feat: Add OIDC_USER_CLAIM (#3422)

* feat: Add OIDC_USER_CLAIM

* fix: add validation
This commit is contained in:
tba-code 2024-04-04 16:16:54 -05:00 committed by GitHub
parent fa9a2d64f7
commit 1099e30a1d
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
3 changed files with 6 additions and 2 deletions


@ -96,6 +96,7 @@ For usage, see [Usage - OpenID Connect](../authentication/oidc.md)
| OIDC_PROVIDER_NAME | OAuth | The provider name is shown in SSO login button. "Login with <OIDC_PROVIDER_NAME\>" |
| OIDC_REMEMBER_ME | False | Because redirects bypass the login screen, you cant extend your session by clicking the "Remember Me" checkbox. By setting this value to true, a session will be extended as if "Remember Me" was checked |
| OIDC_SIGNING_ALGORITHM | RS256 | The algorithm used to sign the id token (examples: RS256, HS256) |
| OIDC_USER_CLAIM | email | Optional: 'email', 'preferred_username'
### Themeing


@ -34,7 +34,7 @@ class OpenIDProvider(AuthProvider[OIDCRequest]):
repos = get_repositories(self.session)
user = self.try_get_user(claims.get("email"))
user = self.try_get_user(claims.get(settings.OIDC_USER_CLAIM))
group_claim = claims.get("groups", [])
is_admin = settings.OIDC_ADMIN_GROUP in group_claim if settings.OIDC_ADMIN_GROUP else False
is_valid_user = settings.OIDC_USER_GROUP in group_claim if settings.OIDC_USER_GROUP else True
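Review bot: `user = self.try_get_user(claims.get(settings.OIDC_USER_CLAIM))` on the new line still passes `None` to `try_get_user` when the configured claim is absent from the token, and the hunk adds no guard for that case; `preferred_username` in particular is typically only returned when the `profile` scope was requested, so a lookup on `None` is more likely than it was with `email`. Read the value first and stop when it is empty, e.g. `user_claim_value = claims.get(settings.OIDC_USER_CLAIM)` followed by `if not user_claim_value:` taking whatever failure path the surrounding method already uses; that method starts and ends outside this hunk, so I cannot tell which one applies. Separately, OIDC Core 5.1 says the relying party must not rely on `preferred_username` being unique or stable, so a comment at this line such as `# NOTE: preferred_username is not guaranteed unique by OIDC Core 5.1 - only use it with an IdP that enforces uniqueness` would warn the next maintainer (and the docs row for OIDC_USER_CLAIM deserves the same caveat).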


@ -183,6 +183,7 @@ class AppSettings(BaseSettings):
OIDC_PROVIDER_NAME: str = "OAuth"
OIDC_REMEMBER_ME: bool = False
OIDC_SIGNING_ALGORITHM: str = "RS256"
OIDC_USER_CLAIM: str = "email"
@property
def OIDC_READY(self) -> bool:
@ -190,7 +191,9 @@ class AppSettings(BaseSettings):
required = {self.OIDC_CLIENT_ID, self.OIDC_CONFIGURATION_URL}
not_none = None not in required
return self.OIDC_AUTH_ENABLED and not_none
valid_user_claim = self.OIDC_USER_CLAIM in ["email", "preferred_username"]
return self.OIDC_AUTH_ENABLED and not_none and valid_user_claim
# ===============================================
# Testing Config