feat: support OpenID Connect login

docs/using-jellyseerr/settings/users.md → docs/using-jellyseerr/settings/users/index.md

@@ -22,6 +22,14 @@ When disabled, users will only be able to sign in using their email address. Use
 
 This setting is **enabled** by default.
 
+## Enable OpenID Connect Sign-In
+
+When enabled, users will be able to sign in to Jellyseerr using their OpenID Connect credentials, provided they have linked their OpenID Connect accounts. Once enabled, the [OpenID Connect settings](./oidc.md) can be accessed using the settings cog to the right of this option, and OpenID Connect providers can be configured.
+
+When disabled, users will only be able to sign in using their Jellyseerr username or email address. Users without a password set will not be able to sign in to Jellyseerr.
+
+This setting is **disabled** by default.
+
 ## Enable New Jellyfin/Emby/Plex Sign-In
 
 When enabled, users with access to your media server will be able to sign in to Jellyseerr even if they have not yet been imported. Users will be automatically assigned the permissions configured in the [Default Permissions](#default-permissions) setting upon first sign-in.

docs/using-jellyseerr/settings/users/oidc.md

@@ -0,0 +1,82 @@
+---
+title: OpenID Connect
+description: Configure OpenID Connect settings.
+sidebar_position: 2.5
+---
+
+# OpenID Connect
+
+Jellyseerr supports OpenID Connect (OIDC) for authentication and authorization. To begin setting up OpenID Connect, follow these steps:
+
+1. First, enable OpenID Connect [on the User settings page](./index.md#enable-openid-connect-sign-in).
+2. Once enabled, access OpenID Connect settings using the cog icon to the right.
+3. Add a new provider by clicking the "Add Provider" button.
+4. Configure the provider with the options described below.
+5. Link your OpenID Connect account to your Jellyseerr account using the "Link Account" button on the Linked Accounts page in your user's settings.
+6. Finally, you should be able to log in using your OpenID Connect account.
+
+## Configuration Options
+
+### Provider Name
+
+Name of the provider which appears on the login screen.
+
+Configuring this setting will automatically determine the [provider slug](#provider-slug), unless it is manually specified.
+
+### Logo
+
+The logo to display for the provider. Should be a URL or base64 encoded image.
+
+:::tip
+
+The search icon at the right of the logo field opens the [selfh.st/icons](https://selfh.st/icons) database. These icons include popular self-hosted OpenID Connect providers.
+
+:::
+
+### Issuer URL
+The base URL of the identity provider's OpenID Connect endpoint
+
+### Client ID
+
+The Client ID assigned to Jellyseerr
+
+### Client Secret
+
+The Client Secret assigned to Jellyseerr
+
+### Provider Slug
+
+Unique identifier for the provider
+
+### Scopes
+
+Space-separated list of scopes to request from the provider
+
+### Required Claims
+
+Space-separated list of boolean claims that are required to log in
+
+### Allow New Users
+
+Create accounts for new users logging in with this provider
+
+## Provider Guides
+
+### Keycloak
+
+To set up Keycloak, follow these steps:
+
+1. First, create a new client in Keycloak.
+  ![Keycloak Step 1](./assets/oidc_keycloak_1.png)
+
+1. Set the client ID to `jellyseerr`, and set the name to "Jellyseerr" (or whatever you prefer).
+  ![Keycloak Step 2](./assets/oidc_keycloak_2.png)
+
+1. Next, be sure to enable "Client authentication" in the capabilities section. The remaining defaults should be fine. 
+  ![Keycloak Step 3](./assets/oidc_keycloak_3.png)
+
+1. Finally, set the root url to your Jellyseerr instance's URL, and add the login page as a valid redirect URL.
+  ![Keycloak Step 4](./assets/oidc_keycloak_4.png)
+
+1. With all that set up, you should be able to configure Jellyseerr to use Keycloak for authentication. Be sure to copy the client secret from the credentials page, as shown above. The issuer URL can be obtained from the "Realm Settings" page, by copying the link titled "OpenID Endpoint Configuration".
+  ![Keycloak Step 5](./assets/oidc_keycloak_5.png)

