Removed 'public' OIDC flow from application. Deprecated 'AUTH_OIDC_CLIENT_TYPE'. Removed 'AUTH_OIDC_CLIENT_TYPE' from documentation. Updated OIDC config checks. Removed 'AUTH_OIDC_CLIENT_TYPE' and 'public' OIDC flow references from README.md

This commit is contained in:
Glenn de Haan
2024-09-30 19:35:39 +02:00
parent 9e6eece08b
commit 4ad1b68161
10 changed files with 37 additions and 73 deletions


@@ -44,13 +44,12 @@
Now, configure your UniFi Voucher Site to use the Authentik client.
1. In your UniFi Voucher Site configuration, set `AUTH_OIDC_CLIENT_TYPE` as `confidential`.
2. Set the `AUTH_OIDC_CLIENT_ID` as configured in Authentik (found in the Authentik provider configuration).
3. Provide the `AUTH_OIDC_CLIENT_SECRET` (found in the Authentik provider configuration).
4. Provide the `AUTH_OIDC_ISSUER_BASE_URL` from your Authentik provider.
1. Set the `AUTH_OIDC_CLIENT_ID` as configured in Authentik (found in the Authentik provider configuration).
2. Provide the `AUTH_OIDC_CLIENT_SECRET` (found in the Authentik provider configuration).
3. Provide the `AUTH_OIDC_ISSUER_BASE_URL` from your Authentik provider.
- You can find this under **Providers > unifi-voucher-provider > OpenID Configuration URL** in Authentik.
5. Provide the `AUTH_OIDC_APP_BASE_URL` from your UniFi Voucher Site instance (e.g., `https://voucher.example.com`).
6. Restart the container after these changes
4. Provide the `AUTH_OIDC_APP_BASE_URL` from your UniFi Voucher Site instance (e.g., `https://voucher.example.com`).
5. Restart the container after these changes
---
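Review bot: with the `AUTH_OIDC_CLIENT_TYPE` step gone, the guide no longer tells the operator what kind of Authentik provider to create, yet the application now only performs the Authorization Code flow with a client secret (this commit hardcodes `response_type: 'code'` and makes `AUTH_OIDC_CLIENT_SECRET` mandatory). Add a sentence before step 1 stating that the provider must be a confidential client with the Authorization Code grant, otherwise the token exchange fails after the redirect. Step 5 (`Restart the container after these changes`) is also missing its closing period.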
@@ -62,4 +61,4 @@ Now, configure your UniFi Voucher Site to use the Authentik client.
### Common Issues
- **Invalid Redirect URI**: Ensure the callback URI matches what is configured in Authentik.
- **Client Secret Errors** (for confidential clients): Double-check the client secret in both Authentik and your UniFi configuration.
- **Client Secret Errors**: Double-check the client secret in both Authentik and your UniFi configuration.


@@ -50,12 +50,11 @@ Youll see various tabs for configuring the client. Set the following fields:
Now, configure your UniFi Voucher Site to use the Keycloak client.
1. In your UniFi Voucher Site configuration, set `AUTH_OIDC_CLIENT_TYPE` as `confidential`.
2. Set the `AUTH_OIDC_CLIENT_ID` as configured in Keycloak (e.g., `unifi-voucher-site`).
3. Provide the `AUTH_OIDC_CLIENT_SECRET` (found in the Credentials tab in Keycloak).
4. Provide the `AUTH_OIDC_ISSUER_BASE_URL` from your Keycloak server (e.g., `https://auth.example.com/realms/{realm}/.well-known/openid-configuration`).
5. Provide the `AUTH_OIDC_APP_BASE_URL` from your UniFi Voucher Site instance (e.g., `https://voucher.example.com`).
6. Restart the container after these changes
1. Set the `AUTH_OIDC_CLIENT_ID` as configured in Keycloak (e.g., `unifi-voucher-site`).
2. Provide the `AUTH_OIDC_CLIENT_SECRET` (found in the Credentials tab in Keycloak).
3. Provide the `AUTH_OIDC_ISSUER_BASE_URL` from your Keycloak server (e.g., `https://auth.example.com/realms/{realm}/.well-known/openid-configuration`).
4. Provide the `AUTH_OIDC_APP_BASE_URL` from your UniFi Voucher Site instance (e.g., `https://voucher.example.com`).
5. Restart the container after these changes
---
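Review bot: the unchanged context in the hunk header still reads `Youll see various tabs for configuring the client`, which should be `You'll`; worth fixing while this file is being touched. As in the Authentik guide, the removed step was the only place that told the operator the Keycloak client must be a confidential client (client authentication enabled); a short note to that effect before step 1 would replace the lost information, since the application now only supports the Authorization Code flow with a client secret.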
@@ -67,4 +66,4 @@ Now, configure your UniFi Voucher Site to use the Keycloak client.
### Common Issues
- **Invalid Redirect URI**: Ensure the callback URI matches what is configured in Keycloak.
- **Client Secret Errors** (for confidential clients): Double-check the client secret in both Keycloak and your UniFi configuration.
- **Client Secret Errors**: Double-check the client secret in both Keycloak and your UniFi configuration.


@@ -38,12 +38,11 @@
Now, configure your UniFi Voucher Site to use the UID client.
1. In your UniFi Voucher Site configuration, set `AUTH_OIDC_CLIENT_TYPE` as `confidential`.
2. Set the `AUTH_OIDC_CLIENT_ID` as found within the UID Application.
3. Provide the `AUTH_OIDC_CLIENT_SECRET` as found within the UID Application.
4. Provide the `AUTH_OIDC_ISSUER_BASE_URL` from your UID domain (e.g., `https://your-site.ui.com/gw/idp/api/v1/public/oauth/your-secret-token/.well-known/openid-configuration`).
5. Provide the `AUTH_OIDC_APP_BASE_URL` from your UniFi Voucher Site instance (e.g., `https://voucher.example.com`).
6. Restart the container after these changes
1. Set the `AUTH_OIDC_CLIENT_ID` as found within the UID Application.
2. Provide the `AUTH_OIDC_CLIENT_SECRET` as found within the UID Application.
3. Provide the `AUTH_OIDC_ISSUER_BASE_URL` from your UID domain (e.g., `https://your-site.ui.com/gw/idp/api/v1/public/oauth/your-secret-token/.well-known/openid-configuration`).
4. Provide the `AUTH_OIDC_APP_BASE_URL` from your UniFi Voucher Site instance (e.g., `https://voucher.example.com`).
5. Restart the container after these changes
---
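Review bot: the example issuer URL in step 3 embeds a `your-secret-token` path segment, which the guide itself labels as a secret, but the text treats `AUTH_OIDC_ISSUER_BASE_URL` as an ordinary setting. The OIDC module in this commit logs the issuer at info level (`log.info(`[OIDC] Issuer: ${settings.issuerBaseURL}, Client: ${settings.clientID}`)`), so that token would end up in container logs; either state here that the URL is sensitive and should be handled like `AUTH_OIDC_CLIENT_SECRET`, or mask it in the log line.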


@@ -46,12 +46,11 @@ Now, create an application under the project you just created.
Now, configure your UniFi Voucher Site to use the ZITADEL client.
1. In your UniFi Voucher Site configuration, set `AUTH_OIDC_CLIENT_TYPE` as `confidential`.
2. Set the `AUTH_OIDC_CLIENT_ID` as the ClientId found within the ZITADEL Popup.
3. Provide the `AUTH_OIDC_CLIENT_SECRET` as the ClientSecret found within the ZITADEL Popup.
4. Provide the `AUTH_OIDC_ISSUER_BASE_URL` from your Keycloak server (e.g., `https://auth.example.com/.well-known/openid-configuration`).
5. Provide the `AUTH_OIDC_APP_BASE_URL` from your UniFi Voucher Site instance (e.g., `https://voucher.example.com`).
6. Restart the container after these changes
1. Set the `AUTH_OIDC_CLIENT_ID` as the ClientId found within the ZITADEL Popup.
2. Provide the `AUTH_OIDC_CLIENT_SECRET` as the ClientSecret found within the ZITADEL Popup.
3. Provide the `AUTH_OIDC_ISSUER_BASE_URL` from your Keycloak server (e.g., `https://auth.example.com/.well-known/openid-configuration`).
4. Provide the `AUTH_OIDC_APP_BASE_URL` from your UniFi Voucher Site instance (e.g., `https://voucher.example.com`).
5. Restart the container after these changes
---
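Review bot: step 3 still says `Provide the AUTH_OIDC_ISSUER_BASE_URL from your Keycloak server` in the ZITADEL guide; this reads as copied from the Keycloak page and should say ZITADEL instance. The renumbering did not touch the wording, so the mistake survives the change.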
@@ -63,4 +62,4 @@ Now, configure your UniFi Voucher Site to use the ZITADEL client.
### Common Issues
- **Invalid Redirect URI**: Ensure the callback URI matches what is configured in ZITADEL.
- **Client Secret Errors** (for confidential clients): Ensure that the client secret in both ZITADEL and your UniFi configuration match.
- **Client Secret Errors**: Ensure that the client secret in both ZITADEL and your UniFi configuration match.


@@ -84,9 +84,7 @@ services:
AUTH_OIDC_APP_BASE_URL: ''
# OIDC client id provided by oauth provider
AUTH_OIDC_CLIENT_ID: ''
# OIDC client type, public/confidential
AUTH_OIDC_CLIENT_TYPE: 'public'
# OIDC client secret provided by oauth provider (Only required when using confidential client type)
# OIDC client secret provided by oauth provider
AUTH_OIDC_CLIENT_SECRET: ''
# Disables the login/authentication for the portal and API
AUTH_DISABLE: 'false'
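Review bot: the compose example now makes `AUTH_OIDC_CLIENT_SECRET` mandatory for OIDC but still presents it as an inline value (`AUTH_OIDC_CLIENT_SECRET: ''`), which nudges operators toward committing the secret into the compose file. Since the value is no longer optional, the comment above it should point at an `env_file` or a Docker secret instead of an inline literal.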
@@ -283,7 +281,7 @@ AUTH_INTERNAL_PASSWORD: '0000'
### 2. OpenID Connect (OIDC) Authentication
The UniFi Voucher Site allows seamless integration with OpenID Connect (OIDC), enabling users to authenticate through their preferred identity provider (IdP). With support for both Public and Confidential client types. Configuration is easy using environment variables to align with your existing OIDC provider.
The UniFi Voucher Site allows seamless integration with OpenID Connect (OIDC), enabling users to authenticate through their preferred identity provider (IdP). Configuration is easy using environment variables to align with your existing OIDC provider.
#### Configuration
@@ -298,28 +296,16 @@ To enable OIDC authentication, set the following environment variables in your a
- **`AUTH_OIDC_CLIENT_ID`**:
The client ID registered with your OIDC provider. This value is specific to the OIDC client created for the UniFi Voucher Site.
- **`AUTH_OIDC_CLIENT_TYPE`**:
Specify the type of OIDC client:
- **`public`**: Uses the Implicit flow (default).
- **`confidential`**: Uses the Authorization Code flow with client secret.
- **`AUTH_OIDC_CLIENT_SECRET`** (required if using the Confidential client type):
The client secret associated with your OIDC provider, necessary when using the Authorization Code flow.
- **`AUTH_OIDC_CLIENT_SECRET`**:
The client secret associated with your OIDC provider. This value is specific to the OIDC client created for the UniFi Voucher Site.
> Please note that **enabling OIDC support will automatically disable the built-in login system**. Once OIDC is activated, all user authentication will be handled through your configured identity provider, and the local login mechanism will no longer be available.
#### OIDC Client Configuration
When configuring your OIDC client, ensure the following settings are enabled based on your chosen client type:
- **Public Client (Implicit Flow)**: The OIDC client **must** support the Implicit flow. Be sure to enable both the ID token and access token retrieval.
- **Confidential Client (Authorization Code Flow)**: The client secret is required for secure token exchanges.
> Ensure your idP supports **Confidential Clients** with the **Authorization Code Flow**
#### Determine Supported Client Types
To identify which client types your OpenID Connect (OIDC) provider supports (Public or Confidential), you can check the `.well-known/openid-configuration` endpoint. This endpoint contains metadata about the OIDC provider, including the supported flows and grant types.
##### Steps to Check Supported Client Types
To identify which client types your OpenID Connect (OIDC) provider supports, you can check the `.well-known/openid-configuration` endpoint. This endpoint contains metadata about the OIDC provider, including the supported flows and grant types.
1. **Access the `.well-known/openid-configuration` URL:**
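Review bot: the heading `#### Determine Supported Client Types` and the sentence `To identify which client types your OpenID Connect (OIDC) provider supports` are kept, but after this commit there is no client type to choose; reword both to the check that actually matters now, for example `Verify Authorization Code Flow Support` and `to verify that your provider supports the Authorization Code flow`. Also, `idP` in the blockquote should be `IdP`, matching the rest of the section.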
@@ -330,9 +316,7 @@ To identify which client types your OpenID Connect (OIDC) provider supports (Pub
2. **Look for the `grant_types_supported` Field:**
In the returned JSON, the `grant_types_supported` field will indicate the flows your provider supports:
- **For Public Clients (Implicit Flow):** Look for `implicit`.
- **For Confidential Clients (Authorization Code Flow):** Look for `authorization_code`.
In the returned JSON, the `grant_types_supported` field will indicate the flows your provider supports: Check if your response contains `authorization_code`.
Example snippet:
```json
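Review bot: the merged sentence `...will indicate the flows your provider supports: Check if your response contains authorization_code.` joins two sentences with a colon followed by a capital; split it, e.g. `...the flows your provider supports. Check that the response contains `authorization_code`.`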
@@ -346,22 +330,10 @@ To identify which client types your OpenID Connect (OIDC) provider supports (Pub
}
```
3. **Check the `response_types_supported` Field:**
This field also provides details on supported client types:
- **Implicit Flow:** Should include values like `id_token` or `id_token token`.
- **Authorization Code Flow:** Should include `code`.
4. **Verify Client Authentication Methods:**
For confidential clients, confirm that the `token_endpoint_auth_methods_supported` field lists options like `client_secret_post` or `client_secret_basic`, which indicate that the provider supports client secret authentication.
#### OIDC IdP Integration Guides
This section provides integration guides for configuring the UniFi Voucher Site with various OIDC (OpenID Connect) Identity Providers (IdPs). These guides cover the necessary steps for setting up the IdP, configuring client credentials, and integrating the IdP with the UniFi Voucher Site.
##### Available Guides
Below is a list of tested Identity Providers (IdPs) with detailed integration instructions:
- [Keycloak Integration](.docs/oidc/keycloak/README.md)
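Review bot: removing steps 3 and 4 drops the two checks that still apply to the only remaining flow: `response_types_supported` must include `code` (the module now hardcodes `response_type: 'code'`), and `token_endpoint_auth_methods_supported` must list `client_secret_post` or `client_secret_basic`, since the client secret is now mandatory. Keep both steps, minus the Implicit-flow bullets, rather than deleting them outright; an operator whose provider lacks either setting gets a failed token exchange with no hint from these docs.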


@@ -17,7 +17,6 @@ services:
AUTH_OIDC_ISSUER_BASE_URL: ''
AUTH_OIDC_APP_BASE_URL: ''
AUTH_OIDC_CLIENT_ID: ''
AUTH_OIDC_CLIENT_TYPE: 'public'
AUTH_OIDC_CLIENT_SECRET: ''
AUTH_DISABLE: 'false'
VOUCHER_TYPES: '480,1,,,;'


@@ -77,11 +77,8 @@ module.exports = () => {
/**
* Verify OIDC configuration
*/
if(variables.authOidcIssuerBaseUrl !== '' && (variables.authOidcAppBaseUrl === '' || variables.authOidcClientId === '')) {
log.error(`[OIDC] Incorrect Configuration Detected!. Verify 'AUTH_OIDC_ISSUER_BASE_URL', 'AUTH_OIDC_APP_BASE_URL' and 'AUTH_OIDC_CLIENT_ID' are set! Authentication will be unstable or disabled until issue is resolved!`);
}
if(variables.authOidcIssuerBaseUrl !== '' && variables.authOidcClientType === 'confidential' && variables.authOidcClientSecret === '') {
log.error(`[OIDC] Incorrect Configuration Detected!. Verify 'AUTH_OIDC_CLIENT_SECRET' is set! Authentication will be unstable or disabled until issue is resolved!`);
if(variables.authOidcIssuerBaseUrl !== '' && (variables.authOidcAppBaseUrl === '' || variables.authOidcClientId === '' || variables.authOidcClientSecret === '')) {
log.error(`[OIDC] Incorrect Configuration Detected!. Verify 'AUTH_OIDC_ISSUER_BASE_URL', 'AUTH_OIDC_APP_BASE_URL', 'AUTH_OIDC_CLIENT_ID' and 'AUTH_OIDC_CLIENT_SECRET' are set! Authentication will be unstable or disabled until issue is resolved!`);
}
/**
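Review bot: folding the four variables into one condition means the error no longer says which value is missing; emit one message per empty variable (or list the empty ones) so the misconfiguration is actionable from the log alone. The message also carries a stray `!.` after `Detected`. Separately, the check only logs and continues (`Authentication will be unstable or disabled until issue is resolved!`); with OIDC half-configured the safer behaviour is to refuse to start rather than run with authentication possibly disabled.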


@@ -24,8 +24,8 @@ const settings = {
idpLogout: true,
authRequired: false,
authorizationParams: {
response_type: (variables.authOidcClientType === 'confidential') ? 'code' : 'id_token',
response_mode: (variables.authOidcClientType === 'confidential') ? 'query' : 'form_post',
response_type: 'code',
response_mode: 'query',
scope: 'openid profile email'
}
};
@@ -43,6 +43,6 @@ module.exports = {
settings.secret = crypto.randomBytes(20).toString('hex');
log.info(`[OIDC] Set secret: ${settings.secret}`);
app.use(oidc.auth(settings));
log.info(`[OIDC] Issuer: ${settings.issuerBaseURL}, Client: ${settings.clientID}, Type: ${variables.authOidcClientType}`);
log.info(`[OIDC] Issuer: ${settings.issuerBaseURL}, Client: ${settings.clientID}`);
}
};
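Review bot: the unchanged line `log.info(`[OIDC] Set secret: ${settings.secret}`)` writes the secret that protects the session cookie to the log at info level, where it lands in any log aggregation; drop the value from the message. That secret is also generated from `crypto.randomBytes(20)` on every start, so a restart invalidates all existing sessions and multiple replicas cannot share one; consider accepting it from configuration and using the random value only as a fallback.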


@@ -23,7 +23,6 @@ module.exports = {
authOidcIssuerBaseUrl: process.env.AUTH_OIDC_ISSUER_BASE_URL || '',
authOidcAppBaseUrl: process.env.AUTH_OIDC_APP_BASE_URL || '',
authOidcClientId: process.env.AUTH_OIDC_CLIENT_ID || '',
authOidcClientType: process.env.AUTH_OIDC_CLIENT_TYPE || 'public',
authOidcClientSecret: process.env.AUTH_OIDC_CLIENT_SECRET || '',
authDisabled: (process.env.AUTH_DISABLE === 'true') || false,
printerType: config('printer_type') || process.env.PRINTER_TYPE || '',


@@ -4,6 +4,7 @@
module.exports = {
deprecated: [
'SECURITY_CODE',
'DISABLE_AUTH'
'DISABLE_AUTH',
'AUTH_OIDC_CLIENT_TYPE'
]
};