diff --git a/src/auth/extra/.gitignore b/src/auth/extra/.gitignore
new file mode 100644
index 0000000..35e0b97
--- /dev/null
+++ b/src/auth/extra/.gitignore
@@ -0,0 +1 @@
+providers.toml
diff --git a/src/auth/extra/providers.schema.json b/src/auth/extra/providers.schema.json
new file mode 100644
index 0000000..9948356
--- /dev/null
+++ b/src/auth/extra/providers.schema.json
@@ -0,0 +1,186 @@
+{
+ "type": "object",
+ "properties": {
+ "providers": {
+ "type": "object",
+ "patternProperties": {
+ "^(.*)$": {
+ "anyOf": [
+ {
+ "type": "object",
+ "properties": {
+ "token_url": {
+ "type": "string"
+ },
+ "auth_url": {
+ "type": "string"
+ },
+ "info_url": {
+ "type": "string"
+ },
+ "client_id": {
+ "type": "string"
+ },
+ "client_secret": {
+ "anyOf": [
+ {
+ "type": "object",
+ "properties": {
+ "env": {
+ "description": "Secret is stored in the env var",
+ "type": "string"
+ }
+ },
+ "required": [
+ "env"
+ ]
+ },
+ {
+ "type": "object",
+ "properties": {
+ "inline": {
+ "description": "Secret is inline here",
+ "type": "string"
+ }
+ },
+ "required": [
+ "inline"
+ ]
+ }
+ ]
+ },
+ "scopes": {
+ "type": "array",
+ "items": {
+ "type": "string"
+ }
+ },
+ "redirect_url": {
+ "type": "string"
+ },
+ "user": {
+ "default": {
+ "unique_id": "email",
+ "name": "name"
+ },
+ "type": "object",
+ "properties": {
+ "unique_id": {
+ "description": "A unique identifier for this provider",
+ "default": "email",
+ "type": "string"
+ },
+ "name": {
+ "description": "A name for this provider",
+ "default": "name",
+ "type": "string"
+ }
+ },
+ "required": [
+ "unique_id",
+ "name"
+ ]
+ }
+ },
+ "required": [
+ "token_url",
+ "auth_url",
+ "info_url",
+ "client_id",
+ "client_secret",
+ "scopes",
+ "redirect_url",
+ "user"
+ ]
+ },
+ {
+ "type": "object",
+ "properties": {
+ "openid_url": {
+ "type": "string"
+ },
+ "client_id": {
+ "type": "string"
+ },
+ "client_secret": {
+ "anyOf": [
+ {
+ "type": "object",
+ "properties": {
+ "env": {
+ "description": "Secret is stored in the env var",
+ "type": "string"
+ }
+ },
+ "required": [
+ "env"
+ ]
+ },
+ {
+ "type": "object",
+ "properties": {
+ "inline": {
+ "description": "Secret is inline here",
+ "type": "string"
+ }
+ },
+ "required": [
+ "inline"
+ ]
+ }
+ ]
+ },
+ "scopes": {
+ "type": "array",
+ "items": {
+ "type": "string"
+ }
+ },
+ "redirect_url": {
+ "type": "string"
+ },
+ "user": {
+ "default": {
+ "unique_id": "email",
+ "name": "name"
+ },
+ "type": "object",
+ "properties": {
+ "unique_id": {
+ "description": "A unique identifier for this provider",
+ "default": "email",
+ "type": "string"
+ },
+ "name": {
+ "description": "A name for this provider",
+ "default": "name",
+ "type": "string"
+ }
+ },
+ "required": [
+ "unique_id",
+ "name"
+ ]
+ }
+ },
+ "required": [
+ "openid_url",
+ "client_id",
+ "client_secret",
+ "scopes",
+ "redirect_url",
+ "user"
+ ]
+ }
+ ]
+ }
+ }
+ },
+ "$schema": {
+ "type": "string"
+ }
+ },
+ "required": [
+ "providers"
+ ]
+}
diff --git a/src/auth/extra/providers.toml.template b/src/auth/extra/providers.toml.template
new file mode 100644
index 0000000..98f3ad5
--- /dev/null
+++ b/src/auth/extra/providers.toml.template
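Review bot: Every URL-valued property in both provider variants (`token_url`, `auth_url`, `info_url`, `openid_url`, `redirect_url`) is a bare `"type": "string"`, so the schema accepts any text, including non-https values, for endpoints that will carry the client secret and authorization codes; adding `"format": "uri"` and, for the endpoint URLs, `"pattern": "^https://"` would reject those at validation time instead of at runtime. The `user` object and its `unique_id`/`name` members each carry a `default` while also being listed under `required`, which contradicts itself — a required key never has its default applied, so drop one or the other. Neither variant sets `"additionalProperties": false`, so a record that mixes `openid_url` with `auth_url`/`token_url` still validates through `anyOf` and the consumer is left to pick. The `^(.*)$` key pattern admits any provider name, and the template's redirect URLs suggest the key ends up in a URL path, so a tighter pattern such as `^[A-Za-z0-9_-]+$` seems warranted — confirm against the router.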
@@ -0,0 +1,21 @@
+"$schema" = "https://maix.me/providers.schema.json"
+
+[providers.provider-openid]
+openid_url = "https://example.com/openid-url-without-.wellknown"
+client_id = "CLIENT_ID"
+client_secret.inline = "INLINED SECRET INSIDE CONFIG FILE"
+scopes = ["any needed scope here", "openid", "email"]
+# this url is to point to the local thingy - ask maieul
+redirect_url = "https://local.maix.me:8888/api/auth/oauth2/provider-openid/callback"
+# from the `info_url` request, which json key we will take an unique provider id (default:email) and an name for the user (default:name)
+user = { unique_id = "email", name = "name" }
+
+[providers.discord]
+auth_url = "https://discord.com/oauth2/authorize"
+token_url = "https://discord.com/api/oauth2/token"
+info_url = "https://discord.com/api/v10/users/@me"
+client_secret.env = "PROVIDER_SECRET_DISCORD" # here the secret is provided in the env var with that name
+client_id = "CLIENT_ID"
+redirect_url = "https://local.maix.me:8888/api/auth/oauth2/discord/callback"
+scopes = ["identify"] # here no email asked :)
+user = { unique_id = "id", name = "username" } # for example discord provides some stuff, like unique_id and username, such that we dont have to ask additional permission to get the email
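Review bot: The first example sets `client_secret.inline = "INLINED SECRET INSIDE CONFIG FILE"`, so anyone copying the template starts from the secret-in-file form even though the `discord` block below already shows the env-var form that keeps the secret out of `providers.toml` and its backups; lead with `client_secret.env = "PROVIDER_SECRET_OPENID"` and mention `inline` in a comment as the fallback. The comment above `user` in the `provider-openid` block refers to "the `info_url` request", but this variant has no `info_url`, only `openid_url`, so the comment should say where the keys are read from in the OpenID case (presumably the userinfo endpoint discovered via `openid_url`; confirm). `# this url is to point to the local thingy - ask maieul` should state the contract instead, e.g. `# must exactly match the callback URL registered with the provider; the path ends in /<provider-key>/callback`. The `openid_url` example value ending in `without-.wellknown` likely means the issuer URL without the `/.well-known/openid-configuration` suffix; a comment saying so would prevent misconfiguration.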