diff --git a/docs/redirects.json b/docs/redirects.json index d2209d8..b9f92bb 100644 --- a/docs/redirects.json +++ b/docs/redirects.json @@ -80,6 +80,9 @@ "blocks-authelia-options-shb.authelia.extraDefinitions": [ "blocks-authelia.html#blocks-authelia-options-shb.authelia.extraDefinitions" ], + "blocks-authelia-options-shb.authelia.extraOidcAuthorizationPolicies": [ + "blocks-authelia.html#blocks-authelia-options-shb.authelia.extraOidcAuthorizationPolicies" + ], "blocks-authelia-options-shb.authelia.extraOidcClaimsPolicies": [ "blocks-authelia.html#blocks-authelia-options-shb.authelia.extraOidcClaimsPolicies" ], diff --git a/modules/blocks/authelia.nix b/modules/blocks/authelia.nix index a6a88fa..daf5f98 100644 --- a/modules/blocks/authelia.nix +++ b/modules/blocks/authelia.nix @@ -157,6 +157,12 @@ in default = {}; }; + extraOidcAuthorizationPolicies = lib.mkOption { + description = "Extra OIDC authorization policies."; + type = lib.types.attrsOf lib.types.attrs; + default = {}; + }; + extraDefinitions = lib.mkOption { description = "Extra definitions."; type = lib.types.attrsOf lib.types.attrs; @@ -216,7 +222,7 @@ in }; authorization_policy = lib.mkOption { - type = lib.types.enum [ "one_factor" "two_factor" ]; + type = lib.types.enum ([ "one_factor" "two_factor" ] ++ lib.attrNames cfg.extraOidcAuthorizationPolicies); description = "Require one factor (password) or two factor (device) authentication."; default = "one_factor"; }; @@ -491,6 +497,7 @@ in default.id_token = [ "email" "preferred_username" "name" "groups" ]; } // cfg.extraOidcClaimsPolicies; scopes = cfg.extraOidcScopes; + authorization_policies = cfg.extraOidcAuthorizationPolicies; }; } // lib.optionalAttrs (cfg.extraDefinitions != {}) { definitions = cfg.extraDefinitions;