From d8ee13a9bcfda604b4cef969e002995c308d2a47 Mon Sep 17 00:00:00 2001 From: "dosubot[bot]" <131922026+dosubot[bot]@users.noreply.github.com> Date: Thu, 9 Apr 2026 09:19:58 +0000 Subject: [PATCH 1/2] docs: add OIDC server setup guide and configuration reference --- src/content/docs/docs/guides/oidc.mdx | 18 +++++++- .../docs/docs/reference/configuration.mdx | 44 ++++++++++++++++++- 2 files changed, 60 insertions(+), 2 deletions(-) diff --git a/src/content/docs/docs/guides/oidc.mdx b/src/content/docs/docs/guides/oidc.mdx index aa5b935..87a66fd 100644 --- a/src/content/docs/docs/guides/oidc.mdx +++ b/src/content/docs/docs/guides/oidc.mdx @@ -35,17 +35,33 @@ Supported scopes: - `openid` - `profile` - `email` +- `phone` +- `address` - `groups` Supported claims: - `sub` - `name` +- `given_name` +- `family_name` +- `middle_name` +- `nickname` +- `profile` +- `picture` +- `website` +- `gender` +- `birthdate` +- `zoneinfo` +- `locale` - `email` +- `email_verified` +- `phone_number` +- `phone_number_verified` +- `address` - `preferred_username` - `groups` - `updated_at` -- `email_verified` Supported token endpoint authentication methods: diff --git a/src/content/docs/docs/reference/configuration.mdx b/src/content/docs/docs/reference/configuration.mdx index 2cbee53..6f17760 100644 --- a/src/content/docs/docs/reference/configuration.mdx +++ b/src/content/docs/docs/reference/configuration.mdx @@ -50,7 +50,7 @@ Tinyauth can be configured using environment variables or CLI flags. The table b | - | - | - | - | | `TINYAUTH_AUTH_IP_ALLOW` | `--auth.ip.allow` | List of allowed IPs or CIDR ranges. | `` | | `TINYAUTH_AUTH_IP_BLOCK` | `--auth.ip.block` | List of blocked IPs or CIDR ranges. | `` | -| `TINYAUTH_AUTH_USERS` | `--auth.users` | Comma-separated list of users (username:hashed_password). | `` | +| `TINYAUTH_AUTH_USERS` | `--auth.users` | Map of users with structured configuration (see below). | `` | | `TINYAUTH_AUTH_USERSFILE` | `--auth.usersfile` | Path to the users file. | `` | | `TINYAUTH_AUTH_SECURECOOKIE` | `--auth.securecookie` | Enable secure cookies. | `false` | | `TINYAUTH_AUTH_SESSIONEXPIRY` | `--auth.sessionexpiry` | Session expiry time in seconds. | `86400` | @@ -59,6 +59,48 @@ Tinyauth can be configured using environment variables or CLI flags. The table b | `TINYAUTH_AUTH_LOGINMAXRETRIES` | `--auth.loginmaxretries` | Maximum login retries. | `3` | | `TINYAUTH_AUTH_TRUSTEDPROXIES` | `--auth.trustedproxies` | Comma-separated list of trusted proxy addresses. | `` | +### User Configuration Format + +The `auth.users` configuration uses a structured YAML map format where each key is a username and the value contains the user's password, optional TOTP secret, and optional attributes: + +```yaml +auth: + users: + username: + password: "bcrypt_hashed_password" + totpSecret: "optional_totp_secret" + attributes: + name: "Full Name" + givenName: "First" + familyName: "Last" + middleName: "Middle" + nickname: "Nick" + profile: "https://example.com/profile" + picture: "https://example.com/avatar.jpg" + website: "https://example.com" + email: "user@example.com" + gender: "gender" + birthdate: "YYYY-MM-DD" + zoneinfo: "Europe/Athens" + locale: "en-US" + phoneNumber: "+1234567890" + phoneNumberVerified: true + address: + formatted: "Full address" + streetAddress: "123 Main St" + locality: "City" + region: "State" + postalCode: "12345" + country: "Country" +``` + +Fields: +- `password` (required): The bcrypt hashed password. +- `totpSecret` (optional): The TOTP secret for two-factor authentication. +- `attributes` (optional): User attributes returned as OIDC claims when Tinyauth acts as an OIDC provider. All attribute fields are optional and will be included in the appropriate OIDC scopes (profile, email, phone, address). + +The `auth.usersfile` option supports a legacy line-based format (`username:hashed_password` or `username:hashed_password:totp_secret`), which remains supported for backwards compatibility. + ## ACLs Configuration | Environment | Flag | Description | Default | From bd9f835cfc25fff8b4e9150c99bcf6fd31ddb085 Mon Sep 17 00:00:00 2001 From: "dosubot[bot]" <131922026+dosubot[bot]@users.noreply.github.com> Date: Sat, 11 Apr 2026 05:06:12 +0000 Subject: [PATCH 2/2] docs: add OIDC server guide and configuration reference --- src/content/docs/docs/guides/oidc.mdx | 36 ++++++----- .../docs/docs/reference/configuration.mdx | 64 +++++++------------ 2 files changed, 41 insertions(+), 59 deletions(-) diff --git a/src/content/docs/docs/guides/oidc.mdx b/src/content/docs/docs/guides/oidc.mdx index 87a66fd..5e0e7f9 100644 --- a/src/content/docs/docs/guides/oidc.mdx +++ b/src/content/docs/docs/guides/oidc.mdx @@ -35,34 +35,36 @@ Supported scopes: - `openid` - `profile` - `email` -- `phone` -- `address` +- `phone` - Returns phone_number and phone_number_verified claims +- `address` - Returns address claim (formatted, street_address, locality, region, postal_code, country) - `groups` Supported claims: - `sub` - `name` -- `given_name` -- `family_name` -- `middle_name` -- `nickname` -- `profile` -- `picture` -- `website` -- `gender` -- `birthdate` -- `zoneinfo` -- `locale` +- `given_name` - Given (first) name of the user +- `family_name` - Family (last) name of the user +- `middle_name` - Middle name of the user +- `nickname` - Nickname of the user +- `profile` - URL of the user's profile page +- `picture` - URL of the user's profile picture +- `website` - URL of the user's website +- `gender` - Gender of the user +- `birthdate` - Birthdate of the user (YYYY-MM-DD format) +- `zoneinfo` - Time zone of the user (e.g. Europe/Athens) +- `locale` - Locale of the user (e.g. en-US) - `email` -- `email_verified` -- `phone_number` -- `phone_number_verified` -- `address` - `preferred_username` +- `email_verified` +- `phone_number` - Phone number of the user +- `phone_number_verified` - Whether the phone number has been verified (boolean) +- `address` - Address object with fields: formatted, street_address, locality, region, postal_code, country - `groups` - `updated_at` +These claims align with the OpenID Connect Core 1.0 specification's standard claims. + Supported token endpoint authentication methods: - `client_secret_basic` diff --git a/src/content/docs/docs/reference/configuration.mdx b/src/content/docs/docs/reference/configuration.mdx index 6f17760..959f0b9 100644 --- a/src/content/docs/docs/reference/configuration.mdx +++ b/src/content/docs/docs/reference/configuration.mdx @@ -50,7 +50,8 @@ Tinyauth can be configured using environment variables or CLI flags. The table b | - | - | - | - | | `TINYAUTH_AUTH_IP_ALLOW` | `--auth.ip.allow` | List of allowed IPs or CIDR ranges. | `` | | `TINYAUTH_AUTH_IP_BLOCK` | `--auth.ip.block` | List of blocked IPs or CIDR ranges. | `` | -| `TINYAUTH_AUTH_USERS` | `--auth.users` | Map of users with structured configuration (see below). | `` | +| `TINYAUTH_AUTH_USERS` | `--auth.users` | Comma-separated list of users (username:hashed_password). | `` | +| `TINYAUTH_AUTH_USERATTRIBUTES` | `--auth.userattributes` | Map of per-user OIDC attributes (username -> attributes). | `` | | `TINYAUTH_AUTH_USERSFILE` | `--auth.usersfile` | Path to the users file. | `` | | `TINYAUTH_AUTH_SECURECOOKIE` | `--auth.securecookie` | Enable secure cookies. | `false` | | `TINYAUTH_AUTH_SESSIONEXPIRY` | `--auth.sessionexpiry` | Session expiry time in seconds. | `86400` | @@ -59,47 +60,26 @@ Tinyauth can be configured using environment variables or CLI flags. The table b | `TINYAUTH_AUTH_LOGINMAXRETRIES` | `--auth.loginmaxretries` | Maximum login retries. | `3` | | `TINYAUTH_AUTH_TRUSTEDPROXIES` | `--auth.trustedproxies` | Comma-separated list of trusted proxy addresses. | `` | -### User Configuration Format - -The `auth.users` configuration uses a structured YAML map format where each key is a username and the value contains the user's password, optional TOTP secret, and optional attributes: - -```yaml -auth: - users: - username: - password: "bcrypt_hashed_password" - totpSecret: "optional_totp_secret" - attributes: - name: "Full Name" - givenName: "First" - familyName: "Last" - middleName: "Middle" - nickname: "Nick" - profile: "https://example.com/profile" - picture: "https://example.com/avatar.jpg" - website: "https://example.com" - email: "user@example.com" - gender: "gender" - birthdate: "YYYY-MM-DD" - zoneinfo: "Europe/Athens" - locale: "en-US" - phoneNumber: "+1234567890" - phoneNumberVerified: true - address: - formatted: "Full address" - streetAddress: "123 Main St" - locality: "City" - region: "State" - postalCode: "12345" - country: "Country" -``` - -Fields: -- `password` (required): The bcrypt hashed password. -- `totpSecret` (optional): The TOTP secret for two-factor authentication. -- `attributes` (optional): User attributes returned as OIDC claims when Tinyauth acts as an OIDC provider. All attribute fields are optional and will be included in the appropriate OIDC scopes (profile, email, phone, address). - -The `auth.usersfile` option supports a legacy line-based format (`username:hashed_password` or `username:hashed_password:totp_secret`), which remains supported for backwards compatibility. +The `userAttributes` map allows setting per-user OIDC profile information. The key is the username, and the value is an object containing optional OIDC attributes: + +- `name` - Full name of the user +- `givenName` - Given (first) name +- `familyName` - Family (last) name +- `middleName` - Middle name +- `nickname` - Nickname +- `profile` - URL of the user's profile page +- `picture` - URL of the user's profile picture +- `website` - URL of the user's website +- `email` - Email address +- `gender` - Gender +- `birthdate` - Birthdate (YYYY-MM-DD format) +- `zoneinfo` - Time zone (e.g. Europe/Athens) +- `locale` - Locale (e.g. en-US) +- `phoneNumber` - Phone number +- `phoneNumberVerified` - Whether phone number is verified (boolean) +- `address` - Address object with fields: `formatted`, `streetAddress`, `locality`, `region`, `postalCode`, `country` + +These attributes are returned via the OIDC userinfo endpoint when the appropriate scopes (`profile`, `email`, `phone`, `address`) are requested. ## ACLs Configuration