From 183ab09daabefd4848d8b22766fec7ec0cc3e1c7 Mon Sep 17 00:00:00 2001
From: Luke Vella
Date: Sun, 26 Nov 2023 13:08:42 +0700
Subject: [PATCH] =?UTF-8?q?=F0=9F=93=9D=20Update=20SSO=20docs?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 apps/docs/mint.json | 9 ++-
 .../self-hosting/configuration-options.mdx | 46 +--------------
 apps/docs/self-hosting/single-sign-on.mdx | 62 +++++++++++++++++++
 apps/web/declarations/environment.d.ts | 4 --
 apps/web/src/utils/constants.ts | 6 +-
 turbo.json | 1 -
 6 files changed, 75 insertions(+), 53 deletions(-)
 create mode 100644 apps/docs/self-hosting/single-sign-on.mdx
diff --git a/apps/docs/mint.json b/apps/docs/mint.json
index f48338c30..2f4a047f8 100644
--- a/apps/docs/mint.json
+++ b/apps/docs/mint.json
@@ -62,11 +62,14 @@
 {
 "icon": "bolt",
 "group": "Get Started",
- "pages": ["self-hosting/docker-compose"]
+ "pages": [
+ "self-hosting/docker-compose",
+ "self-hosting/single-sign-on",
+ "self-hosting/configuration-options"
+ ]
 },
 "self-hosting/pricing",
- "self-hosting/managed-hosting",
- "self-hosting/configuration-options"
+ "self-hosting/managed-hosting"
 ]
 },
 {
diff --git a/apps/docs/self-hosting/configuration-options.mdx b/apps/docs/self-hosting/configuration-options.mdx
index 350158fe9..2a3c7e2ca 100644
--- a/apps/docs/self-hosting/configuration-options.mdx
+++ b/apps/docs/self-hosting/configuration-options.mdx
@@ -69,48 +69,6 @@ These variables need to be configured to let Rallly send out transactional email Enable TLS for your SMTP connection -### Single Sign On (SSO) with OpenID Connect (OIDC) +### Single Sign On (SSO) -To enable SSO with an OIDC compliant identity provider you will need to configure the following variables. - - - Must be set to `true` to enable OIDC Login - - - - The user-facing name of your provider as it will be shown on the login page - - - - URL of the `.well-known/openid-configuration` endpoint for your OIDC provider - - - - The client ID of your OIDC application - - - - The client secret of your OIDC application - - -#### Required Scopes - -The following scopes are required for OIDC to function properly. - -- `openid`: Essential for OIDC to function, used to perform authentication. -- `profile`: Access to the user's personal information such as name and picture. -- `email`: Access to the user's email address. - -#### Callback URL / Redirect URI - -The callback URL for your OIDC application must be set to: - -``` -{NEXT_PUBLIC_BASE_URL}/api/auth/callback/oidc -``` - - - Replace `{NEXT_PUBLIC_BASE_URL}` with the base URL of your Rallly instance. - - -Ensure this URL is added to the list of allowed redirect URIs in your OIDC provider's application settings. +Go to [Single Sign On](/self-hosting/sso) for information on how to configure SSO. diff --git a/apps/docs/self-hosting/single-sign-on.mdx b/apps/docs/self-hosting/single-sign-on.mdx new file mode 100644 index 000000000..1ddbcf12c --- /dev/null +++ b/apps/docs/self-hosting/single-sign-on.mdx 
@@ -0,0 +1,62 @@ +--- +icon: key +title: Single Sign On (SSO) +description: How to use your own identity provider +--- + +Available in v3.4.0 and later. + + +#### Account Linking + +Accounts using the same email are linked together. This assumes +that you are using a trusted identity provider that uses verified email +addresses. + + + +## OpenID Connect (OIDC) + +If your identity provider supports OAuth 2.0 based authentication with OpenID Connect (OIDC), you can use it to authenticate users on your Rallly instance. + +### Required Scopes + +Your OAuth 2.0 application needs to be configured with the following scopes: + +- `openid`: Essential for OIDC to function, used to perform authentication. +- `profile`: Access to the user's personal information such as name and picture. +- `email`: Access to the user's email address. + +### Callback URL / Redirect URI + +Your identity provider will redirect the user back to the following URL: + +``` +{BASE_URL}/api/auth/callback/oidc +``` + + + Replace `{BASE_URL}` with the base URL of your Rallly instance and add it to + the list of allowed redirect URIs. + + +### Configuration + +The following configuration options are available for OIDC. +All required fields must be set for OIDC to be enabled. + + + The user-facing name of your provider as it will be shown on the login page + + + + URL of the `.well-known/openid-configuration` endpoint for your OIDC provider + + + + The client ID of your OIDC application + + + + The client secret of your OIDC application + diff --git a/apps/web/declarations/environment.d.ts b/apps/web/declarations/environment.d.ts index ed96abbe1..c1f850939 100644 --- a/apps/web/declarations/environment.d.ts +++ b/apps/web/declarations/environment.d.ts @@ -64,10 +64,6 @@ declare global { * Determines what email provider to use. "smtp" or "ses" */ EMAIL_PROVIDER?: "smtp" | "ses"; - /** - * Set to "true" to enable OIDC authentication - */ - OIDC_ENABLED?: string; /** * Name of the oidc provider */ 
diff --git a/apps/web/src/utils/constants.ts b/apps/web/src/utils/constants.ts
index 7af61492c..fe72560ca 100644
--- a/apps/web/src/utils/constants.ts
+++ b/apps/web/src/utils/constants.ts
@@ -13,6 +13,10 @@ export const monthlyPriceUsd = 7;
 export const annualPriceUsd = 42;
 export const appVersion = process.env.NEXT_PUBLIC_APP_VERSION;
-export const isOIDCEnabled = process.env.OIDC_ENABLED === "true";
+export const isOIDCEnabled = Boolean(
+ process.env.OIDC_DISCOVERY_URL &&
+ process.env.OIDC_CLIENT_ID &&
+ process.env.OIDC_CLIENT_SECRET,
+);
 export const oidcName = process.env.OIDC_NAME ?? "OpenID Connect";
diff --git a/turbo.json b/turbo.json
index 36b2783e8..519d7ae20 100644
--- a/turbo.json
+++ b/turbo.json
@@ -85,7 +85,6 @@
 "NEXT_PUBLIC_VERCEL_URL",
 "NODE_ENV",
 "NOREPLY_EMAIL",
- "OIDC_ENABLED",
 "OIDC_NAME",
 "OIDC_DISCOVERY_URL",
 "OIDC_CLIENT_ID",
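Review bot: `isOIDCEnabled` now switches the OIDC login path on implicitly whenever the three provider variables are non-empty, so this hunk removes the only explicit opt-in and an operator can no longer disable the provider without unsetting `OIDC_CLIENT_SECRET`; that is a deliberate design change but nothing at the definition says so. A comment at the declaration would capture it: `// OIDC login is enabled implicitly when the discovery URL, client id and client secret are all set; there is no separate on/off flag.` The expression checks presence only, not that `OIDC_DISCOVERY_URL` is a well-formed URL, so a typo in it will still report SSO as enabled and fail later at discovery time. Because this module also exports `NEXT_PUBLIC_APP_VERSION`, it may be imported by client-side code where non-public `OIDC_*` variables are undefined and the expression evaluates to false; the removed `OIDC_ENABLED` check appears to have had the same property, so this is worth confirming for every UI consumer rather than a regression. The enclosing module continues outside the hunk.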