
[Enhancement] OpenID Connect/SSO support #1844

Closed
dan-r opened this issue May 15, 2023 · 13 comments
Labels
enhancement New feature or request Project for volunteers The team has no plans to work on it (e.g. lack of time) but an external contribution is accepted

Comments

@dan-r

dan-r commented May 15, 2023

Is there any plan or want for implementing SSO or another method of automatic external authentication like header auth?

I'm happy to write the feature and raise a PR for this, but am a little unsure on how to handle the 'administrator' access level, as from the current implementation there is only one, whereas with a third party IDP you could potentially have a group of administrators.

@ildyria
Member

ildyria commented May 15, 2023

Hi,

There was a request for LDAP integration but it ended up being rejected because the author was not complying with our phpstan requests and testing. :(

We do support Header Auth token (if generated by Lychee), but this requires pre-registration.

I would also suggest you have a look at:
https://laravel.com/docs/10.x/socialite
and
#792

You will still need to create a user in the Lychee DB (either on successful login to the SSO system) in order to track the rights; that will be the way to define whether admin access is provided or not.

@ildyria ildyria added enhancement New feature or request Project for volunteers The team has no plans to work on it (e.g. lack of time) but an external contribution is accepted labels May 15, 2023
@ildyria
Member

ildyria commented Jan 14, 2024

@dan-r FYI #2190 will provide Oauth support to major providers (Amazon, Facebook, Google, GitHub, NextCloud, Mastodon, Microsoft).

@dan-r
Author

dan-r commented Jan 14, 2024

@ildyria great news, thanks for letting me know. Sorry I didn't get the chance to take a look at implementing it! I'll give the PR a test.

@ildyria
Member

ildyria commented Jan 14, 2024

To clarify this still requires the user to have an account and then we link it.
But now that the ground work is laid down, it should be easy to add a setting to allow creation of accounts on Oauth authentication.

@ildyria
Member

ildyria commented Jun 21, 2024

@dan-r Check out #2475 (though untested)

@jsaathof
Contributor

jsaathof commented Jul 5, 2024

This is a valuable addition for having SSO. It no longer requires you to add a new user beforehand. I have tested this with my Keycloak environment. It works just fine. Now if only I had user group support where I just have to add the new user to a group to give access to multiple albums, that would be awesome!

I do understand the warning about "shooting yourself in the foot" when using other, public OIDC authentication mechanisms. Anyone can log in and create an account.

@hhanzo1

hhanzo1 commented Jul 21, 2024

I have Google OAuth2 setup and can authenticate to Lychee successfully.

My understanding is that we need to create a Lychee account first, then a user can click on the G icon and authenticate via OAuth.

I have the following defaults:

oauth_create_user_on_first_attempt 0
oauth_grant_new_user_upload_rights 0
oauth_grant_new_user_modification_rights 0

I can authenticate with Google even if I don't have a Lychee account created. Also it looks like the admin account since I can view Settings etc.

What could I be missing?

Thanks.

@ildyria
Member

ildyria commented Jul 21, 2024

wohowowowo

My understanding is that we need to create a Lychee account first, then a user can click on the G icon and authenticate via OAuth.

Yes.

I can authenticate with Google even if I dont have a Lychee account created. Also it looks like the admin account since I can view Settings etc.

That would be BAD.

Let me check.

@ildyria
Member

ildyria commented Jul 21, 2024

I can authenticate with Google even if I dont have a Lychee account created. Also it looks like the admin account since I can view Settings etc.

Can you check in the admin user profile panel what is in the "Set up Oauth authentication" part.
I am not able to reproduce your bug with my GitHub Oauth.

@hhanzo1

hhanzo1 commented Jul 21, 2024

Can you check in the admin user profile panel what is in the "Set up Oauth authentication" part.

It shows 'Set up Google', I click on it then it says 'Google token registered (reset)'

I am not able to reproduce your bug with my GitHub Oauth.

I'll test again today and will test with Github Oauth then report back.

I tested with Github Oauth and get the same behaviour. I can authenticate with my Github account without an established Lychee account as admin. I've tried incognito mode and on mobile phone with the same result.

There must be something wrong in my config attached maybe?

lychee-diag.txt

In my .env not sure if this is related?

SECURITY_HEADER_HSTS_ENABLE=false
SECURITY_HEADER_CSP_CONNECT_SRC=
SECURITY_HEADER_SCRIPT_SRC_ALLOW=
SESSION_SECURE_COOKIE=false

and the Oauth config looks like this

GITHUB_CLIENT_ID=********************
GITHUB_CLIENT_SECRET=*******************************
GITHUB_REDIRECT_URI=/auth/github/redirect

GOOGLE_CLIENT_ID=*********************************************.apps.googleusercontent.com
GOOGLE_CLIENT_SECRET=GOCSPX-****************************
GOOGLE_REDIRECT_URI=/auth/google/redirect

@ildyria
Member

ildyria commented Jul 22, 2024

It shows 'Set up Google', I click on it then it says 'Google token registered (reset)'

It literally says here that the google token is linked. Just click reset and it will be fine.

@ildyria
Member

ildyria commented Jul 22, 2024

When you click on set up the connection, you are linking the account to your google account!
Like this is the INTENDED behavior.

@hhanzo1

hhanzo1 commented Jul 22, 2024

When you click on set up the connection, you are linking the account to your google account!
Like this is the INTENDED behavior.

OK. This is the point that I was missing.

Updated flow:

  1. Add a new local account and password
  2. Authenticate with new local account <-- critical step
  3. Choose U2F then select Set up Google
  4. Logout
  5. Authenticate with Google by clicking on the G

I can confirm it's working great.

Thank you!
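The behaviour worked out in this thread (the three `oauth_*` settings quoted above, the profile-page "Set up Google" link step, and the later "(reset)") can be expressed as a small state model. The following is an added example written for this page, not Lychee's code: the class names, the `Gallery` store, the `sub-123`/`sub-9` provider subjects and the `admin` account are all constructed here, and only the three setting names are taken from the thread. What it shows is why the reporter saw the admin account after a Google login: an IdP login only ever resolves to a local account that was explicitly linked while that account was logged in, or, if `oauth_create_user_on_first_attempt` is on, to a freshly provisioned non-admin account.

```python
"""Model of the OAuth account-linking semantics discussed in the thread.

Added example, not Lychee's code. Setting names are the three oauth_* keys
quoted in the thread; provider subjects and the admin user are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class OAuthSettings:
    # Defaults mirror the values quoted in the thread (all 0 / off).
    create_user_on_first_attempt: bool = False
    grant_new_user_upload_rights: bool = False
    grant_new_user_modification_rights: bool = False


@dataclass
class User:
    username: str
    is_admin: bool = False
    may_upload: bool = False
    may_edit_own_settings: bool = False


@dataclass
class Gallery:
    settings: OAuthSettings
    users: Dict[str, User] = field(default_factory=dict)
    # (provider, subject) -> local username. Only link_identity() and the
    # opt-in auto-provisioning path add entries; a successful IdP login
    # by itself never does.
    identities: Dict[Tuple[str, str], str] = field(default_factory=dict)

    def link_identity(self, session_user: Optional[str], provider: str, subject: str) -> None:
        """The profile-page 'Set up <provider>' button: binds the IdP identity
        to whichever local account is currently logged in (step 3 above)."""
        if session_user is None or session_user not in self.users:
            raise PermissionError("linking requires an authenticated local session")
        if (provider, subject) in self.identities:
            raise ValueError("identity already linked to a local account")
        self.identities[(provider, subject)] = session_user

    def reset_identity(self, session_user: str, provider: str) -> None:
        """The '(reset)' link: drop this user's binding for the provider."""
        stale = [k for k, u in self.identities.items() if u == session_user and k[0] == provider]
        for key in stale:
            del self.identities[key]

    def oauth_login(self, provider: str, subject: str) -> Optional[User]:
        """Callback after the IdP has verified the user. Returns the local
        user that gets a session, or None if the IdP identity is unknown."""
        key = (provider, subject)
        if key in self.identities:
            return self.users[self.identities[key]]
        if not self.settings.create_user_on_first_attempt:
            return None
        # Auto-provisioning: a fresh account that is never admin; its rights
        # come only from the two grant_new_user_* settings.
        username = f"{provider}:{subject}"
        user = User(
            username,
            is_admin=False,
            may_upload=self.settings.grant_new_user_upload_rights,
            may_edit_own_settings=self.settings.grant_new_user_modification_rights,
        )
        self.users[username] = user
        self.identities[key] = username
        return user


def walkthrough() -> dict:
    """Replays the thread: defaults, then the link step, then the reset."""
    g = Gallery(OAuthSettings())
    g.users["admin"] = User("admin", is_admin=True, may_upload=True, may_edit_own_settings=True)
    out = {}
    # Step 5 without steps 1-3: IdP success alone creates no session.
    out["unlinked"] = g.oauth_login("google", "sub-123")
    # Steps 2-3: admin is logged in locally and clicks 'Set up Google'.
    g.link_identity("admin", "google", "sub-123")
    # Step 5: Google now lands the caller in the admin account (intended).
    out["linked"] = g.oauth_login("google", "sub-123")
    # Clicking '(reset)' severs the binding again.
    g.reset_identity("admin", "google")
    out["after_reset"] = g.oauth_login("google", "sub-123")
    # Opt-in auto-provisioning on a second instance: new account, never admin.
    g2 = Gallery(OAuthSettings(create_user_on_first_attempt=True))
    out["provisioned"] = g2.oauth_login("github", "sub-9")
    return out
```

The model makes the "shooting yourself in the foot" remark from earlier in the thread concrete: with `create_user_on_first_attempt` on and a public IdP, anyone the IdP will authenticate gets a local account, so the two `grant_new_user_*` settings are what bound the blast radius, and the admin account is reachable only through a binding made from an authenticated admin session.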

@ildyria ildyria closed this as completed Jul 23, 2024