| author | 2023-02-25 17:37:39 +0100 |
|---|---|
| committer | 2023-02-25 16:37:39 +0000 |
| commit | 9cfb69f75d3eb422e61de14d5090ea96d541bae9 |
| tree | 7ad1093ddee3d336f6b87ba1f408fdbf3d49d8a6 /docs/configuration |
| parent | [feature] Client API endpoints + v. basic web view for pinned posts (#1547) |
| download | gotosocial-9cfb69f75d3eb422e61de14d5090ea96d541bae9.tar.xz |
[feature] Make OIDC admin groups configurable (#1555)
This removes the current default of checking for membership of the admin
or admins group and makes it required to explicitly configure which
groups should grant admin access, if any.
Relying on the implicit default of admin or admins is potentially
dangerous as that group may contain a different subset of people that we
may wish to grant admin access to GtS. This is probably not an issue for
a single-person instance, but for a community instance different admin
groups may exist in an OIDC provider for different applications.
I'm explicitly opting for not defaulting the value of oidc-admin-groups
to admin,admins because I think it's better for those things to be
explicitly configured.
Diffstat (limited to 'docs/configuration')
| mode | file | changes |
|---|---|---|
| -rw-r--r-- | docs/configuration/oidc.md | 10 |
1 files changed, 8 insertions, 2 deletions
diff --git a/docs/configuration/oidc.md b/docs/configuration/oidc.md index c5ac4a6ef..9018b5887 100644 --- a/docs/configuration/oidc.md +++ b/docs/configuration/oidc.md @@ -60,7 +60,7 @@ oidc-client-secret: "" # Array of string. Scopes to request from the OIDC provider. The returned values will be used to # populate users created in GtS as a result of the authentication flow. 'openid' and 'email' are required. # 'profile' is used to extract a username for the newly created user. -# 'groups' is optional and can be used to determine if a user is an admin (if they're in the group 'admin' or 'admins'). +# 'groups' is optional and can be used to determine if a user is an admin based on oidc-admin-groups. # Examples: See eg., https://auth0.com/docs/scopes/openid-connect-scopes # Default: ["openid", "email", "profile", "groups"] oidc-scopes: @@ -75,6 +75,12 @@ oidc-scopes: # Options: [true, false] # Default: false oidc-link-existing: false + +# Array of string. If the returned ID token contains a 'groups' claim that +# matches one of the groups in oidc-admin-groups, then this user will be granted +# admin rights on the GtS instance +# Default: [] +oidc-admin-groups: [] ``` ## Behavior @@ -101,7 +107,7 @@ access to your GtS account. Most OIDC providers allow for the concept of groups and group memberships in returned claims. GoToSocial can use group membership to determine whether or not a user returned from an OIDC flow should be created as an admin account or not. -If the returned OIDC groups information for a user contains membership of the groups `admin` or `admins`, then that user will be created/signed in as though they are an admin. +If the returned OIDC groups information for a user contains membership of the groups configured in `oidc-admin-groups`, then that user will be created/signed in as though they are an admin. ## Migrating from old versions |
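Review bot: the revised `'groups'` scope comment in the first hunk (`oidc-scopes`) should say that the scope only has an effect when `oidc-admin-groups` is non-empty, since that new setting defaults to `[]`; suggest `# 'groups' is optional and only needed if oidc-admin-groups is set; users in one of those groups are granted admin.`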
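Review bot: the new `oidc-admin-groups` block in the second hunk does not document what the default `[]` means or how the match is performed. The neighbouring settings carry an `Options:` or `Examples:` line, so add one here (e.g. `# Examples: ["admin", "admins"]`), state that an empty list means no OIDC user is ever granted admin (a change from the previous implicit `admin`/`admins` behaviour), and say whether the comparison against the `groups` claim is exact and case-sensitive. The line `# admin rights on the GtS instance` is also missing its full stop.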
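Review bot: the rewritten sentence in the Behavior hunk should read `membership of any of the groups configured in oidc-admin-groups` so it is clear that one match suffices, and because this change drops the implicit `admin`/`admins` default, the `## Migrating from old versions` section that follows should tell operators who relied on it to set `oidc-admin-groups` explicitly before upgrading, otherwise their OIDC logins will no longer receive admin rights. It would also help to state whether admin status is re-evaluated on every sign-in or only fixed when the account is created; the paragraph only says the user is "created/signed in as though they are an admin".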