diff --git a/INSTALLING.md b/INSTALLING.md index 82041e3d0..77065924d 100644 --- a/INSTALLING.md +++ b/INSTALLING.md @@ -119,3 +119,7 @@ For example, if your library is split into multiples paths you can edit the `vol You can also edit the volume definition to use advanced volume drivers if you need to access smb or network drives. Mounting a drive into your filesystem and binding it in this volume section is also a valid choice (especially for fuse filesystems like cloud drives for example). Don't forget to **also edit the scanner's volumes** if you edit the transcoder's volume. + +# OpenID Connect + +Kyoo supports OpenID Connect (OIDC) for authentication. Please refer to the [OIDC.md](OIDC.md) file for more information. diff --git a/OIDC.md b/OIDC.md new file mode 100644 index 000000000..4d86bdaba --- /dev/null +++ b/OIDC.md 
@@ -0,0 +1,64 @@ +# OpenID Connect + +Kyoo supports OpenID Connect (OIDC) for authentication. This allows you to use your existing identity provider to authenticate users in Kyoo. + +## Configuration + +To enable OIDC, you need to fill the following environment variables in your `.env` file: + +```env +PUBLIC_URL=https://your-kyoo-instance.com +OIDC__NAME= +OIDC__LOGO=https://url-of-your-logo.com +OIDC__CLIENTID= +OIDC__SECRET= +OIDC__AUTHORIZATION=https://url-of-the-authorization-endpoint-of-the-oidc-service.com/auth +OIDC__TOKEN=https://url-of-the-token-endpoint-of-the-oidc-service.com/token +OIDC__PROFILE=https://url-of-the-profile-endpoint-of-the-oidc-service.com/userinfo +OIDC__SCOPE="email openid profile" +OIDC__AUTHMETHOD=ClientSecretBasic +``` + +- `PUBLIC_URL` is the URL of your Kyoo instance. This is required for OIDC to work. +- `` is the name of the OIDC provider. It can be anything you want. This will be the display name of the OIDC provider on the login page. +- `OIDC__LOGO` is the URL of the logo of the OIDC provider. It will be displayed on the login page. +- `OIDC__CLIENTID` is the client ID of the OIDC provider. +- `OIDC__SECRET` is the client secret of the OIDC provider. +- `OIDC__AUTHORIZATION` is the URL of the authorization endpoint of the OIDC provider. +- `OIDC__TOKEN` is the URL of the token endpoint of the OIDC provider. +- `OIDC__PROFILE` is the URL of the profile endpoint of the OIDC provider. +- `OIDC__SCOPE` is the scope of the OIDC provider. This is a space-separated list of scopes. +- `OIDC__AUTHMETHOD` is the authentication method of the OIDC provider. This can be `ClientSecretBasic` or `ClientSecretPost`. + +## Example + +### Google OIDC + +To enable Google OIDC, please follow the instructions from the [Google Developers](https://developers.google.com/identity/gsi/web/guides/get-google-api-clientid) to create a new project and get the client ID and secret. 
+ +When creating the Oauth 2.0 Client ID, make sure to add the following redirect URI: `https://your-kyoo-instance.com/api/auth/logged/google`. + +For the authorized JavaScript origins, add `https://your-kyoo-instance.com`. + +Then, fill the following environment variables in your `.env` file: + +```env +PUBLIC_URL=https://your-kyoo-instance.com +OIDC_GOOGLE_NAME=Google +OIDC_GOOGLE_LOGO=https://logo.clearbit.com/google.com +OIDC_GOOGLE_CLIENTID= # the client ID you got from Google +OIDC_GOOGLE_SECRET= # the client secret you got from Google +OIDC_GOOGLE_AUTHORIZATION=https://accounts.google.com/o/oauth2/auth +OIDC_GOOGLE_TOKEN=https://oauth2.googleapis.com/token +OIDC_GOOGLE_PROFILE=https://www.googleapis.com/oauth2/v2/userinfo +OIDC_GOOGLE_SCOPE="email openid profile" +OIDC_GOOGLE_AUTHMETHOD=ClientSecretPost +``` + +### Another OIDC providers + +To enable another OIDC provider, just fill the environment variables with the information you got from the provider. + +Remember that when `` is `XYZ`, the environment variables should start with `OIDC_XYZ_`. + +In that case, the callback URL will be `https://your-kyoo-instance.com/api/auth/logged/xyz`.
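Review bot: In the INSTALLING.md hunk, the new "OpenID Connect" section does not say whether OIDC is optional or what happens when none of the `OIDC_*` variables are set; readers of an install guide tend to treat every listed section as a required step. Suggest "Kyoo optionally supports OpenID Connect (OIDC) as an additional login method; see [OIDC.md](OIDC.md)" (adjusting to whatever the default login behaviour actually is), so the pointer also tells the reader when they can skip it.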
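Review bot: In the OIDC.md hunk, the Google example (`OIDC_GOOGLE_AUTHORIZATION=https://accounts.google.com/o/oauth2/auth` and `OIDC_GOOGLE_PROFILE=https://www.googleapis.com/oauth2/v2/userinfo`) points at Google's older OAuth 2.0 endpoints rather than the ones Google publishes in its OpenID Connect discovery document (`https://accounts.google.com/o/oauth2/v2/auth` and `https://openidconnect.googleapis.com/v1/userinfo`); the v2 userinfo response uses `id` and `verified_email` where the OIDC userinfo endpoint returns `sub` and `email_verified`, so if Kyoo reads standard claim names from the profile response the verification flag will be silently absent. Suggest switching the example to the discovery-document endpoints, or stating which field names Kyoo expects from `OIDC_*_PROFILE`. Related gap: the page never says how a returned profile is linked to a Kyoo account (by `sub`, by email, and whether an unverified email is accepted), which is exactly what an admin needs to know before trusting a third-party provider with login; one sentence under "Configuration" would cover it, along with a reminder that `PUBLIC_URL` must match the registered redirect URI scheme and host exactly. Smaller points: the placeholder between `OIDC_` and `_NAME` is empty in the template, in the bullet list and in "when `` is `XYZ`", so the naming rule is only recoverable from the Google example; `OIDC__PROFILE` is described as the "profile endpoint" while the sample URLs end in `/userinfo`, so call it the userinfo endpoint; `OIDC__SCOPE` is the list of scopes Kyoo requests, not "the scope of the OIDC provider"; and "Another OIDC providers" should read "Other OIDC providers".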