
 };
 };
diff --git a/machines/gerd/services/nextcloud.nix b/machines/gerd/services/nextcloud.nix
index cbc0400..349c759 100644
--- a/machines/gerd/services/nextcloud.nix
+++ b/machines/gerd/services/nextcloud.nix
@@ -223,6 +223,7 @@ in {
 client_secret = "$pbkdf2-sha512$310000$kLNQ/1A.uasSN4g8q94jUQ$8OKNUNNumHCh8dVG5/QWys7u.y1guqFXlrL.bMm7/HKTsWhpib/W.8qlU6VU7V1Be/h14Y.fJi3RLvbkEdo2kA";
 consent_mode = "implicit";
 redirect_uris = [ "https://${svc_domain}/apps/oidc_login/oidc" ];
+ claims_policy = "default";
 scopes = [
 "openid"
 "profile"
diff --git a/machines/gerd/services/rallly/default.nix b/machines/gerd/services/rallly/default.nix
index d6f4710..e58df59 100644
--- a/machines/gerd/services/rallly/default.nix
+++ b/machines/gerd/services/rallly/default.nix
@@ -106,6 +106,7 @@ in {
 client_secret = "$pbkdf2-sha512$310000$KB4UqeuVr86lEOoISSE92w$i2YGpz3wRwceiRfYnMUhZ0MboutkDPPYVWnXqiw6tUt./mgZ5kfV1ES.kcdsHhMdavhCrJfWvVTPQRJKImuUrQ";
 consent_mode = "implicit";
 redirect_uris = [ "https://${svc_domain}/api/auth/callback/oidc" ];
+ claims_policy = "default";
 scopes = [
 "openid"
 "email"
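Review bot: The comment above `identity_providers.oidc.claims_policies.default.id_token` explains why the policy exists but not which Authelia release changed the default behaviour or which clients depend on it, so there is no way to tell later when it can be dropped, and the name `default` suggests the policy applies automatically when in fact each client has to opt in via `claims_policy` (as the nextcloud and rallly hunks do). A name such as `legacy_id_token_claims` and a comment like `# Opt-in policy for clients that still read claims from the ID token instead of calling userinfo (nextcloud oidc_login, rallly); revisit once they use userinfo.` would make that explicit. Placing `groups` and `alt_emails` in the ID token means every client bound to this policy receives them inside the token rather than via a userinfo call, so the binding should stay limited to the clients that actually need it. The enclosing `identity_providers.oidc` attribute set begins before the hunk.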
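Review bot: `claims_policy = "default";` repeats the policy name as a bare string here and again in the rallly hunk, with nothing tying either to the `claims_policies.default` key in authelia.nix; a mismatch in any of the three places would at best be caught when Authelia validates its configuration at startup, and a later rename of the policy has to be chased by hand. The file already reads shared values through `config.mine.shared.settings` (see the `bind_dn` context line in the authelia hunk), so the policy name could be defined once there and referenced from both clients, e.g. `claims_policy = config.mine.shared.settings.oidc.claims_policy;` (option path illustrative — it would need to be declared). Separately, the rallly client's visible scopes are only `openid` and `email`; if Authelia emits a policy's ID-token claims only for scopes the client was granted, `groups` and the profile claims would not reach rallly anyway, which is worth confirming since its `scopes` list continues outside the hunk.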