From 5f995e82dffe8e61d4c860c0254d84d4663ab318 Mon Sep 17 00:00:00 2001 From: ibizaman Date: Tue, 29 Jul 2025 23:56:23 +0200 Subject: [PATCH] add back info into authelia id token --- docs/redirects.json | 3 +++ modules/blocks/authelia.nix | 30 ++++++++++++++++++------------ 2 files changed, 21 insertions(+), 12 deletions(-) diff --git a/docs/redirects.json b/docs/redirects.json index f419149..762e1b6 100644 --- a/docs/redirects.json +++ b/docs/redirects.json @@ -101,6 +101,9 @@ "blocks-authelia-options-shb.authelia.oidcClients._.authorization_policy": [ "blocks-authelia.html#blocks-authelia-options-shb.authelia.oidcClients._.authorization_policy" ], + "blocks-authelia-options-shb.authelia.oidcClients._.claims_policy": [ + "blocks-authelia.html#blocks-authelia-options-shb.authelia.oidcClients._.claims_policy" + ], "blocks-authelia-options-shb.authelia.oidcClients._.client_id": [ "blocks-authelia.html#blocks-authelia-options-shb.authelia.oidcClients._.client_id" ], diff --git a/modules/blocks/authelia.nix b/modules/blocks/authelia.nix index 83fff94..6de9eef 100644 --- a/modules/blocks/authelia.nix +++ b/modules/blocks/authelia.nix @@ -209,6 +209,17 @@ in example = [ "openid" "profile" "email" "groups" ]; default = []; }; + + claims_policy = lib.mkOption { + type = lib.types.str; + description = '' + Claim policy. + + Defaults to 'default' to provide a backwards compatible experience. + Read [this document](https://www.authelia.com/integration/openid-connect/openid-connect-1.0-claims/#restore-functionality-prior-to-claims-parameter) for more information. + ''; + default = "default"; + }; }; }); }; @@ -367,25 +378,20 @@ in disable = "false"; }; ldap = { - implementation = "custom"; + implementation = "lldap"; address = "ldap://${cfg.ldapHostname}:${toString cfg.ldapPort}"; timeout = "5s"; start_tls = "false"; base_dn = cfg.dcdomain; - additional_users_dn = "ou=people"; - # Sign in with username or email. - users_filter = "(&(|({username_attribute}={input})({mail_attribute}={input}))(objectClass=person))"; - additional_groups_dn = "ou=groups"; - groups_filter = "(member={dn})"; + # TODO: use user with less privilege and with lldap_password_manager group to be able to change passwords. user = "uid=admin,ou=people,${cfg.dcdomain}"; - attributes = { - username = "uid"; - group_name = "cn"; - mail = "mail"; - display_name = "displayName"; - }; }; }; + # This should go away at some point. + # https://www.authelia.com/integration/openid-connect/openid-connect-1.0-claims/#restore-functionality-prior-to-claims-parameter + identity_providers.oidc = { + claims_policies.default.id_token = [ "email" "preferred_username" "name" "groups" ]; + }; totp = { disable = "false"; issuer = fqdnWithPort;