Fallenbagel · michaelhthomas · Jul 11, 2022 · Jul 11, 2022 · Jul 11, 2022 · Jul 15, 2022
@@ -141,7 +141,7 @@ location ^~ /overseerr {
     sub_filter '\/_next' '\/$app\/_next';
     sub_filter '/_next' '/$app/_next';
     sub_filter '/api/v1' '/$app/api/v1';
-    sub_filter '/login/plex/loading' '/$app/login/plex/loading';
+    sub_filter '/login/popup/loading' '/$app/login/popup/loading';
     sub_filter '/images/' '/$app/images/';
     sub_filter '/android-' '/$app/android-';
     sub_filter '/apple-' '/$app/apple-';

@@ -80,6 +80,68 @@ When disabled, Plex OAuth becomes the only sign-in option, and any "local users"
 
 This setting is **enabled** by default.
 
+### Enable Media Server Sign-In
+
+When enabled, users will be able to sign in on the login screen using their Plex / Jellyfin accounts.
+
+When disabled, local sign-in will be the only option.
+
+This setting is **enabled** by default.
+
+### Enable OIDC Sign-In
+
+When enabled, allows users to sign in to local accounts using an OIDC identity provider, which requires additional configuration.
+
+For this setting to function properly, the OIDC Issuer URL, Provider Name, Client ID, and Client Secret must all be properly set.
+
+This setting is **disabled** by default.
+
+### OIDC Settings
+
+#### Issuer URL
+
+Sets the base URL of the identity provider's OpenID Connect endpoint. A valid URL for this setting should have a discovery endpoint at `/.well-known/openid-configuration` as outlined in the [OpenID Connect Discovery specification](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfig).
+
+#### Provider Name
+
+Sets the name that should be shown for the OIDC login option on the login screen.
+
+For example, setting the Provider Name option to "My Incredible Login Page" would make a button with the text "Sign in with My Incredible Login Page" appear on the login page.
+
+#### Client ID
+
+Sets the client ID Jellyseerr should use when communicating with the configured identity provider.
+
+#### Client Secret
+
+Sets the client secret Jellyseerr should use when communicating with the configured identity provider.
+
+#### Scopes
+
+Sets the scopes that should be requested from the identity provider when logging in, as described in the [OpenID Connect specification](https://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims). This is an advanced setting, and the default value (`email openid profile`) should be sufficient for most configurations.
+
+#### Identification Claims
+
+Sets the string-typed claims that should be used to identify a user. These claims are matched to the user's unique identifier (email). This is an advanced setting, and the default value (`email`) should be sufficient for most configurations.
+
+#### Required Claims
+
+Sets the boolean-typed claims that should be required for a user to successfully log in. This is an advanced setting, and the default value (`email_verified`) should be sufficient for most configurations. If requiring a verified email address is not desired, it is possible to leave this field blank.
+
+#### Allow Plex / Jellyfin Usernames
+
+When enabled, a user's identification claims are matched not only against their email, but against their Plex / Jellyfin username. This is an advanced setting, and enabling it will likely result in reduced security due to the ease of changing / spoofing usernames.
+
+This setting may be helpful, however, for scenarios when the OpenID connect provider and Plex / Jellyfin's usernames are equivalent for all users. It may be helpful to add `preferred_username` or another of the [standard OpenID Connect claims](https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims) to the [Identification Claims](#identification-claims) setting to enable matching Plex / Jellyfin usernames to the usernames obtained from the identity provider.
+
+This setting is **disabled** by default.
+
+#### Automatic Login
+
+When enabled, OpenID Connect authentication will replace the built-in authentication mechanism. The login page will automatically redirect to the OpenID Connect identity provider, and logging out will trigger an OpenID Connect logout flow. This setting may only be enabled if OIDC Sign-In is the only enabled authentication mechanism.
+
+This setting is **disabled** by default.
+
 ### Enable New Plex Sign-In
 
 When enabled, users with access to your Plex server will be able to sign in to Overseerr even if they have not yet been imported. Users will be automatically assigned the permissions configured in the [Default Permissions](#default-permissions) setting upon first sign-in.

