MikolajG/peertube-openid-discord
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
peertube-openid-discord/README.md

95 lines
5 KiB
Markdown
Raw Permalink Blame History

# PeerTube Discord OIDC Bridge
A lightweight, containerized OIDC (OpenID Connect) provider that acts as a bridge between a PeerTube instance and Discord's OAuth2 authentication. This allows users to log in or register on a PeerTube instance using their Discord account, with access gated by membership in a specific Discord server.
## Overview
This project solves a specific problem: PeerTube has a robust, official plugin for OIDC authentication, but not for generic OAuth2 providers like Discord. This service fills that gap by presenting a fully compliant OIDC interface to PeerTube while handling the Discord OAuth2 flow on the backend.
The primary use case is for self-hosted PeerTube instances that are not fully public but need a simple way to grant access to a community of users, such as friends or server members, without manual account creation.
## Features
- **Discord Authentication:** Enables "Login with Discord" for any PeerTube instance.
- **Server Gating:** Restricts login/registration to members of a specific Discord server.
- **OIDC Compliant:** Works seamlessly with the official PeerTube `auth-openid-connect` plugin.
- **Automatic Account Creation:** New users who pass the server gate are automatically given a PeerTube account.
- **Existing Account Linking:** Users with an existing PeerTube account can link it by matching their Discord email.
- **Dockerized:** Runs as a single, lightweight Docker container orchestrated with Docker Compose.
- **Diagnostics Page:** Includes a `/status` page to check configuration and connectivity.
## How It Works
1. A user on PeerTube clicks "Login with OpenID Connect".
2. PeerTube redirects the user to this OIDC Bridge service.
3. The OIDC Bridge service redirects the user to Discord for authentication and authorization.
4. The user authorizes the application in Discord and is redirected back to the bridge.
5. The bridge uses the Discord authorization code to get an access token.
6. It then uses the access token to fetch the user's profile and their list of Discord servers (guilds).
7. The bridge creates a signed **ID Token (JWT)**, inserting the user's server IDs into a `groups` claim.
8. PeerTube receives the ID Token, validates it, and checks if the user's `groups` claim contains the required "Allowed Group" (your Discord Server ID).
9. If the check passes, the user is logged in or their account is created.
## Requirements
- [Docker](https://www.docker.com/get-started)
- [Docker Compose](https://docs.docker.com/compose/install/)
- A PeerTube instance with the `auth-openid-connect` plugin installed and enabled.
## Setup Instructions
### 1. Clone or Create Project Files
Place all the project files (`docker-compose.yml`, `Dockerfile`, `app.py`, `requirements.txt`, `.env`, `templates/status.html`) in a single directory on your server.
### 2. Configure Environment Variables
Create a `.env` file by copying the contents from the Canvas and fill in the following values:
- `OIDC_PROVIDER_URL`: The full, publicly accessible URL of this bridge service (e.g., `http://your-domain.com:5000` or `http://192.168.1.10:5000`). **This cannot be `localhost`** if PeerTube is running on a different machine or in a different Docker network.
- `DISCORD_CLIENT_ID`: Your Client ID from the Discord Developer Portal.
- `DISCORD_CLIENT_SECRET`: Your Client Secret from the Discord Developer Portal.
- `PEERTUBE_CALLBACK_URL`: The full callback URL provided by the PeerTube OIDC plugin settings page. It will look like `https://your-peertube.com/plugins/auth-openid-connect/router/code-cb`.
### 3. Configure Discord Application
In the [Discord Developer Portal](https://discord.com/developers/applications), under your application's "OAuth2" settings:
- Add a **Redirect URI** that matches the bridge's callback endpoint: `http://<your-domain-or-ip>:5000/discord/callback`.
### 4. Configure PeerTube Plugin
On your PeerTube instance, navigate to **Administration -> Plugins/Themes -> auth-openid-connect -> Settings** and configure it as follows:
- **Discover URL:** `http://<your-domain-or-ip>:5000/.well-known/openid-configuration`
- **Client ID:** `peertube`
- **Client secret:** `peertube-super-secret`
- **Scope:** `openid email profile groups`
- **Username property:** `preferred_username`
- **Email property:** `email`
- **Display name property:** `name`
- **Group property:** `groups`
- **Allowed group:** Your specific Discord Server ID.
## Running the Service
From the project directory, run the following command:
```bash
docker-compose up --build -d
```
The -d flag runs the container in detached mode (in the background).
Troubleshooting
You can check the health and configuration of the bridge service by navigating to its status page:
http://<your-domain-or-ip>:5000/status
This page will show the status of environment variables, connectivity to the Discord API, and a log of the most recent incoming requests from your PeerTube instance, which is invaluable for debugging the connection.
To view live logs from the container, run:
```bash
docker-compose logs -f
```
Reference in a new issue View git blame Copy permalink