Replies: 4 comments 2 replies
-
|
Broadly these changes make sense to me. I also agree that now is a good time for breaking changes with V2 coming. I'm not a regular OIDC user, though, so I don't have much to say on the actual changes themselves. |
Beta Was this translation helpful? Give feedback.
-
|
Regarding Point 2, Authelia's dev believes the current Mealie OIDC system would be the correct method of implementing the OpenID Connect specifications:
While Authelia ultimately added support for RBAC for OIDC clients, it might be worth considering what's the most compliant implementation. |
Beta Was this translation helpful? Give feedback.
-
|
Thanks for that tidbit. I’m certainly not opposed to leaving that feature in as it is currently optional (originally it wasn’t) and just hardening the docs surrounding the feature |
Beta Was this translation helpful? Give feedback.
-
|
Makes sense. I won't pretend to have any knowledge about the OIDC spec, I just happened to run across that issue yesterday while troubleshooting a client that doesn't support the |
Beta Was this translation helpful? Give feedback.
-
|
I don't use or have any experience with OIDC, so I have nothing to really weigh in with, but just wanted to say I love the consultation @cmintey ❤️ |
Beta Was this translation helpful? Give feedback.
-
|
I think 1. is definitely a good thing to implement. |
Beta Was this translation helpful? Give feedback.
-
Earlier this year, Mealie gained support for authentication via OAuth using OpenIdConnect (OIDC). The implementation came with some confusions from the community surrounding the group permissions and the fact that a client secret was not required and all calls were done through the browser (thus causing issues with CSRF).
With Mealie v2 on the horizon, this brings the opportunity for breaking changes. I have some ideas for a v2 implementation of OAuth authentication that would simplify the setup and make it more in line with how other self-hosted applications implement it. This of course would come with a few breaking changes.
Breaking Changes
1. Require a client secret
This would mean that all requests and auth processing would happen server-side and would no longer be relying on the browser making requests. This would make it so CSRF is no longer an issue. Additionally, IdPs (like Google) which do not support the Authorization Code flow without a client_secret paramter would now work with Mealie.
2. Remove
OIDC_USER_GROUPandOIDC_ADMIN_GROUPThese two configuration options end up causing a lot of confusing during the authentication process. With v2 introducing Households, I imagine this will become an even larger point of confusion.
I suggest we remove them and let the IdP handle access control. This would also remove the need for the
groupsscope. Of course this means that you could no longer configure a user as an admin via your IdP (though this can still be done manually within Mealie).What benefits do these changes provide?
Potential Enhancements
Specify which group a user is added to in Mealie via the IdP
Some self-hosted applications have the idea of groups and can handle adding a user to a group during the authentication process. The way this is accomplished in Vikunja, for example, is by using a custom claim
vikunja_groupswhich contains the group name and an identifier for creating groups. This idea could be utilized by Mealie and users could be automatically added to groups and/or householdsFinal Thoughts
Breaking changes are never fun, but are sometimes required for better outcomes. The above changes are minimal and should not be perceivable from an end-user perspective, but will hopefully reduce headaches during the initial setup. It would also make Mealie's implementation more similar to other self-hosted services.
I would like to hear the communities thoughts if this is a desirable change or if the current implementation is "good enough" and don't want to have such a breaking change.
Beta Was this translation helpful? Give feedback.
All reactions