working sso

.env.sample

@@ -17,12 +17,12 @@ SANDBOX_DOMAIN=sandbox.cryptpad.example.com
 #EXTRA_DOMAINS=', `www.cryptpad.example.com`'
 LETS_ENCRYPT_ENV=production
 
-## SSO / OIDC (optional — requires SSO_ENABLED=true)
+## SSO / OIDC (optional — defaults to false)
-SSO_ENABLED=false
+#SSO_ENABLED=true
-SSO_ENFORCED=false
+#SSO_ENFORCED=false
-SSO_PROVIDER_NAME=Authentik
+#SSO_PROVIDER_NAME=Authentik
-SSO_OIDC_URL=https://authentik.example.com/application/o/cryptpad
+#SSO_OIDC_URL=https://authentik.example.com/application/o/cryptpad
-SSO_CLIENT_ID=cryptpad
+#SSO_CLIENT_ID=cryptpad
-SSO_CLIENT_SECRET=
+#SSO_CLIENT_SECRET=
-SSO_JWT_ALG=RS256
+#SSO_JWT_ALG=RS256
-SSO_PLUGIN_VERSION=0.4.0
+#SSO_PLUGIN_VERSION=0.4.0

abra.sh

@@ -1,5 +1,5 @@
 export CONFIG_VERSION=v2
 export CONFIG_JS_VERSION=v2
 export NGINX_CONF_VERSION=v1
-export SSO_ENTRYPOINT_VERSION=v2
+export SSO_ENTRYPOINT_VERSION=v4
-export SSO_JS_VERSION=v1
+export SSO_JS_VERSION=v2

sso.js.tmpl

@@ -4,12 +4,18 @@
 module.exports = {
     enabled: "{{ env "SSO_ENABLED" }}" === "true",
     enforced: "{{ env "SSO_ENFORCED" }}" === "true",
-    protocol: "oidc",
+    cpPassword: true,
-    providerName: "{{ env "SSO_PROVIDER_NAME" }}",
+    forceCpPassword: false,
-    oidcConfig: {
+    list: [
-        url: "{{ env "SSO_OIDC_URL" }}",
+        {
-        clientID: "{{ env "SSO_CLIENT_ID" }}",
+            name: "{{ env "SSO_PROVIDER_NAME" }}",
-        clientSecret: "{{ env "SSO_CLIENT_SECRET" }}",
+            type: "oidc",
-        algorithm: "{{ env "SSO_JWT_ALG" }}"
+            url: "{{ env "SSO_OIDC_URL" }}",
-    }
+            client_id: "{{ env "SSO_CLIENT_ID" }}",
+            client_secret: "{{ env "SSO_CLIENT_SECRET" }}",
+            id_token_alg: "{{ env "SSO_JWT_ALG" }}",
+            use_pkce: true,
+            use_nonce: true
+        }
+    ]
 };