feat(auth): add custom user properties for audiobookshelf

Add custom user schema in LLDAP which maps to a custom attribute in
Authelia which we then again map to a custom claim which we include in a
custom scope which audiobookshelf requests

Signed-off-by: Vegard Hagen <[email protected]>

Author: vehagn

k8s/infra/auth/authelia/values.yaml

@@ -7,10 +7,15 @@ image:
 
 pod:
   kind: Deployment
+  env:
+    - name: TZ
+      value: Europe/Oslo
 
 configMap:
   default_2fa_method: totp
   theme: dark
+  log:
+    level: info
 
   identity_validation:
     reset_password:
@@ -25,8 +30,7 @@ configMap:
   session:
     encryption_key: { secret_name: crypto }
     cookies:
-      - subdomain: authelia
-        domain: stonegarden.dev
+      - domain: stonegarden.dev
 
   storage:
     encryption_key: { secret_name: crypto }
@@ -59,6 +63,11 @@ configMap:
       additional_groups_dn: ou=groups
       user: UID=authelia,OU=people,DC=stonegarden,DC=dev
       password: { secret_name: lldap-auth }
+      attributes:
+        extra:
+          audiobookshelf_groups:
+            multi_valued: true
+            value_type: string
 
   identity_providers:
     oidc:
@@ -80,11 +89,17 @@ configMap:
         allowed_origins_from_client_redirect_uris: true
         endpoints: [ userinfo, authorization, token, revocation, introspection ]
       claims_policies:
+        audiobookshelf:
+          custom_claims:
+            audiobookshelf: { attribute: audiobookshelf_groups }
         # https://www.authelia.com/integration/openid-connect/openid-connect-1.0-claims/#restore-functionality-prior-to-claims-parameter
         default:
-          id_token: [ groups, email, email_verified, alt_emails, preferred_username, name ]
+          id_token: [ email, email_verified, alt_emails, name, preferred_username, groups ]
         username_email:
-          id_token: [ email, email_verified, alt_emails, preferred_username, name ]
+          id_token: [ email, email_verified, alt_emails, name, preferred_username ]
+      scopes:
+        audiobookshelf:
+          claims: [ audiobookshelf ]
       clients:
         - client_id: argocd
           client_secret: { path: /secrets/client-argocd/client_secret.txt }
@@ -95,7 +110,7 @@ configMap:
           redirect_uris:
             - https://argocd.stonegarden.dev/auth/callback
             - https://argocd.stonegarden.dev/applications
-          scopes: [ openid, groups, email, profile, offline_access ]
+          scopes: [ openid, email, profile, offline_access, groups ]
           userinfo_signed_response_alg: none
           id_token_signed_response_alg: ES256
           access_token_signed_response_alg: ES256
@@ -106,7 +121,7 @@ configMap:
           authorization_policy: two_factor
           pre_configured_consent_duration: 1 month
           redirect_uris: [ http://localhost:8085/auth/callback ]
-          scopes: [ openid, groups, email, profile, offline_access ]
+          scopes: [ openid, email, profile, offline_access, groups ]
           id_token_signed_response_alg: ES256
           access_token_signed_response_alg: ES256
           revocation_endpoint_auth_method: none
@@ -117,14 +132,15 @@ configMap:
           client_secret: { path: /secrets/client-audiobookshelf/client_secret.txt }
           client_name: Audiobookshelf
           public: false
-          authorization_policy: two_factor
+          authorization_policy: one_factor
+          claims_policy: audiobookshelf
           pre_configured_consent_duration: 1 month
           require_pkce: true
           redirect_uris:
             - https://abs.stonegarden.dev/audiobookshelf/auth/openid/callback
             - https://abs.stonegarden.dev/audiobookshelf/auth/openid/mobile-redirect
             - audiobookshelf://oauth
-          scopes: [ openid, groups, email, profile, offline_access ]
+          scopes: [ openid, email, profile, offline_access, audiobookshelf ]
           id_token_signed_response_alg: ES256
           access_token_signed_response_alg: ES256
 
