Merge pull request #2198 from TriliumNext/oidc

Support custom oidc server

Author: eliandoran

apps/server/src/assets/config-sample.ini

@@ -55,3 +55,15 @@ oauthClientId=
 # Set the client secret for OAuth/OpenID authentication
 # This is the secret of the client that will be used to verify the user's identity
 oauthClientSecret=
+
+# Set the issuer base URL for OAuth/OpenID authentication
+# This is the base URL of the service that will be used to verify the user's identity
+oauthIssuerBaseUrl=
+
+# Set the issuer name for OAuth/OpenID authentication
+# This is the name of the service that will be used to verify the user's identity
+oauthIssuerName=
+
+# Set the issuer icon for OAuth/OpenID authentication
+# This is the icon of the service that will be used to verify the user's identity
+oauthIssuerIcon=

apps/server/src/assets/translations/cn/server.json

@@ -103,7 +103,7 @@
     "password": "密码",
     "remember-me": "记住我",
     "button": "登录",
-    "sign_in_with_google": "使用 Google 登录"
+    "sign_in_with_sso": "使用 {{ ssoIssuerName }} 登录"
   },
   "set_password": {
     "title": "设置密码",

apps/server/src/assets/translations/en/server.json

@@ -112,7 +112,7 @@
     "password": "Password",
     "remember-me": "Remember me",
     "button": "Login",
-    "sign_in_with_google": "Sign in with Google"
+    "sign_in_with_sso": "Sign in with {{ ssoIssuerName }}"
   },
   "set_password": {
     "title": "Set Password",

apps/server/src/assets/views/login.ejs

@@ -26,8 +26,8 @@
 
         <% if (ssoEnabled) { %>
             <a href="/authenticate" class="google-login-btn">
-                <img src="<%= assetPath %>/images/google-logo.svg" alt="Google logo">
-                <%= t("login.sign_in_with_google") %>
+                <img src="<%= ssoIssuerIcon.length === 0 ? assetPathFragment + '/images/google-logo.svg' : ssoIssuerIcon %>" alt="<%= ssoIssuerName %>">
+                <%= t("login.sign_in_with_sso", { ssoIssuerName: ssoIssuerName }) %>
             </a>
         <% } else { %>
             <form action="login" method="POST">

apps/server/src/routes/login.ts

@@ -19,6 +19,8 @@ function loginPage(req: Request, res: Response) {
         wrongTotp: false,
         totpEnabled: totp.isTotpEnabled(),
         ssoEnabled: openID.isOpenIDEnabled(),
+        ssoIssuerName: openID.getSSOIssuerName(),
+        ssoIssuerIcon: openID.getSSOIssuerIcon(),
         assetPath: assetPath,
         assetPathFragment: assetUrlFragment,
         appPath: appPath,

apps/server/src/services/config.ts

@@ -46,6 +46,9 @@ export interface TriliumConfig {
         oauthBaseUrl: string;
         oauthClientId: string;
         oauthClientSecret: string;
+        oauthIssuerBaseUrl: string;
+        oauthIssuerName: string;
+        oauthIssuerIcon: string;
     };
 }
 
@@ -123,7 +126,16 @@ const config: TriliumConfig = {
             process.env.TRILIUM_OAUTH_CLIENT_ID || iniConfig?.MultiFactorAuthentication?.oauthClientId || "",
 
         oauthClientSecret:
-            process.env.TRILIUM_OAUTH_CLIENT_SECRET || iniConfig?.MultiFactorAuthentication?.oauthClientSecret || ""
+            process.env.TRILIUM_OAUTH_CLIENT_SECRET || iniConfig?.MultiFactorAuthentication?.oauthClientSecret || "",
+
+        oauthIssuerBaseUrl:
+            process.env.TRILIUM_OAUTH_ISSUER_BASE_URL || iniConfig?.MultiFactorAuthentication?.oauthIssuerBaseUrl || "https://accounts.google.com",
+
+        oauthIssuerName:
+            process.env.TRILIUM_OAUTH_ISSUER_NAME || iniConfig?.MultiFactorAuthentication?.oauthIssuerName || "Google",
+
+        oauthIssuerIcon:
+            process.env.TRILIUM_OAUTH_ISSUER_ICON || iniConfig?.MultiFactorAuthentication?.oauthIssuerIcon || ""
     }
 };
 

apps/server/src/services/open_id.ts

@@ -8,7 +8,7 @@ import config from "./config.js";
 
 
 function checkOpenIDConfig() {
-    let missingVars: string[] = []
+    const missingVars: string[] = []
     if (config.MultiFactorAuthentication.oauthBaseUrl === "") {
         missingVars.push("oauthBaseUrl");
     }
@@ -89,6 +89,14 @@ function isTokenValid(req: Request, res: Response, next: NextFunction) {
     }
 }
 
+function getSSOIssuerName() {
+    return config.MultiFactorAuthentication.oauthIssuerName;
+}
+
+function getSSOIssuerIcon() {
+    return config.MultiFactorAuthentication.oauthIssuerIcon;
+}
+
 function generateOAuthConfig() {
     const authRoutes = {
         callback: "/callback",
@@ -105,7 +113,7 @@ function generateOAuthConfig() {
         auth0Logout: false,
         baseURL: config.MultiFactorAuthentication.oauthBaseUrl,
         clientID: config.MultiFactorAuthentication.oauthClientId,
-        issuerBaseURL: "https://accounts.google.com",
+        issuerBaseURL: config.MultiFactorAuthentication.oauthIssuerBaseUrl,
         secret: config.MultiFactorAuthentication.oauthClientSecret,
         clientSecret: config.MultiFactorAuthentication.oauthClientSecret,
         authorizationParams: {
@@ -147,6 +155,8 @@ function generateOAuthConfig() {
 export default {
     generateOAuthConfig,
     getOAuthStatus,
+    getSSOIssuerName,
+    getSSOIssuerIcon,
     isOpenIDEnabled,
     clearSavedUser,
     isTokenValid,