Subdirectory support for OIDC and SocketIO #3665
Merged
Brief summary
This is another PR in preparation for switching to subdirectory support in accordance with #3535.
This covers two issues:
Which issue is fixed?
There are no existing bugs for this PR.
There should be no visible effect on existing (no-subdirectory) setups.
In-depth Description
SocketIO support
After the planned switch to subdirectory support, we will have both existing (no subdirectory) clients and new clients (either using a subdirectory or not). Since our SocketIO lives outside of the normal express middleware handlers, we need to support both subdirectory and no-subdirectory paths to access it.
This is achieved by bringing up two identical SocketIO servers that only differ in their paths. One uses the standard /socket.io path, and the other uses ${subdirectory}/socket.io (e.g. /audiobookshelf/socket.io). This way, legacy clients can still connect to the no-directory SocketIO server.
OIDC Authentication support
OIDC authentication setups need to register a couple of authorized callback URLs in the OAuth provider. After the provider performs the authentication, it checks the callback URL it got from the server against the authorized callback URLs, and only calls back the server if it found a match.
So, in order for ABS servers to work after switching to subdirectory support, they need to remember which URLs were registered with the provider:
This way, existing OIDC setups will continue to work without any manual setup required after the planned switch to subdirectory support.
To achieve this, we introduce a new server setting, authOpenIDSubfolderForRedirectURLs. For existing OIDC setups it would be set to None (empty string). For new setups after the planned switch, it could be set to either None, or ${subdirectory} (e.g. /audiobookshelf). Authentication.vue was modified to enable setting it.
How have you tested this?
This was extensively tested using existing (no-subdirectory) and new (subdirectory) clients.
The server migration to add the new OIDC subfolder server setting was unit-tested as well as run on a test database with and without an existing OIDC setup.
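
The redirect-URL matching described under "OIDC Authentication support", as an added example that is not part of this PR or the project's code: it shows why an existing setup has to keep the subfolder setting at None, and why the stored value should be validated before it is joined into a URL. The origin, the `/oidc/callback` route and all helper names are assumptions made for illustration.

```javascript
// Added example, not code from the PR. The origin and CALLBACK_PATH are placeholders.
const CALLBACK_PATH = '/oidc/callback' // hypothetical route, not the project's actual path

// Normalise a stored authOpenIDSubfolderForRedirectURLs value:
// '' means None; otherwise '/segment' form with no trailing slash.
// Values such as '//host' are rejected because they would change the URL's origin.
function normalizeSubfolder(value) {
  const trimmed = String(value ?? '').replace(/\/+$/, '')
  if (trimmed === '') return ''
  if (!/^(\/[A-Za-z0-9_-]+)+$/.test(trimmed)) {
    throw new Error(`invalid subfolder: ${JSON.stringify(value)}`)
  }
  return trimmed
}

// Server side: the redirect_uri sent to the provider is derived from the stored
// setting, not from whichever path the current request happened to arrive on.
function buildRedirectUri(origin, subfolderForRedirectURLs) {
  const path = normalizeSubfolder(subfolderForRedirectURLs) + CALLBACK_PATH
  return new URL(path, origin).href
}

// Provider side: the callback is honoured only on an exact match
// against the authorized callback URLs.
function providerAccepts(registeredUris, redirectUri) {
  return registeredUris.includes(redirectUri)
}

// Constructed sample data: one provider registered before the switch, one after.
const ORIGIN = 'https://abs.example.com'
const legacyRegistered = [`${ORIGIN}/oidc/callback`]
const subdirRegistered = [`${ORIGIN}/audiobookshelf/oidc/callback`]

function demo() {
  return {
    // Existing setup, setting left at None: still matches the old registration.
    legacyKeepsNone: providerAccepts(legacyRegistered, buildRedirectUri(ORIGIN, '')),
    // Existing setup, setting changed without re-registering: provider refuses.
    legacySwitched: providerAccepts(legacyRegistered, buildRedirectUri(ORIGIN, '/audiobookshelf')),
    // New setup registered with the subdirectory URL.
    newWithSubdir: providerAccepts(subdirRegistered, buildRedirectUri(ORIGIN, '/audiobookshelf/'))
  }
}

console.log(demo())
```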