Commit 3d90ab1

OIDC: Update internal/auth/oidc/README.md photoprism#5334
Signed-off-by: Michael Mayer <[email protected]>
1 parent cc94683 commit 3d90ab1

1 file changed

+9
-9
lines changed

internal/auth/oidc/README.md

Lines changed: 9 additions & 9 deletions
@@ -44,12 +44,6 @@
4444
- `internal/config` provides OIDC options/flags (issuer, client ID/secret, scopes, insecure).
4545
- `internal/event` supplies the logger used for audit and error reporting.
4646

47-
### Operational Tips
48-
49-
- Always call `RedirectURL(siteUrl)` to build callbacks that respect reverse proxies and base URIs.
50-
- Reuse `HttpClient(insecure)` so timeouts and TLS settings stay consistent.
51-
- When adding claims processing, keep parsing isolated (e.g., new helper) and ensure failures do not block sign‑in unless required.
52-
5347
### Configuration & Safety
5448

5549
- Enforce `https` for issuers unless `insecure` is explicitly set (intended for dev/test).
@@ -67,15 +61,21 @@
6761
- [ ] Add integration doc/tests for Entra app registration requirements (`groupMembershipClaims=SecurityGroup|All|ApplicationGroup`) and token size limits (~200 groups).
6862
- [ ] Update Pro parity notes so LDAP and OIDC group mappings share helpers and behavior.
6963

70-
#### Related Resources & Specs
64+
> **Note:** Entra ID security groups are only supported in PhotoPrism® Pro.
65+
66+
### Documentation & References
7167

7268
- Microsoft Entra group claims: https://learn.microsoft.com/en-us/entra/identity-platform/access-token-claims-reference#groups-claim
7369
- Group overage handling: https://learn.microsoft.com/en-us/entra/identity-platform/howto-add-app-roles-in-azure-ad-apps#group-overage-and-_claim_names
7470
- Token customization guidance: https://learn.microsoft.com/en-us/entra/architecture/customize-tokens
7571

76-
> **Note:** Entra ID security groups are only supported in PhotoPrism® Pro.
72+
### Operational Tips
73+
74+
- Always call `RedirectURL(siteUrl)` to build callbacks that respect reverse proxies and base URIs.
75+
- Reuse `HttpClient(insecure)` so timeouts and TLS settings stay consistent.
76+
- When adding claims processing, keep parsing isolated (e.g., new helper) and ensure failures do not block sign‑in unless required.
7777

78-
### Testing
78+
### Test Guidelines
7979

8080
- Unit tests: `go test ./internal/auth/oidc -count=1`
8181
- Tests cover discovery failures, PKCE detection, redirect URL construction, username extraction, and code‑exchange error handling.
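Review bot: The relocated "Operational Tips" bullet `ensure failures do not block sign‑in unless required` carries a non-ASCII (non-breaking) hyphen in `sign‑in`, as does `code‑exchange` in the unchanged Test Guidelines context line; a plain-text search for "sign-in" will miss it, so replace both with an ASCII hyphen while the block is being moved. Separately, the `HttpClient(insecure)` tip now sits after "Documentation & References", several sections away from the "Configuration & Safety" rule that `insecure` is intended for dev/test only; appending a short pointer such as "(`insecure` is dev/test only, see Configuration & Safety)" to that bullet keeps the two statements from drifting apart.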
