OAuth setup with Kanidm 🦀

[ToxicMushroom]

Configuration Example (last updated for mealie v2.4.1, kanidm 1.4.5)

Kanidm
You need to create a public client:

1. kanidm system oauth2 create mealie Mealie https://mealie.example.com
2. kanidm system oauth2 add-redirect-url mealie https://mealie.example.com/login
3. kanidm system oauth2 prefer-short-username mealie
4. Add the groups you want
   • kanidm group create mealie_users
   • kanidm group create mealie_admins
5. Set scope maps for your groups
   • kanidm system oauth2 update-scope-map mealie mealie_users openid email profile groups
   • kanidm system oauth2 update-scope-map mealie mealie_admins openid email profile groups
6. get OIDC_CLIENT_SECRET: kanidm system oauth2 show-basic-secret mealie

Mealie
Add this to your env

     OIDC_AUTH_ENABLED: true
     OIDC_SIGNUP_ENABLED: true
     OIDC_CONFIGURATION_URL: https://idm.example.com/oauth2/openid/mealie/.well-known/openid-configuration
     OIDC_CLIENT_ID: mealie
     OIDC_CLIENT_SECRET: your_secret_from_step_6
     OIDC_PROVIDER_NAME: Kanidm
     OIDC_USER_CLAIM: preferred_username
     OIDC_USER_GROUP: mealie_users@idm.example.com
     OIDC_ADMIN_GROUP: mealie_admins@idm.example.com

See https://docs.mealie.io/documentation/getting-started/installation/backend-config/#openid-connect-oidc for more options

[notjosh]

fwiw, a couple of other useful commands, depending your situation:

• kanidm system oauth2 prefer-short-username mealie: I merged existing accounts via username (by default it's email afaict), so having it formatted as username instead of username@idm.example.com was useful
  • note, requires Mealie env var: OIDC_USER_CLAIM=preferred_username
• kanidm system oauth2 update-scope-map mealie mealie_users openid profile email groups: add groups to scopes, and map the admin account via env vars:
  • OIDC_USER_GROUP=mealie_users@idm.example.com
  • OIDC_ADMIN_GROUP=your_admins_group@idm.example.com

[Haennetz]

If you're missing the email claim and get a log message like this:

[OIDC] Required claims not present. Expected: {'email', 'preferred_username', 'name'} Actual: dict_keys(['iss', 'sub', 'aud', 'exp', 'nbf', 'iat', 'azp', 'name', 'preferred_username', 'scopes', 'groups'])

The user in kanidm is missing the mail attribute.

[0xC0ncord]

I found that for some reason Mealie would never get a JWT token containing the user's groups even if the groups claim was requested. If I set OIDC_USER_GROUP or OIDC_ADMIN_GROUP to any value, authentication would fail.

I was able to work around this by:

1. Creating a custom claim map for my users group and admin group:

$ kanidm system oauth2 update-claim-map mealie mealie_roles mealie_users users
$ kanidm system oauth2 update-claim-map mealie mealie_roles mealie_admins users admins

2. Add the custom claim to the scope map:

$ kanidm system oauth2 update-scope-map mealie openid profile email mealie_roles

3. Tell Mealie to use mealie_roles as the groups claim by setting OIDC_GROUPS_CLAIM=mealie_roles.

[D3an1el]

Mealie have added secrets in V2 >, you'll have to:

kanidm system oauth2 create mealie "mealie Production" https://mealie.example.com

and add in mealie env :

OIDC_CLIENT_SECRET v2.0.0> The client secret of your configured client in your provider

[ToxicMushroom]

thanks, I updated the original post for v2