diff --git a/docs/authentication.md b/docs/authentication.md index 8f53cff6..061eb3d1 100644 --- a/docs/authentication.md +++ b/docs/authentication.md @@ -251,6 +251,47 @@ Your app is now secured :) When you load Dashy, it will redirect to your Keycloa From within the Keycloak console, you can then configure things like time-outs, password policies, etc. You can also backup your full Keycloak config, and it is recommended to do this, along with your Dashy config. You can spin up both Dashy and Keycloak simultaneously and restore both applications configs using a `docker-compose.yml` file, and this is recommended. +## OIDC + +Dashy also supports using a general [OIDC compatible](https://openid.net/connect/) authentication server. In order to use it, the authentication section needs to be configured: + +```yaml +appConfig: + auth: + enableOidc: true + oidc: + clientId: [registered client id] + endpoint: [OIDC endpoint] +``` + +Because Dashy is a SPA, a [public client](https://datatracker.ietf.org/doc/html/rfc6749#section-2.1) registration with PKCE is needed. + +An example for Authelia is shared below, but other OIDC systems can be used: + +```yaml +identity_providers: + oidc: + clients: + - client_id: dashy + client_name: dashy + public: true + authorization_policy: 'one_factor' + require_pkce: true + pkce_challenge_method: 'S256' + redirect_uris: + - https://dashy.local # should point to your dashy endpoint + grant_types: + - authorization_code + scopes: + - 'openid' + - 'profile' + - 'roles' + - 'email' + - 'groups' +``` + +Groups and roles will be populated and available for controlling display similar to [Keycloak](#Keycloak) abvoe. + --- ## Alternative Authentication Methods diff --git a/docs/configuring.md b/docs/configuring.md index e29042aa..bc8721e9 100644 --- a/docs/configuring.md +++ b/docs/configuring.md @@ -158,6 +158,8 @@ The following file provides a reference of all supported configuration options. **`keycloak`** | `object` | _Optional_ | Config options to point Dashy to your Keycloak server. Requires `enableKeycloak: true`. See [`auth.keycloak`](#appconfigauthkeycloak-optional) for more info **`enableHeaderAuth`** | `boolean` | _Optional_ | If set to `true`, then authentication using HeaderAuth will be enabled. Note that you need to have your web server/reverse proxy running, and have also configured `auth.headerAuth`. Defaults to `false` **`headerAuth`** | `object` | _Optional_ | Config options to point Dashy to your headers for authentication. Requires `enableHeaderAuth: true`. See [`auth.headerAuth`](#appconfigauthheaderauth-optional) for more info +**`enableOidc`** | `boolean` | _Optional_ | If set to `true`, then authentication using OIDC will be enabled. Note that you need to have a configured OIDC server and configure it with `auth.oidc`. Defaults to `false` +**`oidc`** | `object` | _Optional_ | Config options to point Dash to your OIDC configuration. Request `enableOidc: true`. See [`auth.oidc`](#appconfigauthoidc-optional) for more info **`enableGuestAccess`** | `boolean` | _Optional_ | When set to `true`, an unauthenticated user will be able to access the dashboard, with read-only access, without having to login. Requires `auth.users` to be configured. Defaults to `false`. For more info, see the **[Authentication Docs](/docs/authentication)** @@ -194,6 +196,15 @@ For more info, see the **[Authentication Docs](/docs/authentication)** **[⬆️ Back to Top](#top)** +## `appConfig.auth.oidc` _(optional)_ + +**Field** | **Type** | **Required**| **Description** +--- | --- | --- | --- +**`clientId`** | `string` | Required | The client id registered in the OIDC server +**`endpoint`** | `string` | Required | The URL of the OIDC server that should be used. + +**[⬆️ Back to Top](#top)** + ## `appConfig.webSearch` _(optional)_ **Field** | **Type** | **Required**| **Description**