[Enhancement] OpenID Connect/SSO support #1844
Comments
Hi, There was a request for LDAP integration but it ended up being rejected because the author was not complying with our phpstan requests and testing. :( We do support Header Auth token (if generated by Lychee), but this requires pre-registration. I would also suggest you also have a look at: You will still need to create a user in the Lychee DB (either on successful login to the SSO system) in order to track the rights, that will be the way to define whether admin access is provided or not. |
@ildyria great news, thanks for letting me know. Sorry I didn't get the chance to take a look at implementing it! I'll give the PR a test. |
To clarify this still requires the user to have an account and then we link it. |
This is a valuable addition for having SSO. It no longer requires you to add a new user beforehand. I have tested this with my Keycloak environment. It works just fine. Now if only I had user group support where I just have to add the new user to a group to give access to multiple albums, that would be awesome! I do understand the warning about "shooting yourself in the foot" when using other, public OIDC authentication mechanisms. Anyone can log in and create an account. |
I have Google OAuth2 set up and can authenticate to Lychee successfully. My understanding is that we need to create a Lychee account first, then a user can click on the G icon and authenticate via OAuth. I have the following defaults:
I can authenticate with Google even if I don't have a Lychee account created. Also it looks like the admin account since I can view Settings etc. What could I be missing? Thanks. |
wohowowowo
Yes.
That would be BAD. Let me check. |
Can you check in the admin user profile panel what is in the "Set up Oauth authentication" part. |
It shows 'Set up Google', I click on it then it says 'Google token registered (reset)'
I tested with GitHub OAuth and get the same behaviour. I can authenticate with my GitHub account as admin without an established Lychee account. I've tried incognito mode and on mobile phone with the same result. There must be something wrong in my config, attached maybe? In my .env, not sure if this is related?
and the OAuth config looks like this
|
It literally says here that the google token is linked. Just click reset and it will be fine. |
When you click on set up the connection, you are linking the account to your google account! |
OK. This is the point that I was missing. Updated flow:
I can confirm it's working great. Thank you! |
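The linking flow worked out in the exchange above (a Lychee account exists first, the logged-in user's "Set up Google" click binds the external identity to that account, and an OAuth login then only succeeds for an identity bound that way, so binding while logged in as admin makes that Google account an admin login until "reset" is clicked), together with the auto-provisioning variant mentioned earlier in the thread where anyone who can log in gets a fresh account, as an added example in Python. This is not Lychee's code (Lychee is a PHP project; the model here is language-independent): IdentityStore, link_identity, reset_identity, login_with_identity and demo_admin_link_flow are hypothetical names, and the provider subjects and claims are constructed sample input.

```python
"""Added example: 'link first, then log in' OAuth/OIDC account binding.

Not Lychee's code. Names are hypothetical; subjects/claims are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class User:
    user_id: int
    username: str
    is_admin: bool = False


@dataclass
class IdentityStore:
    users: Dict[int, User] = field(default_factory=dict)
    # (provider, subject) -> local user_id. A populated entry is the
    # "Google token registered" state shown in the profile panel.
    links: Dict[Tuple[str, str], int] = field(default_factory=dict)
    # The "shoot yourself in the foot" switch: unknown identities may
    # self-register. They never become admin through this path.
    allow_auto_provision: bool = False
    next_id: int = 1

    def create_user(self, username: str, is_admin: bool = False) -> User:
        user = User(self.next_id, username, is_admin)
        self.users[user.user_id] = user
        self.next_id += 1
        return user

    def link_identity(self, session_user_id: int, provider: str, subject: str) -> None:
        """The 'Set up <provider>' button: binds the *currently logged-in*
        account to the external identity. Whoever is logged in when this
        is clicked (e.g. the admin) is who that identity will log in as."""
        if session_user_id not in self.users:
            raise PermissionError("must be logged in to link an identity")
        if (provider, subject) in self.links:
            raise ValueError("identity already linked to a local account")
        self.links[(provider, subject)] = session_user_id

    def reset_identity(self, session_user_id: int, provider: str) -> int:
        """The '(reset)' link: drop this user's binding(s) for a provider.
        Returns the number of bindings removed."""
        stale = [k for k, uid in self.links.items()
                 if uid == session_user_id and k[0] == provider]
        for key in stale:
            del self.links[key]
        return len(stale)

    def login_with_identity(self, provider: str, subject: str,
                            claims: Optional[dict] = None) -> Optional[User]:
        """OAuth callback after the provider has authenticated `subject`.
        Only a pre-linked identity resolves to an existing local user; with
        auto-provisioning on, an unknown identity gets a new non-admin user;
        otherwise the login is refused (None)."""
        uid = self.links.get((provider, subject))
        if uid is not None:
            return self.users[uid]
        if not self.allow_auto_provision:
            return None
        name = (claims or {}).get("preferred_username") or f"{provider}:{subject}"
        user = self.create_user(name, is_admin=False)
        self.links[(provider, subject)] = user.user_id
        return user


def demo_admin_link_flow() -> Tuple[bool, bool, bool]:
    """Replays the thread: admin links Google -> that Google subject logs in
    as admin; an unlinked subject is refused; after reset the link is gone."""
    store = IdentityStore()
    admin = store.create_user("admin", is_admin=True)
    store.link_identity(admin.user_id, "google", "sub-123")   # clicked while logged in as admin
    logged_in_as_admin = store.login_with_identity("google", "sub-123").is_admin
    stranger_refused = store.login_with_identity("google", "sub-999") is None
    store.reset_identity(admin.user_id, "google")             # the "(reset)" link
    refused_after_reset = store.login_with_identity("google", "sub-123") is None
    return logged_in_as_admin, stranger_refused, refused_after_reset


if __name__ == "__main__":
    print(demo_admin_link_flow())
```

The check to make in a real deployment is the one the admin profile panel shows: if "<provider> token registered" appears on the admin account, that provider identity is an admin login, and the binding must be reset before the provider is opened to other people.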
Is there any plan or want for implementing SSO or another method of automatic external authentication like header auth?
I'm happy to write the feature and raise a PR for this, but am a little unsure on how to handle the 'administrator' access level, as from the current implementation there is only one, whereas with a third party IDP you could potentially have a group of administrators.