Optionally disable local login now that OIDC is in

[inappropriate-horse]

Many thanks for OIDC! Works perfectly with Authentik (and I no longer need to scramble to remember another password).

Would it be worthwhile to have an env variable to disable non-OIDC login?

[nicotsx]

@inappropriate-horse yes indeed this would be useful

[arcoast]

I would also love this, and being cheeky and adding to the wishlist:

Being able to configure it all through environmental variables would be amazing, as well as being able to assign permissions, ie admin or user, based on OIDC groups would also be phenomenal.

I've set it up with Authelia though and it's working great for me.

Here's the config.

      - client_id: zerobyte
        client_name: Zerobyte
        client_secret: {{ secret "/deploy/secrets/CLIENT_SECRET_ZEROBYTE" }}
        public: false
        authorization_policy: two_factor
        consent_mode: implicit
        scopes:
          - openid
          - groups
          - email
          - profile
        redirect_uris:
          - https://zerobyte.{{ env "DOMAIN" }}/api/auth/sso/callback/Authelia
        userinfo_signed_response_alg: none

In addition, I needed to add this environmental variable to my compose file to

services:
    zerobyte:
        environment:
            - TRUSTED_ORIGINS=DOMAIN.COM

[AlexRooted]

Hey, new here and trying to implement Pocket-id auth with OIDC. Can anybody point me in the direction/ resource to configure this?
Would be greatly appreciated!!!
Thanks!

[janreinhardt]

@AlexRooted Have you figured it out yet?
I have got that same setup and I could post 2 screenshots to help.

[AlexRooted]

@AlexRooted Have you figured it out yet?

I have got that same setup and I could post 2 screenshots to help.

Thank you that would be super helpful!

Also further question I have is what happens in case I have issues with pocket-id/are unable to have it up and running. Am I locked out of zerobyte? Do I need to manually change config (in some ways)?

[janreinhardt]

If you can't log in via Pocked ID then you can still use your username+password. You won't be locked out.

Below are 3 screenshots of my Zerobyte config and my Pocket ID. Hostnames are zerobyte.XXX.ts.net and raspi5.XXX.ts.net

[AlexRooted]

Thank you very much! Was able to successfully make it work.

[BartschLabs]

@nicotsx, thanks so much for OIDC!

Just in case anybody else has the same problem I had, it looks like you can't use spaces in the Provider ID. I tried to use "Example Pocket ID" for Provider ID. I had to set it to "Example-Pocket-ID".

The Callback URL got set to

https://zerobyte.example.com/api/auth/sso/callback/Example Pocket ID

That seemed to be invalid.

It's interesting that the OIDC implementation adds the Provider ID into the Callback URL. In the OIDC implementations of other apps I'm using, the Callback URL gets set to one of these:

https://zerobyte.example.com/auth-oidc-callback
https://zerobyte.example.com/api/auth/oidc/callback
https://zerobyte.example.com//users/auth/openid_connect/callback
https://zerobyte.example.com/api/oauth2-redirect
https://zerobyte.example.com/api/v1/users/login/oidc/callback

[nicotsx]

I will try to prevent this by turning the name into a slug. The name in the url is unavoidable otherwise the app doesn't know from which provider it got the response. Probably the other apps you have used don't support multiple providers

[janreinhardt]

Please, if you switch OIDC around:
could you instead of auto discovery-only make the backchannel URLs for the endpoints configurable?

and maybe have the OIDC stuff available as docker environment variables?

Both things would help a lot when integrating with different public / non-public identity providers and fumbling around with ones homelab setup.

Cheers!