fix: kanidm strict redirect uri

This commit is contained in:
Patrick 2024-11-11 17:24:26 +01:00
parent 4cb6de6563
commit 6322469cd2
Signed by: patrick
GPG key ID: 451F95EFB8BECD0F
3 changed files with 26 additions and 5 deletions


@ -83,7 +83,7 @@ in
};
systems.oauth2.paperless = {
displayName = "paperless";
originUrl = "https://ppl.${config.secrets.secrets.global.domains.web}/";
originUrl = "https://ppl.${config.secrets.secrets.global.domains.web}/accounts/oidc/kanidm/login/callback/";
originLanding = "https://ppl.${config.secrets.secrets.global.domains.web}/";
basicSecretFile = config.age.secrets.oauth2-paperless.path;
scopeMaps."paperless.access" = [
@ -124,7 +124,7 @@ in
};
systems.oauth2.immich = {
displayName = "Immich";
originUrl = "https://immich.${config.secrets.secrets.global.domains.web}/";
originUrl = "https://immich.${config.secrets.secrets.global.domains.web}/auth/login";
originLanding = "https://immich.${config.secrets.secrets.global.domains.web}/";
basicSecretFile = config.age.secrets.oauth2-immich.path;
allowInsecureClientDisablePkce = true;
@ -146,7 +146,7 @@ in
systems.oauth2.oauth2-proxy = {
displayName = "Oauth2-Proxy";
originUrl = "https://oauth2.${config.secrets.secrets.global.domains.web}/";
originUrl = "https://oauth2.${config.secrets.secrets.global.domains.web}/oauth2/callback";
originLanding = "https://oauth2.${config.secrets.secrets.global.domains.web}/";
basicSecretFile = config.age.secrets.oauth2-proxy.path;
scopeMaps."adguardhome.access" = [
@ -199,7 +199,7 @@ in
};
systems.oauth2.forgejo = {
displayName = "Forgejo";
originUrl = "https://forge.${config.secrets.secrets.global.domains.web}/";
originUrl = "https://forge.${config.secrets.secrets.global.domains.web}/user/oauth2/kanidm/callback";
originLanding = "https://forge.${config.secrets.secrets.global.domains.web}/";
basicSecretFile = config.age.secrets.oauth2-forgejo.path;
scopeMaps."forgejo.access" = [
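Review bot: Three of the four new originUrl values (immich, oauth2-proxy, forgejo) no longer end in a slash, which the unpatched kanidm module's `strMatching ".*://.*/$"` check (visible in the vendored PR 355216 diff below) rejects, so this file only evaluates once that patch is applied and nothing in the file says so; a comment on each entry would save the next reader a failed rebuild, e.g. `# exact redirect_uri for strict-redirect matching; needs patches/PR/355216.diff`. Whether each path is byte-identical to the redirect_uri the client actually sends — the allauth provider id behind `/accounts/oidc/kanidm/login/callback/` for paperless, the auth-source name behind `/user/oauth2/kanidm/callback` for forgejo — cannot be confirmed from this page, and under strict matching any mismatch, including the trailing slash kept only on the paperless entry, is a hard login failure rather than a warning, so noting the source of each path beside it is worth the line. The immich entry still carries `allowInsecureClientDisablePkce = true`, which this tightening does not touch; if the deployed Immich version supports PKCE, dropping that line would close the gap an intercepted authorization code would otherwise leave.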

patches/PR/355216.diff Normal file

@ -0,0 +1,21 @@
diff --git a/nixos/modules/services/security/kanidm.nix b/nixos/modules/services/security/kanidm.nix
index a368b6eee2a6e..96f6e23740c80 100644
--- a/nixos/modules/services/security/kanidm.nix
+++ b/nixos/modules/services/security/kanidm.nix
@@ -502,13 +502,13 @@ in
};
originUrl = mkOption {
- description = "The origin URL of the service. OAuth2 redirects will only be allowed to sites under this origin. Must end with a slash.";
+ description = "The origin URL of the service. OAuth2 redirects will only need to either exactly match or match this origin depending on wether strict-redirect is enabled.";
type =
let
- originStrType = types.strMatching ".*://.*/$";
+ originStrType = types.strMatching ".*://.*$";
in
types.either originStrType (types.nonEmptyListOf originStrType);
- example = "https://someservice.example.com/";
+ example = "https://someservice.example.com/auth/login";
};
originLanding = mkOption {


@ -1,5 +1,5 @@
# dependencies: wcurl
PRS=("354038")
PRS=("354038" "355216")
if [ ! -f flake.nix ]; then
echo "Not in a flake top level"