jellyseerr-api.yml

@@ -254,6 +254,41 @@ components:
         enableSpecialEpisodes:
           type: boolean
           example: false
+    OidcProvider:
+      type: object
+      properties:
+        slug:
+          type: string
+          readOnly: true
+        name:
+          type: string
+        issuerUrl:
+          type: string
+        clientId:
+          type: string
+        clientSecret:
+          type: string
+        logo:
+          type: string
+        requiredClaims:
+          type: string
+        scopes:
+          type: string
+        newUserLogin:
+          type: boolean
+      required:
+        - slug
+        - name
+        - issuerUrl
+        - clientId
+        - clientSecret
+    OidcSettings:
+      type: object
+      properties:
+        providers:
+          type: array
+          items:
+            $ref: '#/components/schemas/OidcProvider'
     NetworkSettings:
       type: object
       properties:
@@ -2212,6 +2247,64 @@ paths:
             application/json:
               schema:
                 $ref: '#/components/schemas/MainSettings'
+  /settings/oidc:
+    get:
+      summary: Get OpenID Connect settings
+      description: Retrieves all OpenID Connect settings in a JSON object.
+      tags:
+        - settings
+      responses:
+        '200':
+          description: OK
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/OidcSettings'
+  /settings/oidc/{provider}:
+    put:
+      summary: Update OpenID Connect provider
+      description: Updates an existing OpenID Connect provider with the provided values.
+      tags:
+        - settings
+      parameters:
+        - in: path
+          name: provider
+          required: true
+          schema:
+            type: string
+          description: Provider slug
+      requestBody:
+        required: true
+        content:
+          application/json:
+            schema:
+              $ref: '#/components/schemas/OidcProvider'
+      responses:
+        '200':
+          description: 'Radarr instance updated'
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RadarrSettings'
+    delete:
+      summary: Delete OpenID Connect provider
+      description: Deletes an existing OpenID Connect provider based on the provider slug parameter.
+      tags:
+        - settings
+      parameters:
+        - in: path
+          name: provider
+          required: true
+          schema:
+            type: string
+          description: Provider slug
+      responses:
+        '200':
+          description: 'OpenID Connect provider deleted'
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/OidcSettings'
   /settings/network:
     get:
       summary: Get network settings
@@ -4005,6 +4098,81 @@ paths:
               required:
                 - email
                 - password
+  /auth/oidc/login/{slug}:
+    get:
+      security: []
+      summary: Redirect to the OpenID Connect provider
+      description: Constructs the redirect URL to the OpenID Connect provider, and redirects the user to it.
+      tags:
+        - auth
+      parameters:
+        - in: path
+          name: slug
+          required: true
+          schema:
+            type: string
+            example: 'authentik'
+      responses:
+        '200':
+          description: Authentication redirect url for the OpenID Connect provider
+          headers:
+            Set-Cookie:
+              schema:
+                type: string
+                example: 'oidc-state=123456789; HttpOnly; max-age=60000; Secure'
+          content:
+            application/json:
+              schema:
+                type: object
+                properties:
+                  redirectUrl:
+                    type: string
+                    example: https://example.com/auth/oidc/callback?response_type=code&client_id=client_id&redirect_uri=https%3A%2F%2Fexample.com%2Fauth%2Foidc%2Fcallback&scope=openid%20email&state=state
+  /auth/oidc/callback/{slug}:
+    get:
+      security: []
+      summary: The callback endpoint for the OpenID Connect provider redirect
+      description: Takes the `code` and `state` parameters from the OpenID Connect provider, and exchanges them for a token.
+      x-allow-unknown-query-parameters: true
+      tags:
+        - auth
+      parameters:
+        - in: path
+          name: slug
+          required: true
+          schema:
+            type: string
+            example: 'authentik'
+        - in: query
+          name: code
+          required: true
+          schema:
+            type: string
+            example: '123456789'
+        - in: query
+          name: state
+          required: true
+          schema:
+            type: string
+            example: '123456789'
+        - in: cookie
+          name: oidc-state
+          required: true
+          schema:
+            type: string
+            example: '123456789'
+      responses:
+        '302':
+          description: A redirect to the home page if successful or back to the login page if not
+          headers:
+            Location:
+              schema:
+                type: string
+                example: /
+            Set-Cookie:
+              schema:
+                type: string
+                example: 'oidc-state=deleted; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT'
   /auth/logout:
     post:
       summary: Sign out and clear session cookie
@@ -4808,6 +4976,23 @@ paths:
       responses:
         '204':
           description: User password updated
+  /user/{userId}/settings/linked-accounts:
+    get:
+      summary: Lists the user's linked OpenID Connect accounts
+      description: Lists the user's linked OpenID Connect accounts
+      tags:
+        - users
+      parameters:
+        - in: path
+          name: userId
+          required: true
+          schema:
+            type: number
+      responses:
+        '200':
+          description: List of linked accounts
+        '403':
+          description: Invalid credentials
   /user/{userId}/settings/linked-accounts/plex:
     post:
       summary: Link the provided Plex account to the current user
@@ -4906,6 +5091,28 @@ paths:
           description: Unlink request invalid
         '404':
           description: User does not exist
+  /user/{userId}/settings/linked-accounts/{acctId}:
+    delete:
+      summary: Remove a linked account for a user
+      description: Removes the linked account with the given ID for a specific user. Requires `MANAGE_USERS` permission if editing other users.
+      tags:
+        - users
+      parameters:
+        - in: path
+          name: userId
+          required: true
+          schema:
+            type: number
+        - in: path
+          name: acctId
+          required: true
+          schema:
+            type: number
+      responses:
+        '204':
+          description: Unlinking account succeeded
+        '404':
+          description: User or linked account does not exist
   /user/{userId}/settings/notifications:
     get:
       summary: Get notification settings for a user

package.json

@@ -68,6 +68,7 @@
     "gravatar-url": "3.1.0",
     "http-proxy-agent": "^7.0.2",
     "https-proxy-agent": "^7.0.6",
+    "jwt-decode": "^4.0.0",
     "lodash": "4.17.21",
     "mime": "3",
     "next": "^14.2.25",