Added environment variables to OpenID page (#650)

Added environment variables to OpenID page --------- Co-authored-by: Ruben Olsen Lærk <ruben@lku.no> Co-authored-by: Matt Fiddaman <github@m.fiddaman.uk>
actualbudget · Mar 5, 2025 · ad53fcb · ad53fcb
1 parent 1bd2964
commit ad53fcb
Show file tree

Hide file tree

Showing 2 changed files with 51 additions and 1 deletion.
diff --git a/.github/actions/spelling/expect.txt b/.github/actions/spelling/expect.txt
@@ -97,3 +97,4 @@ VUB
 websecure
 WOR
 youngcw
+OIDC
diff --git a/docs/experimental/oauth-auth.md b/docs/experimental/oauth-auth.md
@@ -115,6 +115,55 @@ When setup is done, you will be redirected to the _login_ page:
 
 ![](/static/img/oauth/first-login.png)
 
+### Environment Variables
+
+#### `ACTUAL_OPENID_DISCOVERY_URL`
+- **Purpose:** If your OpenID provider supports discovery, this is the URL where discovery metadata can be found.  
+**Example Value:** `https://provider.tld/.well-known/openid-configuration`
+
+#### `ACTUAL_OPENID_CLIENT_ID`
+- **Purpose:** The client ID issued by your OpenID provider.  
+**Example Value:** `my-actual-app`
+
+#### `ACTUAL_OPENID_CLIENT_SECRET`
+- **Purpose:** The client secret issued by your OpenID provider.  
+**Example Value:** `super-secret-value`
+
+#### `ACTUAL_OPENID_SERVER_HOSTNAME`
+- **Purpose:** The public URL of your Actual Server, which the provider redirects to after authentication.  
+**Example Value:** `https://actual.myserver.com`
+
+#### `ACTUAL_OPENID_AUTHORIZATION_ENDPOINT`
+- **Purpose:** Provider’s authorization endpoint (for providers that don’t support discovery).  
+**Example Value:** `https://provider.com/oauth2/authorize`
+
+#### `ACTUAL_OPENID_TOKEN_ENDPOINT`
+- **Purpose:** Provider’s token endpoint (for providers that don’t support discovery).  
+**Example Value:** `https://provider.com/oauth2/token`
+
+#### `ACTUAL_OPENID_USERINFO_ENDPOINT`
+- **Purpose:** Provider’s user-info endpoint (for providers that don’t support discovery).  
+**Example Value:** `https://provider.com/oauth2/userinfo`
+
+#### `ACTUAL_OPENID_AUTH_METHOD`
+- **Purpose:** Tells the server whether it should use the OpenID (OIDC) or a more general OAuth2 flow.  
+**Possible Values:** 
+  - `openid` (default)  
+  - `oauth2`  
+
+**Tip:** Use `oauth2` for providers like GitHub that don’t fully support OpenID discovery.
+
+#### `ACTUAL_OPENID_ENFORCE`
+- **Purpose:** Forces OpenID/OAuth2 authentication as the only allowed login method when set to `true`.  
+**Example Value:** `true` or `false` (default is `false`)
+
+#### `ACTUAL_TOKEN_EXPIRATION`
+- **Purpose:** Controls how access tokens expire.  
+**Possible Values:**  
+  - `"never"` (tokens never expire - **current default**)  
+  - `"openid-provider"` (tokens follow the expiration time from the OpenID provider)  
+  - A numeric value in seconds (e.g., `3600` for 1 hour)
+
+
 :::tip
 Configuring the OpenID provider from options supports discovery; otherwise, use [file configuration](oauth-auth#config-using-configuration-file)
-:::
-Original file line number
+Diff line change
@@ Expand Up / @@ -97,3 +97,4 @@ VUB @@
     websecure
     WOR
     youngcw
+    OIDC