mirror of https://github.com/mealie-recipes/mealie.git synced 2025-07-24 23:59:45 +02:00
mealie/docs/docs/documentation/getting-started/authentication/oidc.md
2024-03-11 09:08:32 +00:00

OpenID Connect (OIDC) Authentication

Mealie supports third-party authentication via OpenID Connect (OIDC), an identity layer built on top of OAuth 2.0. Most identity providers support OIDC; Authelia, used in the example at the end of this page, is one of them.

Account Linking

Signing in through the provider finds the matching Mealie account and links it to the provider identity. If no matching account exists, Mealie creates one (when automatic sign-up is enabled); that account can only sign in through OIDC until an admin configures another authentication method for it. Because linking trusts the identity the provider asserts, only configure a provider whose user directory you control: whoever can create or edit accounts there can obtain Mealie access.

Provider Setup

Before you can use OIDC authentication, you must register a new client application with your identity provider. The provider must support the OAuth 2.0 Authorization Code flow with PKCE. The exact steps vary by provider, but in general they are as follows.

  1. Create a new client application

    • The Provider type should be OIDC or OAuth2
    • The Grant type should be Authorization Code
    • The Application type should be Web
    • The Client type should be public. The login flow runs in the browser, where no client secret can be kept, so the client is registered without a secret and PKCE protects the authorization code exchange instead. If your provider lets you require PKCE for public clients, turn that on.
  2. Configure redirect URI

    Only one callback path is needed: http(s)://DOMAIN:PORT/login

    Register that path once for every origin Mealie is served from, as an exact URI (no wildcards, no trailing query or fragment). Some examples include

     http://localhost:9091/login
     https://mealie.example.com/login

    Use plain http only for local testing; everything else should be https.

  3. Configure origins

    If your identity provider enforces CORS on its authorization or token endpoints, add your Mealie URL as an allowed origin. An origin is scheme, host and port only (https://mealie.example.com), not the /login path.

  4. Configure allowed scopes

    The client must be allowed to request the scopes openid profile email groups

Mealie Setup

Take the client ID and your provider's discovery URL (normally the issuer URL followed by /.well-known/openid-configuration) and update your environment variables to include the required OIDC variables described in Installation - Backend Configuration. No client secret is needed, because the client was registered as public.
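Before wiring the discovery URL into Mealie, it is worth confirming that the document it serves actually advertises what the steps above rely on: the code response type and authorization_code grant, PKCE with S256 (the only thing protecting a public client's code exchange), https endpoints, an issuer that matches the URL, and the four required scopes. The script below is an added example, not Mealie's code and not a check Mealie performs itself; the discovery documents, the auth.example.com and mealie.example.com URLs, and the redirect-URI rules it applies are constructed for the example and reflect what a practitioner would verify, not anything the project enforces.

```python
"""Pre-flight check of an OIDC provider for Mealie's public-client, PKCE
Authorization Code flow (added example, not Mealie's code). It parses an
OpenID Connect Discovery document, the JSON served at the discovery URL,
and lists anything that would stop the login flow. The documents and URLs
below are constructed for the example; substitute your provider's."""
import json
from urllib.parse import urlparse

REQUIRED_SCOPES = {"openid", "profile", "email", "groups"}
ENDPOINT_KEYS = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")

# Constructed: where the example provider publishes its discovery document.
DISCOVERY_URL = "https://auth.example.com/.well-known/openid-configuration"

# Constructed: a provider set up as the steps above require.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://auth.example.com",
    "authorization_endpoint": "https://auth.example.com/api/oidc/authorization",
    "token_endpoint": "https://auth.example.com/api/oidc/token",
    "jwks_uri": "https://auth.example.com/jwks.json",
    "scopes_supported": ["openid", "profile", "email", "groups", "offline_access"],
    "response_types_supported": ["code"],
    "grant_types_supported": ["authorization_code", "refresh_token"],
    "code_challenge_methods_supported": ["S256"],
})

# Constructed: the same provider with three common misconfigurations.
SAMPLE_DISCOVERY_WEAK = json.dumps({
    "issuer": "https://auth.example.com",
    "authorization_endpoint": "https://auth.example.com/api/oidc/authorization",
    "token_endpoint": "http://auth.example.com/api/oidc/token",  # plain http
    "jwks_uri": "https://auth.example.com/jwks.json",
    "scopes_supported": ["openid", "profile", "email"],            # no groups
    "response_types_supported": ["code"],
    "grant_types_supported": ["authorization_code"],
    "code_challenge_methods_supported": ["plain"],                 # no S256
})


def check_discovery(doc_json: str, discovery_url: str) -> list[str]:
    """Return the problems found; an empty list means the provider looks usable."""
    doc = json.loads(doc_json)
    problems = []
    # Endpoints every OpenID Connect Discovery 1.0 document must carry, all over https.
    for key in ENDPOINT_KEYS:
        if key not in doc:
            problems.append(f"discovery document lacks {key}")
        elif urlparse(doc[key]).scheme != "https":
            problems.append(f"{key} is not https")
    # Discovery requires the published issuer to be exactly the URL prefix the
    # document was fetched from; a mismatch is a sign of a proxy or mix-up problem.
    issuer = doc.get("issuer", "")
    if issuer and discovery_url != issuer.rstrip("/") + "/.well-known/openid-configuration":
        problems.append("issuer does not match the discovery URL")
    # The browser-side flow needs response_type=code, the authorization_code grant
    # and PKCE S256; a public client has no secret, so S256 is what protects the exchange.
    if "code" not in doc.get("response_types_supported", []):
        problems.append("response_type=code not supported")
    if "authorization_code" not in doc.get("grant_types_supported", ["authorization_code", "implicit"]):
        problems.append("authorization_code grant not supported")
    if "S256" not in doc.get("code_challenge_methods_supported", []):
        problems.append("PKCE S256 not advertised; required for a public client")
    # scopes_supported is only recommended by the spec; if absent, check the
    # client's allowed scopes in the provider's UI instead.
    if "scopes_supported" in doc:
        missing = REQUIRED_SCOPES - set(doc["scopes_supported"])
        if missing:
            problems.append("scopes not advertised: " + ", ".join(sorted(missing)))
    else:
        problems.append("scopes_supported not published; confirm openid profile email groups manually")
    return problems


def check_redirect_uri(uri: str) -> list[str]:
    """Check a redirect URI you intend to register against the requirement that
    the callback is exactly http(s)://DOMAIN:PORT/login (rules chosen for this example)."""
    p = urlparse(uri)
    problems = []
    if p.scheme not in ("http", "https"):
        problems.append("scheme must be http or https")
    elif p.scheme == "http" and p.hostname not in ("localhost", "127.0.0.1"):
        problems.append("plain http is only acceptable for local testing")
    if p.hostname is None or "*" in p.hostname:
        problems.append("host must be a single exact host, no wildcards")
    if p.path != "/login":
        problems.append("path must be /login")
    if p.query or p.fragment:
        problems.append("no query string or fragment allowed")
    return problems


if __name__ == "__main__":
    print("good provider:", check_discovery(SAMPLE_DISCOVERY, DISCOVERY_URL) or "ok")
    print("weak provider:", check_discovery(SAMPLE_DISCOVERY_WEAK, DISCOVERY_URL))
    for uri in ("https://mealie.example.com/login", "https://*.example.com/login"):
        print(uri, check_redirect_uri(uri) or "ok")
```

To run it against a real provider, fetch the discovery URL with any HTTP client and pass the response body and the URL you fetched to check_discovery. An empty result does not prove the client is configured correctly (the client's own allowed scopes and redirect URIs are not in the discovery document), but a non-empty one points at a setting to fix before the first login attempt.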

Examples

Authelia

Follow the instructions in Authelia's documentation. Below is an example config.

!!! warning

    This is only an example and not an exhaustive configuration. Read through Authelia's documentation and adjust the configuration to your deployment.

```yaml
identity_providers:
  oidc:
    access_token_lifespan: 1h
    authorize_code_lifespan: 1m
    id_token_lifespan: 1h
    refresh_token_lifespan: 90m
    enable_client_debug_messages: false
    # Mealie is registered as a public client below, so this makes PKCE mandatory for it.
    enforce_pkce: public_clients_only
    cors:
      endpoints:
        - authorization
        - token
        - revocation
        - introspection
      # Origin only (scheme, host, port); the browser calls these endpoints from the Mealie page.
      allowed_origins:
        - https://mealie.example.com
      allowed_origins_from_client_redirect_uris: false
    clients:
      - id: mealie
        description: Mealie
        # one_factor or two_factor; use two_factor to require a second factor for Mealie logins.
        authorization_policy: one_factor
        # Matched exactly: one entry per origin Mealie is served from, always ending in /login.
        redirect_uris:
          - https://mealie.example.com/login
        # Public client: no client secret is issued, PKCE protects the code exchange instead.
        public: true
        grant_types:
          - authorization_code
        scopes:
          - openid
          - profile
          - groups
          - email
          - offline_access
```