Commit
feat: allow for HTTPS to be disabled in OpenID discovery (#77)
* feat: allow for HTTPS to be disabled in OpenID discovery (#76)
9p4 authored Sep 9, 2022
1 parent 98ddb9e commit fa46806
Showing 3 changed files with 8 additions and 1 deletion.
3 changes: 2 additions & 1 deletion README.md
@@ -192,11 +192,12 @@ These all require authorization. Append an API key to the end of the request: `c
- `enableFolderRoles`: boolean. Determines if role-based folder access should be used.
- `folderRoleMapping`: object in the format "role": string and "folders": array of strings. The user with this role will have access to the following folders if `enableFolderRoles` is enabled. To get the IDs of the folders, GET the `/Library/MediaFolders` URL with an API key. Look for the `Id` attribute.
- `roleClaim`: string. This is the value in the OpenID response to check for roles. For Keycloak, it is `realm_access.roles` by default. The first element is the claim type, the subsequent values are to parse the JSON of the claim value. Use a "\\." to denote a literal ".". This expects a list of strings from the OIDC server.
- `oidScopes` : array of strings. each containing an additional scope name to include in the OIDC request.
- `oidScopes` : array of strings. Each contains an additional scope name to include in the OIDC request.
- For some OIDC providers (For example, [authelia](https://github.com/9p4/jellyfin-plugin-sso/issues/23#issuecomment-1112237616)), additional scopes may be required in order to validate group membership in role claim.
- Leave empty to only request the default scopes.
- `defaultProvider`: string. The set provider then gets assigned to the user after they have logged in. If it is not set, nothing is changed. With this, a user can login with SSO but is still able to log in via other providers later. See the `Unregister` endpoint.
- `defaultUsernameClaim`: string. The provider will use the claim to create the users' usernames. If not set, it fallbacks to `preferred_username`.
- `requireHttps`: boolean. Determines whether the OpenID discovery endpoint requires HTTP. It is advised NOT to set this to false. If not set, it fallbacks to `true`.
- GET `OID/Del/PROVIDER_NAME`: This removes a configuration for OpenID for a given provider name.
- GET `OID/Get`: Lists the configurations currently available.
- GET `OID/States`: Lists currently active OpenID flows in progress.
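Review bot: the new `requireHttps` entry in this hunk says the discovery endpoint "requires HTTP"; it should say HTTPS, since the option controls whether the discovery document may be fetched over plain HTTP. "it fallbacks to `true`" should read "it falls back to `true`" (the `defaultUsernameClaim` entry above has the same slip). Suggested wording: `- `requireHttps`: boolean. Determines whether the OpenID discovery endpoint must be served over HTTPS. It is advised NOT to set this to false. If not set, it falls back to `true`.` Note that the documented default of `true` only holds if the configuration property actually defaults to `true`; the `PluginConfiguration.cs` hunk below declares it as a plain `bool` with no initializer, which defaults to `false` in C#.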
1 change: 1 addition & 0 deletions SSO-Auth/Api/SSOController.cs
@@ -90,6 +90,7 @@ public ActionResult OidPost(
Scope = string.Join(" ", config.OidScopes.Prepend("openid profile")),
};
options.Policy.Discovery.ValidateEndpoints = false; // For Google and other providers with different endpoints
options.Policy.Discovery.RequireHttps = config.RequireHttps || true;
var oidcClient = new OidcClient(options);
var currentState = StateManager[state].State;
var result = oidcClient.ProcessResponseAsync(Request.QueryString.Value, currentState).Result;
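Review bot: `config.RequireHttps || true` on the `options.Policy.Discovery.RequireHttps` line always evaluates to `true`, so the setting can never disable the HTTPS requirement and the feature this commit is meant to add does not work. The `|| true` also does not supply a default for an unset value: `config.RequireHttps` is a non-nullable `bool`, so an absent key is already `false` and the expression cannot tell "unset" from "set to false". Assign the value directly, `options.Policy.Discovery.RequireHttps = config.RequireHttps;`, and put the documented default of `true` on the property in `PluginConfiguration` (an initializer, or a `bool?` with `?? true` here). Worth keeping the README's warning in mind when reviewing the intent: with `ValidateEndpoints` already set to `false` on the line above, turning `RequireHttps` off removes the remaining transport check on the discovery document, so plain-HTTP discovery should only ever be used against a local test provider.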
5 changes: 5 additions & 0 deletions SSO-Auth/Config/PluginConfiguration.cs
@@ -222,6 +222,11 @@ public SerializableDictionary<string, Guid> CanonicalLinks
/// Gets or sets the default username claim when creating new accounts.
/// </summary>
public string DefaultUsernameClaim { get; set; }

/// <summary>
/// Gets or sets a value indicating whether HTTPS in the discovery endpoint is required.
/// </summary>
public bool RequireHttps { get; set; }
}

/// <summary>
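Review bot: `public bool RequireHttps { get; set; }` has no initializer, so a configuration saved before this change, or one that omits the key, deserializes with `RequireHttps == false`, the opposite of the README's "If not set, it fallbacks to `true`". Use `public bool RequireHttps { get; set; } = true;` so the secure default holds for existing configurations, and have the doc comment state it: `/// Gets or sets a value indicating whether the OpenID discovery endpoint must use HTTPS. Defaults to true.`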