johanels/photoprism
1
0
Fork 0
mirror of https://github.com/photoprism/photoprism.git synced 2025-12-12 00:34:13 +01:00
Code Issues Packages Projects Releases Wiki Activity

OIDC: Merge groups, add inline code docs, and improve README.md #5334

Browse Source 
Signed-off-by: Michael Mayer <michael@photoprism.app>
This commit is contained in:
Michael Mayer
2025-11-27 12:02:57 +01:00
parent 9d378f2041
commit 6c50ee0ade
2 changed files with 7 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
internal/api/oidc_redirect.go
View File

@@ -109,10 +109,13 @@ func OIDCRedirect(router *gin.RouterGroup) {
groups, groupOverage := oidc.GroupsFromClaims(idTokenClaims, groupClaim)
moreGroups, moreOverage := oidc.GroupsFromClaims(userInfo.Claims, groupClaim)
if len(groups) == 0 && len(moreGroups) > 0 {
groups = moreGroups
// Merge groups, since some IDPs split memberships across ID tokens and user info.
// Appending is safe because downstream helpers normalize and deduplicate.
if len(moreGroups) > 0 {
groups = append(groups, moreGroups...)
}
// "Overage" means the IdP omitted some or all groups because the user has too many; tokens carry a marker (`_claim_names.groups`).
if moreOverage {
groupOverage = true
}
@@ -122,7 +125,7 @@ func OIDCRedirect(router *gin.RouterGroup) {
if len(requiredGroups) > 0 {
switch {
case groupOverage && len(groups) == 0:
message := "group claim overage; cannot validate required groups"
message := "IdP omitted some or all groups; cannot validate required groups"
event.AuditErr([]string{clientIp, "create session", "oidc", message})
event.LoginError(clientIp, "oidc", userName, userAgent, message)
c.HTML(http.StatusUnauthorized, "auth.gohtml", CreateSessionError(http.StatusUnauthorized, i18n.Error(i18n.ErrForbidden)))

2
internal/auth/oidc/README.md
View File

@@ -74,7 +74,7 @@ Integration Guide for Entra ID:
2. Redirect URI: add `https://app.localssl.dev/api/v1/oidc/redirect` (for Traefik) or `http://localhost:2342/api/v1/oidc/redirect` for local dev.
3. Token configuration → **Add optional claim****Token type** = ID (and Access if you prefer) → **Groups** → choose **Security groups**.
4. Under “Emit groups as”, pick **Group name** (cloud-only) or **sAMAccountName** / **DNSDomainName\sAMAccountName** for synced AD; this makes tokens carry human-friendly names instead of GUIDs.
5. If you keep **Group ID**, leave PhotoPrism config in GUID mode; if you emit names, set `PHOTOPRISM_OIDC_GROUP` / `PHOTOPRISM_OIDC_GROUP_ROLE` to those names (lowercase in config for consistency).
5. If you keep **Group ID**, leave PhotoPrism config in GUID mode; if you emit names, set `PHOTOPRISM_OIDC_GROUP` / `PHOTOPRISM_OIDC_GROUP_ROLE` to those names (lowercase in config for consistency). When Microsoft signals group **overage** (too many groups to fit in the token), it sets `_claim_names.groups` and may omit groups entirely; PhotoPrism will currently block login if required groups are configured and no groups are present.
6. Grant admin consent for the chosen scopes (at minimum `openid profile email`, plus `offline_access` if you need refresh tokens).
7. Configure PhotoPrism (example `.env-oidc` with placeholder secrets):
```