feat(mastodon): add OIDC login support

2022-08-26 18:02:33 +02:00 · 2022-08-26 18:02:33 +02:00 · 998d2a5f5e
commit 998d2a5f5e
parent 275976f1e6
2 changed files with 63 additions and 0 deletions
--- a/roles/mastodon/defaults/main.yml
+++ b/roles/mastodon/defaults/main.yml
@ -110,3 +110,24 @@ mastodon_s3_bucket: ~
 mastodon_s3_aws_access_key_id: ~
 mastodon_s3_aws_secret_access_key: ~
 mastodon_s3_alias_host: ~
+
+mastodon_oidc_enabled: false
+mastodon_oidc_issuer_url: ~
+mastodon_oidc_discovery: true
+mastodon_oidc_scope: openid,profile
+mastodon_oidc_client_id: ~
+mastodon_oidc_client_secret: ~
+mastodon_oidc_client_auth_method: basic
+mastodon_oidc_response_mode: query
+mastodon_oidc_response_type: code
+mastodon_oidc_prompt: ~
+mastodon_oidc_display_name: My IDP
+mastodon_oidc_auth_endpoint: ~
+mastodon_oidc_token_endpoint: ~
+mastodon_oidc_user_info_endpoint: ~
+mastodon_oidc_end_session_endpoint: ~
+mastodon_oidc_jwks_uri:
+mastodon_oidc_redirect_uri:
+mastodon_oidc_idp_logout_redirect_uri: ~
+mastodon_oidc_uid_field: preferred_username
+mastodon_oidc_security_assume_email_is_verified: false
--- a/roles/mastodon/templates/env.j2
+++ b/roles/mastodon/templates/env.j2
@ -51,8 +51,12 @@ ES_ENABLED={{ mastodon_elasticsearch_enabled }}
 ES_HOST={{ mastodon_elasticsearch_host }}
 ES_PORT={{ mastodon_elasticsearch_port }}
 # Authentication for ES (optional)
+{% if mastodon_elasticsearch_user %}
 ES_USER={{ mastodon_elasticsearch_user }}
+{% endif %}
+{% if mastodon_elasticsearch_pass %}
 ES_PASS={{ mastodon_elasticsearch_pass }}
+{% endif %}

 # Secrets
 # -------
@ -84,3 +88,41 @@ AWS_ACCESS_KEY_ID={{ mastodon_s3_aws_access_key_id }}
 AWS_SECRET_ACCESS_KEY={{ mastodon_s3_aws_secret_access_key }}
 S3_ALIAS_HOST={{ mastodon_s3_alias_host }}

+# OpenId connect (optional)
+OIDC_ENABLED={{ mastodon_oidc_enabled | bool | string | lower }}
+OIDC_ISSUER={{ mastodon_oidc_issuer_url }}
+OIDC_DISCOVERY={{ mastodon_oidc_discovery | bool | string | lower }}
+OIDC_CLIENT_AUTH_METHOD={{ mastodon_oidc_client_auth_method }}
+OIDC_CLIENT_ID={{ mastodon_oidc_client_id }}
+OIDC_CLIENT_SECRET={{ mastodon_oidc_client_secret }}
+OIDC_SCOPE={{ mastodon_oidc_scope }}
+{% if mastodon_oidc_auth_endpoint %}
+OIDC_AUTH_ENDPOINT={{ mastodon_oidc_auth_endpoint }}
+{% endif %}
+{% if mastodon_oidc_token_endpoint %}
+OIDC_TOKEN_ENDPOINT={{ mastodon_oidc_token_endpoint }}
+{% endif %}
+{% if mastodon_oidc_user_info_endpoint %}
+OIDC_USER_INFO_ENDPOINT={{ mastodon_oidc_user_info_endpoint }}
+{% endif %}
+{% if mastodon_oidc_end_session_endpoint %}
+OIDC_END_SESSION_ENDPOINT={{ mastodon_oidc_end_session_endpoint }}
+{% endif %}
+{% if mastodon_oidc_jwks_uri %}
+OIDC_JWKS_URI={{ mastodon_oidc_jwks_uri }}
+{% endif %}
+{% if mastodon_oidc_redirect_uri %}
+OIDC_REDIRECT_URI={{ mastodon_oidc_redirect_uri }}
+{% endif %}
+{% if mastodon_oidc_idp_logout_redirect_uri %}
+OIDC_IDP_LOGOUT_REDIRECT_URI={{ mastodon_oidc_idp_logout_redirect_uri }}
+{% endif %}
+OIDC_DISPLAY_NAME={{ mastodon_oidc_display_name }}
+OIDC_UID_FIELD={{ mastodon_oidc_uid_field }}
+{% if mastodon_oidc_response_mode %}
+OIDC_RESPONSE_MODE={{ mastodon_oidc_response_mode }}
+{% endif %}
+{% if mastodon_oidc_response_type %}
+OIDC_RESPONSE_TYPE={{ mastodon_oidc_response_type }}
+{% endif %}
+OIDC_SECURITY_ASSUME_EMAIL_IS_VERIFIED={{ mastodon_oidc_security_assume_email_is_verified | bool | string | lower }}