OIDC: Add additional config options and OAuth2 API endpoints #782

Signed-off-by: Michael Mayer <michael@photoprism.app>
2025-12-12 00:34:13 +01:00 · 2024-06-26 14:05:58 +02:00
parent 7af4a1741b
commit c0ea3c79a3
24 changed files with 287 additions and 101 deletions
--- a/internal/api/oauth_authorize.go
+++ b/internal/api/oauth_authorize.go
@@ -0,0 +1,46 @@
+package api
+
+import (
+	"net/http"
+
+	"github.com/gin-gonic/gin"
+
+	"github.com/photoprism/photoprism/internal/event"
+	"github.com/photoprism/photoprism/internal/get"
+	"github.com/photoprism/photoprism/pkg/authn"
+	"github.com/photoprism/photoprism/pkg/header"
+	"github.com/photoprism/photoprism/pkg/i18n"
+)
+
+// OAuthAuthorize is a starting point for browser-based OpenID Connect flows.
+//
+// GET /api/v1/oauth/authorize
+func OAuthAuthorize(router *gin.RouterGroup) {
+	router.GET("/oauth/authorize", func(c *gin.Context) {
+		// Prevent CDNs from caching this endpoint.
+		if header.IsCdn(c.Request) {
+			AbortNotFound(c)
+			return
+		}
+
+		// Disable caching of responses.
+		c.Header(header.CacheControl, header.CacheControlNoStore)
+
+		// Get client IP address for logs and rate limiting checks.
+		clientIp := ClientIP(c)
+		actor := "unknown client"
+		action := "authorize"
+
+		// Abort if running in public mode.
+		if get.Config().Public() {
+			event.AuditErr([]string{clientIp, "oauth2", actor, action, authn.ErrDisabledInPublicMode.Error()})
+			Abort(c, http.StatusForbidden, i18n.ErrForbidden)
+			return
+		}
+
+		// TODO
+
+		// Send response.
+		c.JSON(http.StatusOK, gin.H{"status": StatusSuccess})
+	})
+}