@@ -136,7 +152,7 @@ configMap:
           pre_configured_consent_duration: 1 month
           require_pkce: true
           redirect_uris: [ http://localhost:8000, http://localhost:18000 ]
-          scopes: [ openid, groups, email, profile, offline_access ]
+          scopes: [ openid, email, profile, offline_access, groups ]
           revocation_endpoint_auth_method: none
           introspection_endpoint_auth_method: none
           pushed_authorization_request_endpoint_auth_method: none

k8s/infra/auth/lldap/bootstrap.yaml

@@ -44,6 +44,9 @@ spec:
             - name: groups
               mountPath: /bootstrap/group-configs
               readOnly: true
+            - name: user-schemas
+              mountPath: /bootstrap/user-schemas
+              readOnly: true
             - name: users
               mountPath: /bootstrap/user-configs
               readOnly: true
@@ -58,6 +61,14 @@ spec:
                   items:
                     - key: groups.json
                       path: groups.json
+        - name: user-schemas
+          projected:
+            sources:
+              - secret:
+                  name: lldap-config
+                  items:
+                    - key: user-schemas.json
+                      path: user-schemas.json
         - name: users
           projected:
             sources:

k8s/infra/auth/lldap/kustomization.yaml

@@ -15,6 +15,7 @@ configMapGenerator:
       - LLDAP_LDAPS_OPTIONS__ENABLED="true"
       - LLDAP_LDAPS_OPTIONS__CERT_FILE="/cert/tls.crt"
       - LLDAP_LDAPS_OPTIONS__KEY_FILE="/cert/tls.key"
+      - RUST_LOG=warn
   - name: bootstrap-env
     namespace: lldap
     literals:

