diff --git a/config.yml.sample b/config.yml.sample index cd3d35505..eae85bb9a 100644 --- a/config.yml.sample +++ b/config.yml.sample @@ -317,7 +317,7 @@ auth: # The client secret used to authenticate Vikunja at the OpenID Connect provider. clientsecret: # The scope necessary to use oidc. - # If you want to use the Feature to create and assign to vikunja teams via oidc, you have to add the custom "vikunja_scope" and check [openid.md](https://vikunja.io/docs/openid/) + # If you want to use the Feature to create and assign to vikunja teams via oidc, you have to add the custom "vikunja_scope" and check [openid.md](https://vikunja.io/docs/openid/). # e.g. scope: openid email profile vikunja_scope scope: openid email profile diff --git a/docs/content/doc/setup/config.md b/docs/content/doc/setup/config.md index dc71c8a88..69557595d 100644 --- a/docs/content/doc/setup/config.md +++ b/docs/content/doc/setup/config.md @@ -93,7 +93,7 @@ Environment path: `VIKUNJA_SERVICE_JWTTTL` ### jwtttllong -The duration of the "remember me" time in seconds. When the login request is made with +The duration of the "remember me" time in seconds. When the login request is made with the long param set, the token returned will be valid for this period. The default is 2592000 seconds (30 Days). @@ -310,7 +310,7 @@ Environment path: `VIKUNJA_SERVICE_ENABLEEMAILREMINDERS` ### enableuserdeletion -If true, will allow users to request the complete deletion of their account. When using external authentication methods +If true, will allow users to request the complete deletion of their account. When using external authentication methods it may be required to coordinate with them in order to delete the account. This setting will not affect the cli commands for user deletion. @@ -516,7 +516,7 @@ Environment path: `VIKUNJA_DATABASE_TLS` Whether to enable the Typesense integration. If true, all tasks will be synced to the configured Typesense instance and all search and filtering will run through Typesense instead of only through the database. -Typesense allows fast fulltext search including fuzzy matching support. It may return different results than +Typesense allows fast fulltext search including fuzzy matching support. It may return different results than what you'd get with a database-only search. Default: `false` @@ -971,7 +971,7 @@ Environment path: `VIKUNJA_RATELIMIT_STORE` ### noauthlimit -The number of requests a user can make from the same IP to all unauthenticated routes (login, register, +The number of requests a user can make from the same IP to all unauthenticated routes (login, register, password confirmation, email verification, password reset request) per minute. This limit cannot be disabled. You should only change this if you know what you're doing. diff --git a/docs/content/doc/setup/openid-examples.md b/docs/content/doc/setup/openid-examples.md index eb8bdc589..26c8575ca 100644 --- a/docs/content/doc/setup/openid-examples.md +++ b/docs/content/doc/setup/openid-examples.md @@ -67,7 +67,7 @@ Google config: Note that there currently seems to be no way to stop creation of new users, even when `enableregistration` is `false` in the configuration. This means that this approach works well only with an "Internal Organization" app for Google Workspace, which limits the allowed users to organizational accounts only. External / public applications will potentially allow every Google user to register. -## Keycloak +## Keycloak Vikunja Config: ```yaml @@ -88,3 +88,20 @@ Keycloak Config: - Set `Root Url` to `https://vikunja.mydomain.com` - Set `Valid redirect URIs` to `/auth/openid/keycloak` - Create the client the navigate to the credentials tab and copy the `Client secret` + +## authentik + +Vikunja Config: +```yaml +openid: + enabled: true + redirecturl: /auth/openid/ + providers: + - name: authentiklogin + authurl: http://localhost:9000/application/o/vikunja/ + logouturl: http://localhost:9000/if/session-end/vikunja/ + clientid: + clientsecret: + scope: openid email profile +``` + diff --git a/docs/content/doc/setup/openid.md b/docs/content/doc/setup/openid.md index e02047fa6..7e257996f 100644 --- a/docs/content/doc/setup/openid.md +++ b/docs/content/doc/setup/openid.md @@ -8,13 +8,13 @@ To learn more about how to configure this, [check out the examples]({{< ref "ope ## Automatically assign users to teams -Vikunja is capable of automatically adding users to a team based on a group defined in the oidc provider. -If configured, Vikunja will sync teams, automatically create new ones and make sure the members are part of the configured teams. +Vikunja is capable of automatically adding users to a team based on a group defined in the oidc provider. +If configured, Vikunja will sync teams, automatically create new ones and make sure the members are part of the configured teams. Teams which exist only because they were created from oidc attributes are not editable in Vikunja. To distinguish between teams created in Vikunja and teams generated automatically via oidc, generated teams have an `oidcID` assigned internally. -You need to make sure the OpenID provider has the `vikunja_groups` scope via your custom scope since this is the key Vikunja is looking for to start the procedure. +You need to make sure the OpenID provider has the `vikunja_groups` scope via your custom scope since this is the key, which is looked up by Vikunja to start the procedure. Additionally, make sure to deliver an `oidcID` and a `name` attribute in the oidc token. @@ -26,7 +26,7 @@ To use Authentik's group assignment feature, follow these steps: 1. Edit [your config]({{< ref "config.md">}}) to include the following scopes: `openid profile email vikunja_scope` 2. Open `/if/admin/#/core/property-mappings` -3. Create a new mapping called `vikunja_scope`. There is a field to enter python expressions that will be delivered with the oidc token. +3. Create a new property mapping called `vikunja_scope` as scope mapping. There is a field `expression` to enter python expressions that will be delivered with the oidc token. 4. Write a small script like the following to add group information to `vikunja_scope`: ```python