Merge pull request #2198 from TriliumNext/oidc

Support custom oidc server
2025-10-31 11:16:05 +08:00 · 2025-06-07 14:13:14 +03:00 · 2025-06-07 14:13:14 +03:00 · 70cdc100d9
commit 70cdc100d9
parent 17c2ae1177 bffb47645c
7 changed files with 43 additions and 7 deletions
--- a/apps/server/src/assets/config-sample.ini
+++ b/apps/server/src/assets/config-sample.ini
@ -55,3 +55,15 @@ oauthClientId=
 # Set the client secret for OAuth/OpenID authentication
 # This is the secret of the client that will be used to verify the user's identity
 oauthClientSecret=
+
+# Set the issuer base URL for OAuth/OpenID authentication
+# This is the base URL of the service that will be used to verify the user's identity
+oauthIssuerBaseUrl=
+
+# Set the issuer name for OAuth/OpenID authentication
+# This is the name of the service that will be used to verify the user's identity
+oauthIssuerName=
+
+# Set the issuer icon for OAuth/OpenID authentication
+# This is the icon of the service that will be used to verify the user's identity
+oauthIssuerIcon=
--- a/apps/server/src/assets/translations/cn/server.json
+++ b/apps/server/src/assets/translations/cn/server.json
@ -103,7 +103,7 @@
    "password": "密码",
    "remember-me": "记住我",
    "button": "登录",
-    "sign_in_with_google": "使用 Google 登录"
+    "sign_in_with_sso": "使用 {{ ssoIssuerName }} 登录"
  },
  "set_password": {
    "title": "设置密码",
--- a/apps/server/src/assets/translations/en/server.json
+++ b/apps/server/src/assets/translations/en/server.json
@ -112,7 +112,7 @@
    "password": "Password",
    "remember-me": "Remember me",
    "button": "Login",
-    "sign_in_with_google": "Sign in with Google"
+    "sign_in_with_sso": "Sign in with {{ ssoIssuerName }}"
  },
  "set_password": {
    "title": "Set Password",
--- a/apps/server/src/assets/views/login.ejs
+++ b/apps/server/src/assets/views/login.ejs
@ -26,8 +26,8 @@

        <% if (ssoEnabled) { %>
            <a href="/authenticate" class="google-login-btn">
-                <img src="<%= assetPath %>/images/google-logo.svg" alt="Google logo">
-                <%= t("login.sign_in_with_google") %>
+                <img src="<%= ssoIssuerIcon.length === 0 ? assetPathFragment + '/images/google-logo.svg' : ssoIssuerIcon %>" alt="<%= ssoIssuerName %>">
+                <%= t("login.sign_in_with_sso", { ssoIssuerName: ssoIssuerName }) %>
            </a>
        <% } else { %>
            <form action="login" method="POST">
--- a/apps/server/src/routes/login.ts
+++ b/apps/server/src/routes/login.ts
@ -19,6 +19,8 @@ function loginPage(req: Request, res: Response) {
        wrongTotp: false,
        totpEnabled: totp.isTotpEnabled(),
        ssoEnabled: openID.isOpenIDEnabled(),
+        ssoIssuerName: openID.getSSOIssuerName(),
+        ssoIssuerIcon: openID.getSSOIssuerIcon(),
        assetPath: assetPath,
        assetPathFragment: assetUrlFragment,
        appPath: appPath,
--- a/apps/server/src/services/config.ts
+++ b/apps/server/src/services/config.ts
@ -46,6 +46,9 @@ export interface TriliumConfig {
        oauthBaseUrl: string;
        oauthClientId: string;
        oauthClientSecret: string;
+        oauthIssuerBaseUrl: string;
+        oauthIssuerName: string;
+        oauthIssuerIcon: string;
    };
 }

@ -123,7 +126,16 @@ const config: TriliumConfig = {
            process.env.TRILIUM_OAUTH_CLIENT_ID || iniConfig?.MultiFactorAuthentication?.oauthClientId || "",

        oauthClientSecret:
-            process.env.TRILIUM_OAUTH_CLIENT_SECRET || iniConfig?.MultiFactorAuthentication?.oauthClientSecret || ""
+            process.env.TRILIUM_OAUTH_CLIENT_SECRET || iniConfig?.MultiFactorAuthentication?.oauthClientSecret || "",
+
+        oauthIssuerBaseUrl:
+            process.env.TRILIUM_OAUTH_ISSUER_BASE_URL || iniConfig?.MultiFactorAuthentication?.oauthIssuerBaseUrl || "https://accounts.google.com",
+
+        oauthIssuerName:
+            process.env.TRILIUM_OAUTH_ISSUER_NAME || iniConfig?.MultiFactorAuthentication?.oauthIssuerName || "Google",
+
+        oauthIssuerIcon:
+            process.env.TRILIUM_OAUTH_ISSUER_ICON || iniConfig?.MultiFactorAuthentication?.oauthIssuerIcon || ""
    }
 };

--- a/apps/server/src/services/open_id.ts
+++ b/apps/server/src/services/open_id.ts
@ -8,7 +8,7 @@ import config from "./config.js";


 function checkOpenIDConfig() {
-    let missingVars: string[] = []
+    const missingVars: string[] = []
    if (config.MultiFactorAuthentication.oauthBaseUrl === "") {
        missingVars.push("oauthBaseUrl");
    }
@ -89,6 +89,14 @@ function isTokenValid(req: Request, res: Response, next: NextFunction) {
    }
 }

+function getSSOIssuerName() {
+    return config.MultiFactorAuthentication.oauthIssuerName;
+}
+
+function getSSOIssuerIcon() {
+    return config.MultiFactorAuthentication.oauthIssuerIcon;
+}
+
 function generateOAuthConfig() {
    const authRoutes = {
        callback: "/callback",
@ -105,7 +113,7 @@ function generateOAuthConfig() {
        auth0Logout: false,
        baseURL: config.MultiFactorAuthentication.oauthBaseUrl,
        clientID: config.MultiFactorAuthentication.oauthClientId,
-        issuerBaseURL: "https://accounts.google.com",
+        issuerBaseURL: config.MultiFactorAuthentication.oauthIssuerBaseUrl,
        secret: config.MultiFactorAuthentication.oauthClientSecret,
        clientSecret: config.MultiFactorAuthentication.oauthClientSecret,
        authorizationParams: {
@ -147,6 +155,8 @@ function generateOAuthConfig() {
 export default {
    generateOAuthConfig,
    getOAuthStatus,
+    getSSOIssuerName,
+    getSSOIssuerIcon,
    isOpenIDEnabled,
    clearSavedUser,
    isTokenValid,