k8s/infra/auth/lldap/lldap-config.yaml

@@ -5,8 +5,9 @@ metadata:
   namespace: lldap
 spec:
   encryptedData:
-    groups.json: AgDUmewa9DDYcF9FZbXrIS9eG/LuadHhAXrFuI6TE/ZwZxaIRo9STLGCy8m9DATOk4x0EJJur4FS8HFHCooEGM5IiSLuFWRyzGkpCW2Ef9VrmMdINDn9vQVOM2SohlQa6JiQtuU2LBWq+bKV8vCGxf/xCX2YywhYVYjAmKBzMYfELtBwODxQMJmAohNNOFlgToj7tVq3m37jlT9Yf2KvhDHnBf27/jJNWN/Ow0AWBboE06Z0aogBVQxO1o1b1lzTmvNzPaEt/ohgefJu8s8uosSQFGCzgkFcdaIb8tTv6RpHzC4BnXxBZ+kwGSwkz3ZNuAJPjGumfhPdaewgi5hwQsHFxyXwkFELllsHSosQwE16aGc6GM1ZtWEhSxfGST9uXheyz3uutKzGcMluZZld2Df+OSuYDpZ7ciuJw9XsrxcwehlI4REQRBIW1P2/AwNb7PohmG5Ip0/s7oURBYjI2km3lmcraT2Ezuve0eEgfbk8Mi9oJP2LQANUplQR5x/weX26j2aFKfp5MotwKzYj5pLVhRWnAFZIv2eIAgSDyG/6vP8AGkDOFRCLFCUOsl55+pNT+pGDFb9Wl23AQXc0i5aUpzk1tO7XDkLc/Y3XZG5oZRaGEgxXVJ4ivs4Kls1klf7Niu49xpaz30YZmd1VI9VCYM2KzOitPa1QJ/qv5PtuaqDbh5D2osIOkt3sNi+NLt0DoZObwOOngQNw16OQqb4ZC7GCEcwOPn0xBNxD/OlG+08TVWDdLt/oXiYaUYJvXwilXA3ebilTggagQeGlZkUWxYoun88VozbGVgmjm3y0p7kk6tAE5OfwCCPCHcG4xvw=
-    users.json: AgBMEMM2F22mBcj/Nc8CjRuyG61BOE2UMK0BaxYt4ExXEsvfPYlok2S3hVrNtBGxO2qI4XVmGqsJdis/4Vk7vOTht/zj3WFmyuMAvseTNaWJxkaRX4DR1A3Esy14zzwr63UXThC5wAkUDCAsr9l+/PirCNPZH5ecPAtF69MwI+yettENu1kzBZx7QnLgPcoNcVfAExoj92LZWgots0l+wQJTXeICS+jIRh6bkLsIAin5D1K+/VBe2q+5ODMfcoaa9TnBqzceiMIpEi0FxWAqH6B3qs2hz1xdvzmlmvvq3crYGZEpLnHGN+mhaJiA7rpwkIsHSU77bE7endp/gSCaGqhm4PJiNa9/FKk24kvfdp7zIoco/fmT/kgJajZ9mKPeZKYmjycDikB5rIzo7x+90v8ZG0Y1QAb2PmWdA4EUxD3wD8hm2cmR4Z/nJo9P3438A2kMHxC88Cdu7C/HpUxoBeq3njMYcWEFzQNSbqD4OUtBzY4KqmK5frf78w77hUJFs77uJ4SzbfwqZgH+c4h7BOPmGQjAWOdzazWyNR4NcfAqBTrNL/CMisl/vdXVlqvStkUJMBK95lMj4QW7li5E6W5T/DvqYbaRe8hjDf8qyj5aFvZHTx31uta/GdFRF/qWcv8uhbkF6mz/rlt9nQR9HL6ewZhhmvHtN1E+RGywkV5q5EJ9Xpk5Dl6euq1wG3fdmiK9gGL8Xjw/SvA7ePIP1c9LmcopY8UR8LZkmtnyiYVnGHYnSockr0Zgq/lxgNRJd+8lRx2yk8493IWAW9HuvQ/Fz7fnslgQ8vRtn6WG1o+a0yJNCk6NSxsO5eGFGJkO7MtR7T28snf50BkUXpvnop5Vx+Dg2paz6esRR8sRhmanPnZSCK6bsoqguWeL2txwtXoobfwUkufLMTX8+xA+mtvAsKd7VU+gmrEi7Bq42GKNn3ycwHs/2iQjZxBDwwDo2/U2p/i6EcClcQ0OmkyKwQu7vPMZEAQDn/b7uPpxifEQALaXAAK1SCb89Y7C6Yx2B39fAgi/2SPhEy5UVSNvK6aKB99IaHAomLZhpXihEoInFyS1ZQGctD9ParfsPxSDcPB2DfC6bVQDOTPxhctlaNmMfGczapOCIfhM9dtiX7biku2e1+nLnQ8ucHrUa9BqSSf8cQfDKiEnV0jGnl6B9fTDmVTqpfMN77Bu5V0O5fyUvrQgmbgI8SXkBMYAYl9HmXBWNtxIEheSKivOLnOJ+MOKK39lCKOELj96RpiJcbMskBlQ2ZZwj5D7UuyuJ9/YRtZ2tl+XTAmpfJ3kZCqqSgAudMFjLTdGawihPYi/6G9d02b+zaoQFaWZmGr7VvqhQn4iF3rLO/deCG9kLVhtXK5c1HielVktKz29vlUVHHikEFQaylvjjMXyHan1B1PCb/dUjgWxFJWaikOqlrkN1ceNV96fkM7dsxtlrcLF0VJIISfRqoWR7knuH309Yo5t59CeySSy1chYc6bmGCiqIr7JBIRik+araFKRLp7kAE41k1Wcqz5ZlpafdT1FW5mWN3O4rq+L2MMawgc2Qkx8efEFGa9ykK20vu5oCVb8P5FPRuRTDCRxgLvXwTsQq6ZKzRJyYxhmV4Vi9gBfIqSu/tVZVAYApZbfAsMXgRu0DPVSB+KcioKyM+IzSlWIdocRr4YULRTtsNgba7QgBGqKkU3ydzf1jlC3Q07U52iNyTNwomqhPjWUHKnO6WL5sHrv232fkq6FUuQz/TOOl2ydZN9D997Nzep9js5iEtCJ3+4e3QKs
+    groups.json: AgBusPp+JogVCThv5sFjSlTLt3j4+tOW8R50dVDUjniEGw2jVECXGgLLBcOdGOb1MPdGT968xANnoGVfAJN+TREpum//8R9IjN5uwpdEgPQOm9vOlbZd1AW9S9N1sFgVJgtJTbGZfJF7EFiQKNoVOG6FyRreTQe5PeKaCE6yWYx9j18WBqDpoJotW3Axz/Hd7TzcpnCwdbb2doeay5neAWZxCXXhTQQB6eBfWBhO+cB4IayVNO5bjjT3Nr0vd4OIO9IUE8JuY673sBrJKdlGBYORydUMDPuymu1dMZGMMw231fZZpf6vfSGEoIn97MCY6cFoLrvQ0BaPD4RKZTQ+Zw1zOxJh1ZqLB5/8+EwmxT9HLyQVE4rUDg1YSrElgySLHugOLsJOjwGOjGtWqrDxXsQAm4gg8L+UClR8zKzf3h+mb5mjdHs7vRPCBWU5ULohSOmy8XRjcqjhxPNyD3B/sR7cqDuM/kkGeETH+s3iH/6deB9pdpucsGPPpN8XrPapFuUQxyewH+gZ9TQxMVTpGBM1G+KUjpfGRDkKVjDwkB55Rss/PNgu8eN5Ap/HREVHz2G/RCC0CcJrNmY58U7Xj367vjYckPIY5LsWcYXv9pIBvibv+ER9IR9woO96Llb5dLgFoDpRLbYGq3FN47eczaLs0zAToCUm25IAi0NaosDNyhlNygsYkmy12KalNVJWNCNq2t2D094QNSPM/WJbElEQkG8xfNBLDFH6hrf3EpBBqBZMrK//GMd/jKlkPy/IXHi2BT11N6bpOTQpSR94yLE2oy/OnYs5ALWB+T4OWsaKXr6NGdTYdV/q6EDtj0VSVg==
+    user-schemas.json: AgBPy3B8gv5u7U50GJ/rQDpXHtO0PuNmNnCq94Hv77kbEKQzk0s0awq/IpC+i/VSNqMtkh0CLMtaoiqtxGWQa7IOYb4FpXtxcrJ8Iw7OBiQqAL9cAdUXZ6eWvrj9EZLwdL0p6H/jpG7XZt8b7xhz90Z9hEM5P54gnyMmR22gS5roAA2mpBJNu68jdAki4xHUdatdMcOAPB4zPJI+KVDAvOCVlBI900v3ZDDIViUKy6FVVp22DD/OBu9IxNz8FBdEZiQgfqr+0kwLrFJzV3fSaa5o0w73ADZrCoOiNbOLRzLEjhAq7yYz6E1rvFlaEAr+4QBylSelPW6nrgGYRHLiGTaT4Fhj2C6isA0xDB1f7HckhQUWPGjdSx2a1Fbg0hqZAeVMxYNxJuYbcMgipjcDCSAjSF9BCF6OMiO5AJxuh7/eVbPcTFu1DT1s1P0yIMpLk7oHKJnJpf9IZFMp6TKmpQLLcfDE4msRjDdZN16lHHcEgrUdeeG3fh9fqDAIr9eC0vNTvbOXEjXppO/vp6Dg+wbqdIgoZLBCpCTne3e8ouAgvkp6baoVThgRAccL/r96CvG1aFgSScLpkcllNuD3CqMQiVePCzIxykUDNPyBdKosgLMNAewQ9joSU6iyHanUPH/37vGSPbSymEzC5zGgjYPf6Sv/jIdFqFQ1IXoQPLZNJU/ubu7a7BipuPGMD7+8uRmYjKAj5BmiNO/NO4KdpIAsDUT89T2b5SKocO8YllGxBfQ2nzVvsXjA5DqxrT1f8bfiVfHuiPCTGJMig+VeRfVge+EDvMityUDmYlmJc4dDz8nJpqMt792UgfLMPAv6kd2MKAGUbLiruhe7rt+pN6toIjl2nexLAw+uHduvtUOI9r17XWmoEefj8eiOCIS1TwPRQA==
