Add OIDC authentication support #351

Open
anujc4 wants to merge 10 commits into dullage:develop from anujc4:add_oidc_support

anujc4 commented Feb 11, 2026

First off, thanks for the awesome project @dullage

This PR implements OIDC authentication as raised in issue #289.

I have tested this on my production flatnotes instance with Pocket ID and it works.

I went through the contributing guide and I am aware that you want to keep the project simple. I think having OIDC authentication is a good to have since password auth alone is nowhere near secure (TOTP helps tho).

Happy to know your thoughts.

anujc4 (Author) commented

I think this was my editor trying to be clever and formatted the markdown file, happy to revert back and just add my changes in.

anujc4 changed the title from "Add OIDC support" to "Add OIDC authentication support" Feb 11, 2026

ablyes commented Feb 11, 2026

I will try with authentik this week.

kimllee commented Feb 13, 2026

I have tried with Tinyauth for using GitHub's OAuth2 (because GitHub doesn't support OIDC) and it's working fine. :)
The only "issue" is that the logout button isn't available anymore but with the session expiry set to 10 min in Tinyauth, the session will be closed.

anujc4 (Author) commented Feb 17, 2026

Hi @dullage, any thoughts on this :)

kimllee commented Feb 18, 2026

> Hi @dullage, any thoughts on this :)

I have switched to Alexandrie (https://github.com/Smaug6739/Alexandrie)

ablyes commented Feb 18, 2026

I tried to integrate the OIDC version with authentik.
The final step is not working.
The redirection to /api/auth/oidc/login seems to be the blocker.
Authentik wants something similar, like this: /api/auth/oidc/callback
Is there a way to not hard-code this value?

anujc4 (Author) commented Feb 18, 2026

> Authentik wants something similar, like this: /api/auth/oidc/callback
> Is there a way to not hard-code this value?

AFAIK OIDC providers allow the users to configure the callback URL, and don't require them to be in a specific format. Mind sharing the error message you receive when triggering the oauth flow?

The HTTP route is hardcoded here, and has to be static.

anujc4 (Author) commented Feb 18, 2026

> I have switched to Alexandrie (https://github.com/Smaug6739/Alexandrie)

Hmm this does seem tempting. I want a barebones no-nonsense simple notes keeping app, which flatnotes does wonderfully. The one good thing I see about Alexandrie though is that it can do hierarchal notes.

dullage (Owner) commented Feb 18, 2026

> Hi @dullage, any thoughts on this :)

Hi @anujc4, sorry for the delayed response on this PR, and thanks for getting involved. Whilst I would be interested in supporting OIDC, it's not something I've implemented in the past and therefore there's a fair bit of time needed for me to get up to speed and review the changes (which I notice also include new dependencies which I'll need to review).

Unfortunately, I don't get as much free time as I'd like to spend on flatnotes. But I am hoping to put some time aside in the not too distant future and will try and take a look at this then.

ablyes commented Feb 18, 2026

> > Authentik wants something similar, like this: /api/auth/oidc/callback
> > Is there a way to not hard-code this value?
>
> AFAIK OIDC providers allow the users to configure the callback URL, and don't require them to be in a specific format. Mind sharing the error message you receive when triggering the oauth flow?
>
> The HTTP route is hardcoded here, and has to be static.

Yes, I saw the hardcoded path.

I did this kind of redirection, which works with Homarr (dashboard app)
Redirect URIs
regex: .*

It seems to not work with flatnotes, but I don't see why right now.

ablyes commented Feb 18, 2026

Why don't we have in the docker file this kind of keys?
AUTH_OIDC_ISSUER: "https://auth.xx.fr/application/o/homarr/"
AUTH_OIDC_URI: "https://auth.xx.fr/application/o/authorize/"

ablyes commented Feb 18, 2026

It's working now... just the terms are quite different from what I used to read/write, especially if you compare with Homarr application.

Here is the config that worked for me:
FLATNOTES_OIDC_PROVIDER_URL=https://auth.toto.com/application/o/flatnotes/
FLATNOTES_OIDC_REDIRECT_URI=https://note.toto.com/api/auth/oidc/callback
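
A pre-flight check for the two variables in the working configuration above, as an added example that is not part of the PR or of any participant's comment. It assumes `/api/auth/oidc/callback` is the route the PR hard-codes; `check_flatnotes_oidc_env` and `provider_accepts` are hypothetical helpers, the latter a simplified model of a provider's strict versus regex redirect URI matching, and all hostnames are constructed.

```python
import re
from urllib.parse import urlsplit

# Callback path taken from the working configuration in the thread; assumed
# here to be the route the PR hard-codes.
CALLBACK_PATH = "/api/auth/oidc/callback"
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}


def check_flatnotes_oidc_env(env):
    """Return a list of problems found in the two OIDC variables."""
    problems = []
    for key in ("FLATNOTES_OIDC_PROVIDER_URL", "FLATNOTES_OIDC_REDIRECT_URI"):
        parts = urlsplit(env.get(key, ""))
        if not parts.hostname:
            problems.append(f"{key}: missing or not an absolute URL")
            continue
        if parts.scheme != "https" and parts.hostname not in LOCAL_HOSTS:
            problems.append(f"{key}: must use https outside localhost")
        if parts.fragment:
            problems.append(f"{key}: must not carry a fragment")
        if key.endswith("REDIRECT_URI") and parts.path != CALLBACK_PATH:
            problems.append(f"{key}: path {parts.path!r} is not {CALLBACK_PATH!r}")
    return problems


def provider_accepts(registered, requested, mode="strict"):
    """Simplified model of a provider's redirect URI check (strict or regex)."""
    if mode == "regex":
        return re.fullmatch(registered, requested) is not None
    return registered == requested


# Constructed sample values (hostnames are placeholders).
GOOD = {
    "FLATNOTES_OIDC_PROVIDER_URL": "https://auth.example.test/application/o/flatnotes/",
    "FLATNOTES_OIDC_REDIRECT_URI": "https://notes.example.test/api/auth/oidc/callback",
}
# Same settings, but pointing at the login route over plain http.
BAD = dict(GOOD, FLATNOTES_OIDC_REDIRECT_URI="http://notes.example.test/api/auth/oidc/login")

if __name__ == "__main__":
    print(check_flatnotes_oidc_env(GOOD))
    for line in check_flatnotes_oidc_env(BAD):
        print(line)
    uri = GOOD["FLATNOTES_OIDC_REDIRECT_URI"]
    print(provider_accepts(uri, uri))  # exact entry registered at the provider
    print(provider_accepts(".*", "https://other.example.test/cb", "regex"))  # wildcard entry
```

Registering the exact callback URL at the provider, rather than a `.*` regex entry, means only the flatnotes callback is accepted as a redirect target.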
