authelia: add extraOidcAuthorizationPolicies option

This is needed for example to only authorize users of a given group to access a service.
Usually, the application itself enforces this but some don't.
This commit is contained in:
ibizaman 2025-09-29 20:56:09 +02:00 committed by Pierre Penninckx
parent 5b40cf3707
commit 139ceca768
2 changed files with 11 additions and 1 deletions

View file

@ -80,6 +80,9 @@
"blocks-authelia-options-shb.authelia.extraDefinitions": [
"blocks-authelia.html#blocks-authelia-options-shb.authelia.extraDefinitions"
],
"blocks-authelia-options-shb.authelia.extraOidcAuthorizationPolicies": [
"blocks-authelia.html#blocks-authelia-options-shb.authelia.extraOidcAuthorizationPolicies"
],
"blocks-authelia-options-shb.authelia.extraOidcClaimsPolicies": [
"blocks-authelia.html#blocks-authelia-options-shb.authelia.extraOidcClaimsPolicies"
],

View file

@ -157,6 +157,12 @@ in
default = {};
};
extraOidcAuthorizationPolicies = lib.mkOption {
description = "Extra OIDC authorization policies.";
type = lib.types.attrsOf lib.types.attrs;
default = {};
};
extraDefinitions = lib.mkOption {
description = "Extra definitions.";
type = lib.types.attrsOf lib.types.attrs;
@ -216,7 +222,7 @@ in
};
authorization_policy = lib.mkOption {
type = lib.types.enum [ "one_factor" "two_factor" ];
type = lib.types.enum ([ "one_factor" "two_factor" ] ++ lib.attrNames cfg.extraOidcAuthorizationPolicies);
description = "Require one factor (password) or two factor (device) authentication.";
default = "one_factor";
};
@ -491,6 +497,7 @@ in
default.id_token = [ "email" "preferred_username" "name" "groups" ];
} // cfg.extraOidcClaimsPolicies;
scopes = cfg.extraOidcScopes;
authorization_policies = cfg.extraOidcAuthorizationPolicies;
};
} // lib.optionalAttrs (cfg.extraDefinitions != {}) {
definitions = cfg.extraDefinitions;