@@ -132,6 +132,36 @@ components:
           type: string
         originalLanguage:
           type: string
+    OidcSettings:
+      type: object
+      properties:
+        providerName:
+          type: string
+          example: Keycloak
+        providerUrl:
+          type: string
+          example: https://auth.example.com
+        clientId:
+          type: string
+          example: your-client-id
+        clientSecret:
+          type: string
+          example: your-client-secret
+        userIdentifier:
+          type: string
+          example: email
+        requiredClaims:
+          type: string
+          example: email_verified
+        scopes:
+          type: string
+          example: id email
+        matchJellyfinUsername:
+          type: boolean
+          example: false
+        automaticLogin:
+          type: boolean
+          example: false
     MainSettings:
       type: object
       properties:
@@ -162,6 +192,14 @@ components:
         localLogin:
           type: boolean
           example: true
+        mediaServerLogin:
+          type: boolean
+          example: true
+        oidcLogin:
+          type: boolean
+          example: true
+        oidc:
+          $ref: '#/components/schemas/OidcSettings'
         mediaServerType:
           type: number
           example: 1
@@ -3699,6 +3737,79 @@ paths:
                   type: string
               required:
                 - password
+  /auth/oidc-login:
+    get:
+      security: []
+      summary: Redirect to the OpenID Connect provider
+      description: Constructs the redirect URL to the OpenID Connect provider, and redirects the user to it.
+      tags:
+        - auth
+      responses:
+        '302':
+          description: Redirect to the authentication url for the OpenID Connect provider
+          headers:
+            Location:
+              schema:
+                type: string
+                example: https://example.com/auth/oidc/callback?response_type=code&client_id=client_id&redirect_uri=https%3A%2F%2Fexample.com%2Fauth%2Foidc%2Fcallback&scope=openid%20email&state=state
+            Set-Cookie:
+              schema:
+                type: string
+                example: 'oidc-state=123456789; HttpOnly; max-age=60000; Secure'
+  /auth/oidc-callback:
+    get:
+      security: []
+      summary: The callback endpoint for the OpenID Connect provider redirect
+      description: Takes the `code` and `state` parameters from the OpenID Connect provider, and exchanges them for a token.
+      x-allow-unknown-query-parameters: true
+      parameters:
+        - in: query
+          name: code
+          required: true
+          schema:
+            type: string
+            example: '123456789'
+        - in: query
+          name: state
+          required: true
+          schema:
+            type: string
+            example: '123456789'
+        - in: cookie
+          name: oidc-state
+          required: true
+          schema:
+            type: string
+            example: '123456789'
+      tags:
+        - auth
+      responses:
+        '302':
+          description: A redirect to the home page if successful or back to the login page if not
+          headers:
+            Location:
+              schema:
+                type: string
+                example: /
+            Set-Cookie:
+              schema:
+                type: string
+                example: 'oidc-state=deleted; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT'
+  /auth/oidc-logout:
+    get:
+      security: []
+      summary: Redirect to the OpenID Connect provider logout page
+      description: Determines the logout redirect URL for to the OpenID Connect provider, and redirects the user to it.
+      tags:
+        - auth
+      responses:
+        '302':
+          description: Redirect to the logout url for the OpenID Connect provider
+          headers:
+            Location:
+              schema:
+                type: string
+                example: https://example.com/auth/oidc/invalidate_session
   /user:
     get:
       summary: Get all users

@@ -61,6 +61,7 @@
     "formik": "2.2.9",
     "gravatar-url": "3.1.0",
     "intl": "1.2.5",
+    "jwt-decode": "^3.1.2",
     "lodash": "4.17.21",
     "next": "12.3.4",
     "node-cache": "5.1.2",

@@ -24,6 +24,7 @@ import {
   PrimaryGeneratedColumn,
   RelationCount,
   UpdateDateColumn,
+  type FindOperator,
 } from 'typeorm';
 import Issue from './Issue';
 import { MediaRequest } from './MediaRequest';
@@ -51,7 +52,12 @@ export class User {
     unique: true,
     transformer: {
       from: (value: string): string => (value ?? '').toLowerCase(),
-      to: (value: string): string => (value ?? '').toLowerCase(),
+      to: (
+        value: string | FindOperator<string>
+      ): string | FindOperator<string> => {
+        if (typeof value === 'string') return (value ?? '').toLowerCase();
+        return value;
+      },
     },
   })
   public email: string;