updated with oidc fixes

Author: gtsteffaniak

CHANGELOG.md

@@ -4,12 +4,12 @@ All notable changes to this project will be documented in this file. For commit
 
 ## v0.7.8-beta
 
+Note: if using oidc, please update from 0.7.7 to resolve invalid_grant issue. Also - oidc no longer creates users automatically by default -- must be enabled.
 
  **New Features**:
- -
-
- **Notes**:
- -
+ - More oidc user creation options https://github.com/gtsteffaniak/filebrowser/issues/685
+   - `auth.methods.oidc.createUser` must be true to automatically create user, defaults to false.
+   - `auth.methods.oidc.adminGroup` allows using oidc provider group name to enable admin user creation.
 
  **BugFixes**:
  - fix save editor info sometimes saves wrong file. https://github.com/gtsteffaniak/filebrowser/issues/701

backend/common/settings/auth.go

@@ -60,6 +60,8 @@ type OidcConfig struct {
 	UserIdentifier    string                `json:"userIdentifier"`    // the user identifier to use for authentication. Default is "username", can be "email" or "username", or "phone"
 	DisableVerifyTLS  bool                  `json:"disableVerifyTLS"`  // disable TLS verification for the OIDC provider. This is insecure and should only be used for testing.
 	LogoutRedirectUrl string                `json:"logoutRedirectUrl"` // if provider logout url is provided, filebrowser will also redirect to logout url. Custom logout query params are respected.
+	CreateUser        bool                  `json:"createUser"`        // create user if not exists
+	AdminGroup        string                `json:"adminGroup"`        // if set, users in this group will be granted admin privileges.
 	Provider          *oidc.Provider        `json:"-"`                 // OIDC provider
 	Verifier          *oidc.IDTokenVerifier `json:"-"`                 // OIDC verifier
 }

backend/http/oidc.go

@@ -4,6 +4,7 @@ import (
 	"crypto/tls"
 	"fmt"
 	"net/http"
+	"slices"
 	"strings"
 	"time"
 
@@ -18,11 +19,12 @@ import (
 
 // userInfo struct to hold user claims from either UserInfo or ID token
 type userInfo struct {
-	Name              string `json:"name"`
-	PreferredUsername string `json:"preferred_username"`
-	Email             string `json:"email"`
-	Sub               string `json:"sub"`
-	Phone             string `json:"phone_number"`
+	Name              string   `json:"name"`
+	PreferredUsername string   `json:"preferred_username"`
+	Email             string   `json:"email"`
+	Sub               string   `json:"sub"`
+	Phone             string   `json:"phone_number"`
+	Groups            []string `json:"groups"`
 }
 
 // oidcCallbackHandler handles the OIDC callback after the user authenticates with the provider.
@@ -174,9 +176,16 @@ func oidcCallbackHandler(w http.ResponseWriter, r *http.Request, d *requestConte
 		logger.Error("No valid username found in ID token or UserInfo response.")
 		return http.StatusInternalServerError, fmt.Errorf("no valid username found in ID token or UserInfo response from claims")
 	}
+	isAdmin := false // Default to non-admin user
+	if config.Auth.Methods.OidcAuth.AdminGroup != "" {
+		if slices.Contains(userdata.Groups, config.Auth.Methods.OidcAuth.AdminGroup) {
+			isAdmin = true // User is in the admin group, grant admin privileges
+			logger.Debugf("User %s is in admin group %s, granting admin privileges.", loginUsername, config.Auth.Methods.OidcAuth.AdminGroup)
+		}
+	}
 	// Proceed to log the user in with the OIDC data
 	// userdata struct now contains info from either verified ID token or UserInfo endpoint
-	return loginWithOidcUser(w, r, loginUsername)
+	return loginWithOidcUser(w, r, loginUsername, isAdmin)
 }
 
