Seafile supports OIDC authentication through its Seahub frontend.

In order to enable OIDC, you may add the following settings to your seahub_settings.py file.

# Authentication
ENABLE_OAUTH = True
# Lets the OAuth client accept plain-HTTP endpoints; only needed when the URLs below are not HTTPS
OAUTH_ENABLE_INSECURE_TRANSPORT = True
OAUTH_CLIENT_ID = "{{ service.config["client_id"] }}"
OAUTH_CLIENT_SECRET = "{{ service.config["client_secret"] }}"
OAUTH_REDIRECT_URL = "{{ service.config["redirect_uris"][0] }}"
OAUTH_PROVIDER_DOMAIN = "{{ url_for('account.home', _external=True).split(':')[1].split('/')[2] }}"
OAUTH_AUTHORIZATION_URL = "{{ url_for("sso.oidc_authorize", service_uuid=service.uuid, _external=True) }}"
OAUTH_TOKEN_URL = "{{ url_for("sso.oidc_token", service_uuid=service.uuid, _external=True) }}"
OAUTH_USER_INFO_URL = "{{ url_for("sso.oidc_userinfo", service_uuid=service.uuid, _external=True) }}"
OAUTH_SCOPE = ["openid", "profile", "email"]
OAUTH_ATTRIBUTE_MAP = {
    "id": (False, "no_destination"),
    "name": (True, "name"),
    "email": (True, "email")
}

Migrating accounts

If you are running an existing Seafile server, you may import your existing accounts as claimable profiles under Hiboo.

Accounts are stored in the EmailUser table of the ccnet_db database. However, we recommend that profiles be named after the username instead of the email address. The following SQL query exports the username, the password hash, and the user email (as an alternate claim) to a CSV file. It converts the stored password on the fly so that it carries a proper crypt context hash identifier, which lets Hiboo recognize the hash.

select
  profile.nickname,
  user.email,
  CONCAT('$pbkdf2-sha256$10000$', SUBSTRING(TO_BASE64(UNHEX(SUBSTRING(user.passwd,20,64))),1,43), '$', SUBSTRING(TO_BASE64(UNHEX(SUBSTRING(user.passwd,85,64))),1,43)) as password
from
  ccnet_db.EmailUser as user
left join
  seahub_db.profile_profile as profile
on
  profile.user=user.email
into
  outfile '/tmp/users.csv'
fields terminated by ',';
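
The same conversion in Python, as an added example that is not part of Hiboo or Seafile, useful for checking one row of the export before importing it. It assumes the stored layout implied by the query's offsets (`PBKDF2SHA256$10000$`, 64 hex characters of salt, `$`, 64 hex characters of digest); the function names and the sample password are made up for the illustration.

```python
import base64
import hashlib
import hmac

PREFIX = "PBKDF2SHA256$10000$"  # 19 characters, so the salt starts at SQL position 20


def seafile_to_crypt(passwd: str) -> str:
    """Mirror the SQL expression: hex salt/digest -> unpadded base64 fields."""
    if not passwd.startswith(PREFIX):
        raise ValueError("not a PBKDF2SHA256/10000 hash")
    salt_hex, sep, digest_hex = passwd[len(PREFIX):].partition("$")
    if sep != "$" or len(salt_hex) != 64 or len(digest_hex) != 64:
        raise ValueError("unexpected salt or digest length")

    def b64_43(hex_field: str) -> str:
        # TO_BASE64(UNHEX(...)) of 32 bytes is 44 chars ending in '='; keep 43
        return base64.b64encode(bytes.fromhex(hex_field)).decode()[:43]

    return "$pbkdf2-sha256$10000$%s$%s" % (b64_43(salt_hex), b64_43(digest_hex))


def verify_crypt(password: str, crypt_hash: str) -> bool:
    """Recompute PBKDF2-HMAC-SHA256 from the converted string and compare."""
    _, scheme, rounds, salt_b64, digest_b64 = crypt_hash.split("$")
    if scheme != "pbkdf2-sha256":
        return False

    def decode(field: str) -> bytes:
        # Accept '.' or '+' for value 62; TO_BASE64 emits '+'
        return base64.b64decode(field.replace(".", "+") + "=")

    salt, expected = decode(salt_b64), decode(digest_b64)
    actual = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, int(rounds))
    return hmac.compare_digest(actual, expected)


def make_sample_seafile_hash(password: str, salt: bytes) -> str:
    """Constructed test input in the stored layout assumed above."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10000)
    return PREFIX + salt.hex() + "$" + digest.hex()


SAMPLE = make_sample_seafile_hash("correct horse", bytes(range(32)))
CONVERTED = seafile_to_crypt(SAMPLE)
```

A row whose stored value does not match the assumed layout raises `ValueError` here, whereas the SQL expression would silently emit a malformed hash for it.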

Please grab the exported CSV file, copy it next to Hiboo, and run the following command to import these profiles as unclaimed. The file contains password hashes, so delete every copy once the import is done.

flask profile csv-unclaimed {{ service.uuid }} /tmp/users.csv

{% include "application_oidc.html" %}