+    users.json: AgBtgt8GwrFZqfXnFRHFrOJKxKqfeQILI7GhQ6akRMHBwX6mpdtoCUr4Kg7gY/bMeSlF/vVJMVkSTAK446CvDeeIjOZ8t7y33o4dvcPyBSUF61+QRHsgxEGfEkOHpAvlQEp+UFtRcMvBmQt5Ld7oH5aMaRAGVQ+0kTEOPJ6XLyD2FcKPUaHEULMX3RzSeVFONCSgq34vecv4986dWZnV8sRRhReuzRbaRZojca/zNxVCR3E2Ol4nFnmPqwE6TPOQ6ruSH4WlXQHeQWSxmTmGwy/Rm/vrXMMuqtCjTx6Kdtqkbdo1q9DdYeybdxcey7hddFo8lvFTn6OvL8HJXASeJt7gs+aT0gyrz0csEJjluEu5eVwYoVkfeESDzOpt4LZhFieuZYWTVd3+CG0Y/YY+vCVpNz8sqKfVcKO7SKH8q4Xs4TB0XOuaSFzrJWSqSG1JKC1AAxyZfAveF/f2L8qdD7mR8oYCkmuVtW6kbnb6c7S981MH7TPrC6HFfptOKV119nVve6bN+rXtGiwEfVlF0XQDTCECKAWgaAhFYJJAj1nA8RG7Uoh8yQ965woybU86pNf6VzSTUi1DSlUpOPPPCZ8br3RoHuqoB1yj6fxZIdNJj48tKGlJ6TDUbAI0XdGou7b3HBfZxUkVLS9En9qHdB0fjvDbh55uBsWavJbaxUP2hWytmC62jqXYCFzIQrUAPiveXnXIXPAUWqeuCZmYDRtiQtanfRjtxEppKuAozDofiycil2fqd7lr2NeAFI1IT1SOUO/ctafYLggJ59+DYh0ovoBGe1wnCceDHV/XGGzWZiuT4HkIoc2DyrDeZ2CC+RxXVzFAWZ0rt8+U7MjkkIhsCYAApBc8lnPh7AcbfxJftLvPmTJZt72enD9QoDhuGbdK/aPm6xC2yMCSqWV4EOi17k2SkXfZE/eo9kRVHE8IIKgdvcrCmqnhtLaMmK/VO5D7GJBu7V8fcJMavVhiHn7E6sbsThgNWDZa6Pi3jlYJqM39XN2uEjmXajoUPh/u03yWdE8eEMPWVhogtoREG9YJ7rPtzd2NLry7SPZIfKS5KVoq9LCQSS50/AcC3kH+Bo88NXIlXimcJxfgX8ASOdQFfdmdCT9uVwEWTOIcUWPhMI4VoeD/KrlmKJB+E5DbC5ZFAC7RO2WEJGBFuGgoqKSn7udWZFFRR+BJn9FKdNJ1tZGQ0aHXDMs6NmnecZmnxFb1npJRToaqBAJHxQ7WoLqhaEHNJqF1/ixlqMV3NokDZ/mthHr+664P1Nt1mtxokumCWuhZu5lVfU5z06CrUqnSFRpC8qfkW2lD6pd3GsLR1CVipcwcSGmlrVUQJIS5hfYo5BA50DT7gJbUNnX5DCuaP6EwvOnOlr8npdmjNsIp2wfvXwGaoKQwwB5Qr5AovvK5kHTuxId0t2ls28vU0CrGvX06AIzukNVJMsTUtHdkVp7sNvdvRBSWbERQBtYGPUIgnT14rjxc9wl7/4VP4NgiLXZ6e9A8U1PTyOwVLXRYfu6KizuFCC7rYFerK7bqN9tRwII6oWSq0vX0rrr3dUsOfTxyKnnp9Trey/K81EwLSx6eEAPwQwkDo2+nvgI0N/qEv4OcIJQ4i0+i/rhwQH/mN7JSIXFe+CESdr+3YRhqOKXiL2KlAp8ZShpsLDbGQ8wjO47gmcT6leCalHs351NgQLcGBzlieFI8Bldewxwj0ES/WKxKC04yXvDUtdFd3JCgZcuRu20J15yDeeSl9sH5kwobjBzosHcLO1H2A4c+XQs8BOpqcpRLUVrW7ON7AuUpgyyPxLgUTGccTPN91aEwcmPfpx+NvQYgcMwfH5Abfe2bRLSxFqKzyMJXlAzwZCI7ly8DE3r+EHBGYpo8lGQqmKXO2K7Zaum7QpkzkHq9KDz5XWTYFGltirsjo4bG3kMGeiwKsPbZcWa4enIeNqVOy+D533k+AUMzWO6cy41KtpI/9Ioc/lNd8eVi7Fuecs/ZjL7p5HhVLoo0a4YpHeQAUANUEoNdtbn9oc5Ob1DzbAwloYfkksrTl1n+jBusdmdniRfus+LzltaRQvXg9to2lYKGoIZY76qCMliJAJLdnebmGXUKVdbCW1rq+E9uX8Q8wAs0WKAQZl0o0C1GFffOmteqdPh2YK+UGcs3xr5wsk8LSF1L9oWnWvahWcSRrXRw5SC3Gda5DJnoohcHuYc=
   template:
     metadata:
       name: lldap-config