 // oidcLoginHandler redirects the user to the OIDC provider's authorization endpoint.
@@ -213,25 +222,28 @@ func oidcLoginHandler(w http.ResponseWriter, r *http.Request, d *requestContext)
 // loginWithOidcUser extracts the username from the user claims (userInfo)
 // based on the configured UserIdentifier and logs the user into the application.
 // It creates a new user if one doesn't exist.
-func loginWithOidcUser(w http.ResponseWriter, r *http.Request, username string) (int, error) {
-	logger.Debugf("Successfully authenticated OIDC username: %s", username)
+func loginWithOidcUser(w http.ResponseWriter, r *http.Request, username string, isAdmin bool) (int, error) {
+	logger.Debugf("Successfully authenticated OIDC username: %s isAdmin: %v", username, isAdmin)
 	// Retrieve the user from the store and store it in the context
 	user, err := store.Users.Get(username)
 	if err != nil {
 		if err.Error() != "the resource does not exist" {
 			return http.StatusInternalServerError, err
 		}
-
-		err = storage.CreateUser(users.User{
-			LoginMethod: users.LoginMethodOidc,
-			Username:    username,
-		}, false)
-		if err != nil {
-			return http.StatusInternalServerError, err
-		}
-		user, err = store.Users.Get(username)
-		if err != nil {
-			return http.StatusInternalServerError, err
+		if config.Auth.Methods.OidcAuth.CreateUser {
+			err = storage.CreateUser(users.User{
+				LoginMethod: users.LoginMethodOidc,
+				Username:    username,
+			}, isAdmin)
+			if err != nil {
+				return http.StatusInternalServerError, err
+			}
+			user, err = store.Users.Get(username)
+			if err != nil {
+				return http.StatusInternalServerError, err
+			}
+		} else {
+			return http.StatusForbidden, fmt.Errorf("user %s does not exist and createUser is disabled. Your admin needs to create your user before you can access this application", username)
 		}
 	}
 	if user.LoginMethod != users.LoginMethodOidc {

backend/swagger/docs/docs.go

@@ -1910,6 +1910,10 @@ const docTemplate = `{
         "settings.OidcConfig": {
             "type": "object",
             "properties": {
+                "adminGroup": {
+                    "description": "if set, users in this group will be granted admin privileges.",
+                    "type": "string"
+                },
                 "clientId": {
                     "description": "client id of the OIDC application",
                     "type": "string"
@@ -1918,6 +1922,10 @@ const docTemplate = `{
                     "description": "client secret of the OIDC application",
                     "type": "string"
                 },
+                "createUser": {
+                    "description": "create user if not exists",
+                    "type": "boolean"
+                },
                 "disableVerifyTLS": {
                     "description": "disable TLS verification for the OIDC provider. This is insecure and should only be used for testing.",
                     "type": "boolean"

backend/swagger/docs/swagger.json

@@ -1899,6 +1899,10 @@
         "settings.OidcConfig": {
             "type": "object",
             "properties": {
+                "adminGroup": {
+                    "description": "if set, users in this group will be granted admin privileges.",
+                    "type": "string"
+                },
                 "clientId": {
                     "description": "client id of the OIDC application",
                     "type": "string"
@@ -1907,6 +1911,10 @@
                     "description": "client secret of the OIDC application",
                     "type": "string"
                 },
+                "createUser": {
+                    "description": "create user if not exists",
+                    "type": "boolean"
+                },
                 "disableVerifyTLS": {
                     "description": "disable TLS verification for the OIDC provider. This is insecure and should only be used for testing.",
                     "type": "boolean"

backend/swagger/docs/swagger.yaml

@@ -209,12 +209,18 @@ definitions:
     type: object
   settings.OidcConfig:
     properties:
+      adminGroup:
+        description: if set, users in this group will be granted admin privileges.
+        type: string
       clientId:
         description: client id of the OIDC application
         type: string
       clientSecret:
         description: client secret of the OIDC application
         type: string
+      createUser:
+        description: create user if not exists
+        type: boolean
       disableVerifyTLS:
         description: disable TLS verification for the OIDC provider. This is insecure
           and should only be used for testing.

frontend/public/config.generated.yaml

@@ -69,6 +69,8 @@ auth:
       userIdentifier: ""                  # the user identifier to use for authentication. Default is "username", can be "email" or "username", or "phone"
       disableVerifyTLS: false             # disable TLS verification for the OIDC provider. This is insecure and should only be used for testing.
       logoutRedirectUrl: ""               # if provider logout url is provided, filebrowser will also redirect to logout url. Custom logout query params are respected.
+      createUser: false                   # create user if not exists
+      adminGroup: ""                      # if set, users in this group will be granted admin privileges.
   key: ""                                 # the key used to sign the JWT tokens. If not set, a random key will be generated.
   adminUsername: admin                    # the username of the admin user. If not set, the default is "admin".
   adminPassword: admin                    # the password of the admin user. If not set, the default is "admin".