QT/sure
1
0
Fork 0
mirror of https://github.com/we-promise/sure.git synced 2026-04-07 14:31:25 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
c4824bf34dd2e5f9f7cd2ef22b857644c19b4121
sure/config/auth.yml
tlink 9a9ebb147b Add localization for onboarding goals across multiple languages (#873) 
* Add localization for onboarding goals across multiple languages

* Add password requirements localization for multiple languages

* Refactor localization keys for authentication messages

* Add `oidc` localization key for multiple languages

* Add OIDC account localization for multiple languages

* Add localization for trial and profile setup across multiple languages

* Refactor OIDC button label fallback to prioritize label presence over localization key

* Refactor onboarding tests to use I18n for text assertions and button labels

* Linter

* Last test fix?!?

* We keep both `oidc` and `openid_connect` due to contatenation issues

---------

Co-authored-by: Juan José Mata <juanjo.mata@gmail.com>
2026-02-03 14:49:21 +01:00

70 lines
3.0 KiB
YAML
Raw Blame History

default: &default
local_login:
# When false, local email/password login is disabled for all users unless
# AUTH_LOCAL_ADMIN_OVERRIDE_ENABLED is true and the user is a super admin.
enabled: <%= ENV.fetch("AUTH_LOCAL_LOGIN_ENABLED", "true") == "true" %>
# When true and local_login.enabled is false, allow super admins to use
# local login as an emergency override. Regular users remain SSO-only.
admin_override_enabled: <%= ENV.fetch("AUTH_LOCAL_ADMIN_OVERRIDE_ENABLED", "false") == "true" %>
jit:
# Controls behavior when a user signs in via SSO and no OIDC identity exists.
# - "create_and_link" (default): create a new user + family when no match exists
# - "link_only": require an existing user; block JIT creation
mode: <%= ENV.fetch("AUTH_JIT_MODE", "create_and_link") %>
# Optional comma-separated list of domains (e.g. "example.com,corp.com").
# When non-empty, JIT SSO account creation is only allowed for these domains.
# When empty, all domains are allowed (current behavior).
allowed_oidc_domains: <%= ENV.fetch("ALLOWED_OIDC_DOMAINS", "") %>
providers:
# Generic OpenID Connect provider (e.g., Keycloak, Authentik, other OIDC issuers).
# This maps to the existing :openid_connect OmniAuth strategy and keeps
# backwards-compatible behavior for self-hosted setups using OIDC_* env vars.
#
# For the default OIDC provider, use these ENV vars:
# OIDC_ISSUER, OIDC_CLIENT_ID, OIDC_CLIENT_SECRET, OIDC_REDIRECT_URI
#
# To add additional OIDC providers, add more entries with unique names and use
# provider-specific ENV vars with the pattern: OIDC_<UPPERCASE_NAME>_*
# Example for a provider named "keycloak":
# OIDC_KEYCLOAK_ISSUER, OIDC_KEYCLOAK_CLIENT_ID,
# OIDC_KEYCLOAK_CLIENT_SECRET, OIDC_KEYCLOAK_REDIRECT_URI
- id: "oidc"
strategy: "openid_connect"
name: "openid_connect"
label: <%= ENV.fetch("OIDC_BUTTON_LABEL", "") %>
icon: <%= ENV.fetch("OIDC_BUTTON_ICON", "key") %>
# Per-provider credentials (optional, falls back to global OIDC_* vars)
issuer: <%= ENV["OIDC_ISSUER"] %>
client_id: <%= ENV["OIDC_CLIENT_ID"] %>
client_secret: <%= ENV["OIDC_CLIENT_SECRET"] %>
redirect_uri: <%= ENV["OIDC_REDIRECT_URI"] %>
# Optional Google OAuth provider. Requires the omniauth-google-oauth2 gem
# and GOOGLE_OAUTH_CLIENT_ID / GOOGLE_OAUTH_CLIENT_SECRET env vars.
- id: "google"
strategy: "google_oauth2"
name: "google_oauth2"
label: <%= ENV.fetch("GOOGLE_BUTTON_LABEL", "Sign in with Google") %>
icon: <%= ENV.fetch("GOOGLE_BUTTON_ICON", "google") %>
# Optional GitHub OAuth provider. Requires the omniauth-github gem and
# GITHUB_CLIENT_ID / GITHUB_CLIENT_SECRET env vars.
- id: "github"
strategy: "github"
name: "github"
label: <%= ENV.fetch("GITHUB_BUTTON_LABEL", "Sign in with GitHub") %>
icon: <%= ENV.fetch("GITHUB_BUTTON_ICON", "github") %>
development:
<<: *default
test:
<<: *default
production:
<<: *default
Reference in New Issue View Git Blame Copy Permalink