Upgrade Grist, enable OIDC

.env.sample

@@ -17,3 +17,19 @@ GRIST_DEFAULT_EMAIL=grist@example.com
 
 SECRET_GRIST_SESSION_SECRET_VERSION=v1
 SECRET_DB_PASSWORD_VERSION=v1
+
+COMPOSE_FILE="compose.yml"
+
+# OIDC Single Sign On
+# See https://support.getgrist.com/install/oidc/
+#COMPOSE_FILE="$COMPOSE_FILE:compose.oidc.yml"
+#GRIST_OIDC_IDP_ISSUER=https://sso.example.com/realm/myrealm/
+#GRIST_OIDC_IDP_CLIENT_ID=something
+#SECRET_GRIST_OIDC_IDP_CLIENT_SECRET_VERSION=v1
+# Optional settings
+#GRIST_OIDC_IDP_SCOPES
+#GRIST_OIDC_SP_HOST
+#GRIST_OIDC_IDP_END_SESSION_ENDPOINT
+#GRIST_OIDC_IDP_SKIP_END_SESSION_ENDPOINT
+#GRIST_OIDC_SP_PROFILE_NAME_ATTR
+#GRIST_OIDC_SP_PROFILE_EMAIL_ATTR

abra.sh

@@ -1 +1 @@
-export ENTRYPOINT_CONF_VERSION=v1
+export ENTRYPOINT_CONF_VERSION=v2

compose.oidc.yml

@@ -0,0 +1,19 @@
+services:
+  app:
+    environment:
+      - GRIST_OIDC_IDP_ISSUER
+      - GRIST_OIDC_IDP_CLIENT_ID
+      - GRIST_OIDC_IDP_CLIENT_SECRET_FILE=/run/secrets/grist_oidc_idp_client_secret
+      - GRIST_OIDC_IDP_SCOPES
+      - GRIST_OIDC_SP_HOST
+      - GRIST_OIDC_IDP_END_SESSION_ENDPOINT
+      - GRIST_OIDC_IDP_SKIP_END_SESSION_ENDPOINT
+      - GRIST_OIDC_SP_PROFILE_NAME_ATTR
+      - GRIST_OIDC_SP_PROFILE_EMAIL_ATTR
+    secrets:
+      - grist_oidc_idp_client_secret
+
+secrets:
+  grist_oidc_idp_client_secret:
+    external: true
+    name: ${STACK_NAME}_grist_oidc_idp_client_secret_${SECRET_GRIST_OIDC_IDP_CLIENT_SECRET_VERSION}

compose.yml

@@ -1,6 +1,6 @@
 services:
   app:
-    image: gristlabs/grist:1.1.7
+    image: gristlabs/grist:1.1.12
     networks:
       - proxy
       - internal
@@ -18,7 +18,7 @@ services:
       - APP_HOME_URL=https://${DOMAIN}
       - APP_DOC_URL=https://${DOMAIN}
       - GRIST_SINGLE_ORG
-      - GRIST_ORG_IN_PATH
+      #- GRIST_ORG_IN_PATH
       - COOKIE_MAX_AGE
       - GRIST_FORCE_LOGIN
       - GRIST_HIDE_UI_ELEMENTS

entrypoint.sh.tmpl

@@ -26,5 +26,6 @@ file_env() {
 
 file_env TYPEORM_PASSWORD
 file_env GRIST_SESSION_SECRET
+file_env GRIST_OIDC_IDP_CLIENT_SECRET
 
 exec ./sandbox/run.sh $@