feat: assign users to teams via OIDC claims (#1393)

This change adds the ability to sync teams via a custom openid claim. Vikunja will automatically create and delete teams as necessary, it will also add and remove users when they log in. These teams are fully managed by Vikunja and cannot be updated by a user. Co-authored-by: kolaente <k@knt.li> Reviewed-on: https://kolaente.dev/vikunja/vikunja/pulls/1393 Resolves https://kolaente.dev/vikunja/vikunja/issues/1279 Resolves https://github.com/go-vikunja/vikunja/issues/42 Resolves https://kolaente.dev/vikunja/vikunja/issues/950 Co-authored-by: viehlieb <pf@pragma-shift.net> Co-committed-by: viehlieb <pf@pragma-shift.net>
2024-03-02 08:47:10 +00:00
parent f18cde269b
commit ed4da96ab1
26 changed files with 686 additions and 32 deletions
--- a/config.yml.sample
+++ b/config.yml.sample
@ -6,7 +6,7 @@ service:
  # The duration of the issued JWT tokens in seconds.
  # The default is 259200 seconds (3 Days).
  jwtttl: 259200
-  # The duration of the "remember me" time in seconds. When the login request is made with 
+  # The duration of the "remember me" time in seconds. When the login request is made with
  # the long param set, the token returned will be valid for this period.
  # The default is 2592000 seconds (30 Days).
  jwtttllong: 2592000
@ -48,7 +48,7 @@ service:
  # If enabled, vikunja will send an email to everyone who is either assigned to a task or created it when a task reminder
  # is due.
  enableemailreminders: true
-  # If true, will allow users to request the complete deletion of their account. When using external authentication methods 
+  # If true, will allow users to request the complete deletion of their account. When using external authentication methods
  # it may be required to coordinate with them in order to delete the account. This setting will not affect the cli commands
  # for user deletion.
  enableuserdeletion: true
@ -109,7 +109,7 @@ database:
 typesense:
  # Whether to enable the Typesense integration. If true, all tasks will be synced to the configured Typesense
  # instance and all search and filtering will run through Typesense instead of only through the database.
-  # Typesense allows fast fulltext search including fuzzy matching support. It may return different results than 
+  # Typesense allows fast fulltext search including fuzzy matching support. It may return different results than
  # what you'd get with a database-only search.
  enabled: false
  # The url to the Typesense instance you want to use. Can be hosted locally or in Typesense Cloud as long
@ -203,7 +203,7 @@ ratelimit:
  # Possible values are "keyvalue", "memory" or "redis".
  # When choosing "keyvalue" this setting follows the one configured in the "keyvalue" section.
  store: keyvalue
-  # The number of requests a user can make from the same IP to all unauthenticated routes (login, register, 
+  # The number of requests a user can make from the same IP to all unauthenticated routes (login, register,
  # password confirmation, email verification, password reset request) per minute. This limit cannot be disabled.
  # You should only change this if you know what you're doing.
  noauthlimit: 10
@ -325,6 +325,10 @@ auth:
        clientid:
        # The client secret used to authenticate Vikunja at the OpenID Connect provider.
        clientsecret:
+        # The scope necessary to use oidc.
+        # If you want to use the Feature to create and assign to vikunja teams via oidc, you have to add the custom "vikunja_scope" and check [openid.md](https://vikunja.io/docs/openid/).
+        # e.g. scope: openid email profile vikunja_scope
+        scope: openid email profile

 # Prometheus metrics endpoint
 metrics: