replaced authentik with generic oidc provider

CHANGELOG.md

@@ -5,8 +5,9 @@
 - Added auto fail/retry (default to 8 attempts) for the `SELECT` queries to gracefully handle the `database is locked` errors ([#1795](https://github.com/pocketbase/pocketbase/discussions/1795#discussioncomment-4882169)).
   _The default max attempts can be accessed or changed via `Dao.MaxLockRetries`._
 
-- Added default max query executation timeout (60s).
+- Added default max query executation timeout (30s).
   _The default timeout can be access or changed via `Dao.ModelQueryTimeout`._
+  _For the prebuilt executables it can be also changed via the `--queryTimeout=10` flag._
 
 - Added support for `dao.RecordQuery(collection)` to scan directly the `One()` and `All()` results in `*models.Record` or `[]*models.Record` without the need of explicit `NullStringMap`.
 
@@ -18,7 +19,7 @@
 
 - Added `UploadedFiles` field to the `RecordCreateEvent` and `RecordUpdateEvent` event structs.
 
-- **!** Moved file upload after the record persistent to allow custom changing the record id safely from the `OnModelBeforeCreate` hook.
+- **!** Moved file upload after the record persistent to allow setting custom record id safely from the `OnModelBeforeCreate` hook.
 
 - **!** Changed `System.GetFile()` to return directly `*blob.Reader` instead of the `io.ReadCloser` interface.
 
@@ -42,6 +43,10 @@
     }
     ```
 
+- **!** Repurposed the Authentik integration as a more generic "OpenID Connect" provider (`oidc`) to support any OIDC provider (Okta, Keycloak, etc.).
+  _If you've previously used Authentik, make sure to rename the provider key in your code to `oidc`._
+  _For more than one OIDC provider you can use the additional `oidc2` and `oidc3` settings._
+
 - **!** Removed the previously deprecated `Dao.Block()` and `Dao.Continue()` helpers in favor of `Dao.NonconcurrentDB()`.
 
 - Other minor Admin UI improvements.

apis/settings_test.go

@@ -61,8 +61,10 @@ func TestSettingsList(t *testing.T) {
 				`"stravaAuth":{`,
 				`"giteeAuth":{`,
 				`"livechatAuth":{`,
-				`"authentikAuth":{`,
 				`"giteaAuth":{`,
+				`"oidcAuth":{`,
+				`"oidc2Auth":{`,
+				`"oidc3Auth":{`,
 				`"secret":"******"`,
 				`"clientSecret":"******"`,
 			},
@@ -133,8 +135,10 @@ func TestSettingsSet(t *testing.T) {
 				`"stravaAuth":{`,
 				`"giteeAuth":{`,
 				`"livechatAuth":{`,
-				`"authentikAuth":{`,
 				`"giteaAuth":{`,
+				`"oidcAuth":{`,
+				`"oidc2Auth":{`,
+				`"oidc3Auth":{`,
 				`"secret":"******"`,
 				`"clientSecret":"******"`,
 				`"appName":"acme_test"`,
@@ -194,8 +198,10 @@ func TestSettingsSet(t *testing.T) {
 				`"stravaAuth":{`,
 				`"giteeAuth":{`,
 				`"livechatAuth":{`,
-				`"authentikAuth":{`,
 				`"giteaAuth":{`,
+				`"oidcAuth":{`,
+				`"oidc2Auth":{`,
+				`"oidc3Auth":{`,
 				`"secret":"******"`,
 				`"clientSecret":"******"`,
 				`"appName":"update_test"`,

daos/base.go

@@ -24,7 +24,7 @@ func NewMultiDB(concurrentDB, nonconcurrentDB dbx.Builder) *Dao {
 		concurrentDB:      concurrentDB,
 		nonconcurrentDB:   nonconcurrentDB,
 		MaxLockRetries:    8,
-		ModelQueryTimeout: 1 * time.Minute,
+		ModelQueryTimeout: 30 * time.Second,
 	}
 }
 

migrations/1677152688_rename_authentik_to_oidc.go

@@ -0,0 +1,26 @@
+package migrations
+
+import (
+	"github.com/pocketbase/dbx"
+)
+
+// This migration replaces the "authentikAuth" setting with "oidc".
+func init() {
+	AppMigrations.Register(func(db dbx.Builder) error {
+		_, err := db.NewQuery(`
+			UPDATE {{_params}}
+			SET [[value]] = replace([[value]], '"authentikAuth":', '"oidcAuth":')
+			WHERE [[key]] = 'settings'
+		`).Execute()
+
+		return err
+	}, func(db dbx.Builder) error {
+		_, err := db.NewQuery(`
+			UPDATE {{_params}}
+			SET [[value]] = replace([[value]], '"oidcAuth":', '"authentikAuth":')
+			WHERE [[key]] = 'settings'
+		`).Execute()
+
+		return err
+	})
+}

models/settings/settings.go

@@ -15,6 +15,10 @@ import (
 	"github.com/pocketbase/pocketbase/tools/security"
 )
 
+// SecretMask is the default settings secrets replacement value
+// (see Settings.RedactClone()).
+const SecretMask string = "******"
+
 // Settings defines common app configuration options.
 type Settings struct {
 	mux sync.RWMutex
@@ -47,8 +51,10 @@ type Settings struct {
 	StravaAuth    AuthProviderConfig `form:"stravaAuth" json:"stravaAuth"`
 	GiteeAuth     AuthProviderConfig `form:"giteeAuth" json:"giteeAuth"`
 	LivechatAuth  AuthProviderConfig `form:"livechatAuth" json:"livechatAuth"`
-	AuthentikAuth AuthProviderConfig `form:"authentikAuth" json:"authentikAuth"`
 	GiteaAuth     AuthProviderConfig `form:"giteaAuth" json:"giteaAuth"`
+	OIDCAuth      AuthProviderConfig `form:"oidcAuth" json:"oidcAuth"`
+	OIDC2Auth     AuthProviderConfig `form:"oidc2Auth" json:"oidc2Auth"`
+	OIDC3Auth     AuthProviderConfig `form:"oidc3Auth" json:"oidc3Auth"`
 }
 
 // New creates and returns a new default Settings instance.
@@ -138,10 +144,16 @@ func New() *Settings {
 		LivechatAuth: AuthProviderConfig{
 			Enabled: false,
 		},
-		AuthentikAuth: AuthProviderConfig{
+		GiteaAuth: AuthProviderConfig{
 			Enabled: false,
 		},
-		GiteaAuth: AuthProviderConfig{
+		OIDCAuth: AuthProviderConfig{
+			Enabled: false,
+		},
+		OIDC2Auth: AuthProviderConfig{
+			Enabled: false,
+		},
+		OIDC3Auth: AuthProviderConfig{
 			Enabled: false,
 		},
 	}
@@ -176,8 +188,10 @@ func (s *Settings) Validate() error {
 		validation.Field(&s.StravaAuth),
 		validation.Field(&s.GiteeAuth),
 		validation.Field(&s.LivechatAuth),
-		validation.Field(&s.AuthentikAuth),
 		validation.Field(&s.GiteaAuth),
+		validation.Field(&s.OIDCAuth),
+		validation.Field(&s.OIDC2Auth),
+		validation.Field(&s.OIDC3Auth),
 	)
 }
 
@@ -211,8 +225,6 @@ func (s *Settings) RedactClone() (*Settings, error) {
 		return nil, err
 	}
 
-	mask := "******"
-
 	sensitiveFields := []*string{
 		&clone.Smtp.Password,
 		&clone.S3.Secret,
@@ -235,14 +247,16 @@ func (s *Settings) RedactClone() (*Settings, error) {
 		&clone.StravaAuth.ClientSecret,
 		&clone.GiteeAuth.ClientSecret,
 		&clone.LivechatAuth.ClientSecret,
-		&clone.AuthentikAuth.ClientSecret,
 		&clone.GiteaAuth.ClientSecret,
+		&clone.OIDCAuth.ClientSecret,
+		&clone.OIDC2Auth.ClientSecret,
+		&clone.OIDC3Auth.ClientSecret,
 	}
 
 	// mask all sensitive fields
 	for _, v := range sensitiveFields {
 		if v != nil && *v != "" {
-			*v = mask
+			*v = SecretMask
 		}
 	}
 
@@ -256,21 +270,23 @@ func (s *Settings) NamedAuthProviderConfigs() map[string]AuthProviderConfig {
 	defer s.mux.RUnlock()
 
 	return map[string]AuthProviderConfig{
-		auth.NameGoogle:    s.GoogleAuth,
-		auth.NameFacebook:  s.FacebookAuth,
-		auth.NameGithub:    s.GithubAuth,
-		auth.NameGitlab:    s.GitlabAuth,
-		auth.NameDiscord:   s.DiscordAuth,
-		auth.NameTwitter:   s.TwitterAuth,
-		auth.NameMicrosoft: s.MicrosoftAuth,
-		auth.NameSpotify:   s.SpotifyAuth,
-		auth.NameKakao:     s.KakaoAuth,
-		auth.NameTwitch:    s.TwitchAuth,
-		auth.NameStrava:    s.StravaAuth,
-		auth.NameGitee:     s.GiteeAuth,
-		auth.NameLivechat:  s.LivechatAuth,
-		auth.NameAuthentik: s.AuthentikAuth,
-		auth.NameGitea:     s.GiteaAuth,
+		auth.NameGoogle:     s.GoogleAuth,
+		auth.NameFacebook:   s.FacebookAuth,
+		auth.NameGithub:     s.GithubAuth,
+		auth.NameGitlab:     s.GitlabAuth,
+		auth.NameDiscord:    s.DiscordAuth,
+		auth.NameTwitter:    s.TwitterAuth,
+		auth.NameMicrosoft:  s.MicrosoftAuth,
+		auth.NameSpotify:    s.SpotifyAuth,
+		auth.NameKakao:      s.KakaoAuth,
+		auth.NameTwitch:     s.TwitchAuth,
+		auth.NameStrava:     s.StravaAuth,
+		auth.NameGitee:      s.GiteeAuth,
+		auth.NameLivechat:   s.LivechatAuth,
+		auth.NameGitea:      s.GiteaAuth,
+		auth.NameOIDC:       s.OIDCAuth,
+		auth.NameOIDC + "2": s.OIDC2Auth,
+		auth.NameOIDC + "3": s.OIDC3Auth,
 	}
 }
 
@@ -481,11 +497,11 @@ func (c LogsConfig) Validate() error {
 
 type AuthProviderConfig struct {
 	Enabled      bool   `form:"enabled" json:"enabled"`
-	ClientId     string `form:"clientId" json:"clientId,omitempty"`
-	ClientSecret string `form:"clientSecret" json:"clientSecret,omitempty"`
-	AuthUrl      string `form:"authUrl" json:"authUrl,omitempty"`
-	TokenUrl     string `form:"tokenUrl" json:"tokenUrl,omitempty"`
-	UserApiUrl   string `form:"userApiUrl" json:"userApiUrl,omitempty"`
+	ClientId     string `form:"clientId" json:"clientId"`
+	ClientSecret string `form:"clientSecret" json:"clientSecret"`
+	AuthUrl      string `form:"authUrl" json:"authUrl"`
+	TokenUrl     string `form:"tokenUrl" json:"tokenUrl"`
+	UserApiUrl   string `form:"userApiUrl" json:"userApiUrl"`
 }
 
 // Validate makes `ProviderConfig` validatable by implementing [validation.Validatable] interface.