|
| 1 | +--- |
| 2 | +title: OpenID Connect |
| 3 | +description: '' |
| 4 | +category: Features |
| 5 | +--- |
| 6 | + |
| 7 | +Postal supports OpenID Connect (OIDC) allowing you to delegate authentication to an external service. When enabled, there are various changes: |
| 8 | + |
| 9 | +* You are not required to enter a password when you add new users. |
| 10 | +* When a user first logs in with OIDC, they will be matched to a local user based on their e-mail address. |
| 11 | +* On subsequent logins, the user will be matched based on their unique identifier provided by the OIDC issuer. |
| 12 | +* Users without local passwords cannot reset their password through Postal. |
| 13 | +* Users cannot change their local password when associated with an OIDC identity. |
| 14 | +* Existing users that currently have a password will continue to be able to use that password until it is linked with an OIDC identity. |
| 15 | + |
| 16 | + |
| 17 | + |
| 18 | +## Configuration |
| 19 | + |
| 20 | +To get started, you'll need to find an OpenID Connect enabled provider. You should create your application within the provider in order to obtain a identifier (client ID) and a secret (client secret). |
| 21 | + |
| 22 | +You may be prompted to provide a "redirect URI" during this process. You should enter `https://postal.yourdomain.com/auth/oidc/callback`. |
| 23 | + |
| 24 | +Finally, you'll need to place your configuration in the Postal config file as normal. |
| 25 | + |
| 26 | +```yaml |
| 27 | +oidc: |
| 28 | + # Start by enabling OIDC for your installation. |
| 29 | + enabled: true |
| 30 | + |
| 31 | + # The name of the OIDC provider as shown in the UI. For example: |
| 32 | + # "Login with My Proivder". |
| 33 | + name: My Provider |
| 34 | + |
| 35 | + # The OIDC issuer URL provided to you by your Identity provider. |
| 36 | + # The provider must support OIDC Discovery by hosting their configuration |
| 37 | + # at https://identity.example.com/.well-known/openid-configuration. |
| 38 | + issuer: https://identity.example.com |
| 39 | + |
| 40 | + # The client ID for OIDC |
| 41 | + identifier: abc1234567890 |
| 42 | + |
| 43 | + # The client secret for OIDC |
| 44 | + secret: zyx0987654321 |
| 45 | + |
| 46 | + # Scopes to request from the OIDC server. You'll need to find these from your provider. |
| 47 | + # You should ensure you request enough scopes to ensure the user's email address is |
| 48 | + # returned from the provider. |
| 49 | + scopes: |
| 50 | + - openid |
| 51 | + - email |
| 52 | +``` |
| 53 | +
|
| 54 | +If your Identity Provider does not support OpenID Connect discovery (which is enabled by default, you can manually configure it.) For full details of the options available see the [example config file](https://github.com/postalserver/postal/blob/main/doc/config/yaml.yml). |
| 55 | +
|
| 56 | +By default, Postal will look for an email address in the `email` field and a name in the `name` field. These can be overriden using configuration if these values can be found elsewhere. |
| 57 | + |
| 58 | +## Logging in |
| 59 | + |
| 60 | +Once enabled, you can log in by pressing the **Login with xxx** button on the login page. This will direct you to your chosen identity provider. Once authorised, you will be directed back to the application. If a user exists matching the e-mail address returned by the OpenID provider, it will be linked and you will be logged in. If not, an error will be displayed. |
| 61 | + |
| 62 | +## Debugging |
| 63 | + |
| 64 | +Details about the user matching process will be displayed in the web server logs when the callback from the Identity provider happens. |
| 65 | + |
| 66 | +## Disabling local authentication |
| 67 | + |
| 68 | +Once you have established your OpenID Connect set up, you can fully disable local authentication. This will change the login page as well as user management options. |
| 69 | + |
| 70 | +```yaml |
| 71 | +oidc: |
| 72 | + # ... |
| 73 | + local_authentication_enabled: false |
| 74 | +``` |
| 75 | + |
| 76 | +## Using Google as an identity provider |
| 77 | + |
| 78 | +Setting up Postal to authenticate with Google is fairly straight forward. You'll need to use the Google Cloud console to generate a client ID and secret ([see docs](https://developers.google.com/identity/openid-connect/openid-connect)). When prompted for a redirect URI, you should be `https://postal.yourdomain.com/auth/oidc/callback`. The following configuration can be used to enable this: |
| 79 | + |
| 80 | +```yaml |
| 81 | +oidc: |
| 82 | + enabled: true |
| 83 | + name: Google |
| 84 | + issuer: https://accounts.google.com |
| 85 | + identifier: # your client ID from Google |
| 86 | + secret: # your client secret from Google |
| 87 | + scopes: [openid, email] |
| 88 | +``` |
0 commit comments