Merge pull request #3323 from cmintey/authelia-docs-update

OIDC Docs Updates

docs/docs/documentation/getting-started/authentication/oidc.md

@@ -1,6 +1,6 @@
 # OpenID Connect (OIDC) Authentication
 
-Mealie supports 3rd party authentication via [OpenID Connect (OIDC)](https://openid.net/connect/), an identity layer built on top of OAuth2. OIDC is supported by many identity providers, including:
+Mealie supports 3rd party authentication via [OpenID Connect (OIDC)](https://openid.net/connect/), an identity layer built on top of OAuth2. OIDC is supported by many Identity Providers (IdP), including:
 
 - [Authentik](https://goauthentik.io/integrations/sources/oauth/#openid-connect)
 - [Authelia](https://www.authelia.com/configuration/identity-providers/open-id-connect/)
@@ -13,7 +13,7 @@ Signing in with OAuth will automatically find your account in Mealie and link to
 
 ## Provider Setup
 
-Before you can start using OIDC Authentication, you must first configure a new client application in your identity provider. Your identity provider must support the OAuth **Authorization Code** flow (with PKCE). The steps will vary by provider, but generally, the steps are as follows.
+Before you can start using OIDC Authentication, you must first configure a new client application in your identity provider. Your identity provider must support the OAuth **Authorization Code flow with PKCE**. The steps will vary by provider, but generally, the steps are as follows.
 
 1. Create a new client application
     - The Provider type should be OIDC or OAuth2
@@ -23,9 +23,13 @@ Before you can start using OIDC Authentication, you must first configure a new c
 
 2. Configure redirect URI
 
-    The only redirect URI that is needed is `http(s)://DOMAIN:PORT/login`
+    The redirect URI(s) that are needed:
 
-    The redirect URI should include any URL that Mealie is accessible from. Some examples include
+    1. `http(s)://DOMAIN:PORT/login`
+    2. `https(s)://DOMAIN:PORT/login?direct=1`
+        1. This URI is only required if your IdP supports [RP-Initiated Logout](https://openid.net/specs/openid-connect-rpinitiated-1_0.html) such as Keycloak. You may also be able to combine this into the previous URI by using a wildcard: `http(s)://DOMAIN:PORT/login*`
+
+    The redirect URI(s) should include any URL that Mealie is accessible from. Some examples include
 
         http://localhost:9091/login
         https://mealie.example.com/login
@@ -44,45 +48,6 @@ Take the client id and your discovery URL and update your environment variables
 
 ## Examples
 
-### Authelia
+Example configurations for several Identity Providers have been provided by the Community in the [GitHub Discussions](https://github.com/mealie-recipes/mealie/discussions/categories/oauth-provider-example).
 
-Follow the instructions in [Authelia's documentation](https://www.authelia.com/configuration/identity-providers/open-id-connect/). Below is an example config.
+If you don't see your provider and have successfully set it up, please consider [creating your own example](https://github.com/mealie-recipes/mealie/discussions/new?category=oauth-provider-example) so that others can have a smoother setup.
-
-!!! warning
-
-    This is only an example and not meant to be an exhaustive configuration. You should read through the documentation and adjust your configuration as needed.
-
-```yaml
-identity_providers:
-  oidc:
-    access_token_lifespan: 1h
-    authorize_code_lifespan: 1m
-    id_token_lifespan: 1h
-    refresh_token_lifespan: 90m
-    enable_client_debug_messages: false
-    enforce_pkce: public_clients_only
-    cors:
-      endpoints:
-        - authorization
-        - token
-        - revocation
-        - introspection
-      allowed_origins:
-        - https://mealie.example.com
-      allowed_origins_from_client_redirect_uris: false
-    clients:
-      - id: mealie
-        description: Mealie
-        authorization_policy: one_factor
-        redirect_uris:
-          - https://mealie.example.com/login
-        public: true
-        grant_types:
-          - authorization_code
-        scopes:
-          - openid
-          - profile
-          - groups
-          - email
-          - offline_access
-```

docs/docs/documentation/getting-started/installation/backend-config.md

@@ -85,8 +85,8 @@ For usage, see [Usage - OpenID Connect](../authentication/oidc.md)
 | OIDC_SIGNUP_ENABLED | True | Enables new users to be created when signing in for the first time with OIDC |
 | OIDC_CONFIGURATION_URL | None | The URL to the OIDC configuration of your provider. This is usually something like https://auth.example.com/.well-known/openid-configuration |
 | OIDC_CLIENT_ID | None | The client id of your configured client in your provider |
-| OIDC_USER_GROUP| None | If specified, this group must be present in the user's group claim in order to authenticate |
+| OIDC_USER_GROUP| None | If specified, only users belonging to this group will be able to successfully authenticate, regardless of the OIDC_ADMIN_GROUP |
-| OIDC_ADMIN_GROUP | None | If this group is present in the group claims, the user will be set as an admin |
+| OIDC_ADMIN_GROUP | None | If specified, users belonging to this group will be made an admin |
 | OIDC_AUTO_REDIRECT | False | If `True`, then the login page will be bypassed an you will be sent directly to your Identity Provider. You can still get to the login page by adding `?direct=1` to the login URL |
 | OIDC_PROVIDER_NAME | OAuth | The provider name is shown in SSO login button. "Login with <OIDC_PROVIDER_NAME\>" |
 | OIDC_REMEMBER_ME | False | Because redirects bypass the login screen, you cant extend your session by clicking the "Remember Me" checkbox. By setting this value to true, a session will be extended as if "Remember Me" was checked |

docs/mkdocs.yml

@@ -41,7 +41,8 @@ markdown_extensions:
       custom_checkbox: true
   - admonition
   - attr_list
-  - pymdownx.tabbed
+  - pymdownx.tabbed:
+      alternate_style: true
   - pymdownx.superfences:
       custom_fences:
         - name: mermaid