docs(admin): document OIDC security.toml configuration

1 week ago · 7fa2917896
2 changed files with 57 additions and 1 deletions
--- a/weed/admin/README.md
+++ b/weed/admin/README.md
@ -139,6 +139,9 @@ weed admin -port=8080 -masters="master1:9333,master2:9333"
 # Start with authentication
 weed admin -adminUser=admin -adminPassword=secret123

+# Start with OIDC authentication (configured in security.toml)
+weed admin
+
 # Start with HTTPS
 weed admin -port=443 -tlsCert=/path/to/cert.pem -tlsKey=/path/to/key.pem
 ```
@ -154,6 +157,32 @@ weed admin -port=443 -tlsCert=/path/to/cert.pem -tlsKey=/path/to/key.pem
 | `-tlsCert` | "" | Path to TLS certificate |
 | `-tlsKey` | "" | Path to TLS private key |

+### OIDC Authentication (security.toml)
+
+The admin UI supports OIDC authorization code flow on the same login page as local credentials.
+Configure it in `security.toml`:
+
+```toml
+[admin.oidc]
+enabled = true
+issuer = "https://idp.example.com/realms/seaweed"
+client_id = "seaweedfs-admin-ui"
+client_secret = "your-client-secret"
+redirect_url = "https://admin.example.com/login/oidc/callback"
+scopes = ["openid", "profile", "email"]
+
+[admin.oidc.role_mapping]
+default_role = "readonly"
+
+[[admin.oidc.role_mapping.rules]]
+claim = "groups"
+value = "seaweedfs-admin"
+role = "admin"
+```
+
+Role mapping must resolve to either `admin` or `readonly`.
+OIDC sessions are capped to the ID token expiration time.
+
 ### Docker Usage

 ```bash
@ -214,7 +243,7 @@ make fmt

 ### Security Considerations

-1. **Authentication**: Always set `adminPassword` in production
+1. **Authentication**: Use strong local credentials and/or OIDC with strict role mapping
 2. **HTTPS**: Use TLS certificates for encrypted connections
 3. **Firewall**: Restrict admin interface access to authorized networks

--- a/weed/command/scaffold/security.toml
+++ b/weed/command/scaffold/security.toml
@ -165,6 +165,33 @@ cert = ""
 key = ""
 ca = ""

+# Admin UI OIDC authentication (authorization code flow)
+# If enabled=true, users can sign in with OIDC on /login.
+# Session duration is capped to the ID token expiration.
+[admin.oidc]
+enabled = false
+issuer = "https://idp.example.com/realms/seaweed"
+client_id = "seaweedfs-admin-ui"
+client_secret = ""
+redirect_url = "https://admin.example.com/login/oidc/callback"
+scopes = ["openid", "profile", "email"]
+jwks_uri = ""                     # optional override; defaults from OIDC discovery
+tls_ca_cert = ""                  # optional absolute path for custom CA bundle
+tls_insecure_skip_verify = false  # testing only; do not use in production
+
+[admin.oidc.role_mapping]
+default_role = "readonly"
+
+[[admin.oidc.role_mapping.rules]]
+claim = "groups"
+value = "seaweedfs-admin"
+role = "admin"
+
+[[admin.oidc.role_mapping.rules]]
+claim = "groups"
+value = "seaweedfs-readonly"
+role = "readonly"
+
 # white list. It's checking request ip address.
 [guard]
 white_list = ""