<%# Per-user claims admin partial: OIDC app-specific claim overrides, plus a read-only preview of the headers sent to ForwardAuth apps. %>
<%# Expects `applications` and `user` from the rendering context; the apps are split by their oidc? / forward_auth? predicates. %>
<% oidc_apps = applications.select(&:oidc?) %> <% forward_auth_apps = applications.select(&:forward_auth?) %> <% if oidc_apps.any? %>

OIDC App-Specific Claims

Configure custom claims that apply only to specific OIDC applications. These override both group and user global claims and are included in ID tokens.

<%# One section per OIDC app. find_by runs once per app inside this loop to fetch this user's override record; app_claim is nil when none exists. %>
<% oidc_apps.each do |app| %> <% app_claim = user.application_user_claims.find_by(application: app) %>
>
<%= app.name %> OIDC <% if app_claim&.custom_claims&.any? %> <%= app_claim.custom_claims.keys.count %> claim(s) <% end %>
<%# The form POSTs application_id (hidden field) and custom_claims (raw JSON text) to update_application_claims_admin_user_path(user). %>
<%# NOTE(review): the json-validator controller only checks the textarea in the browser, and the hidden application_id is client-controlled. %>
<%# NOTE(review): the receiving action is not visible here; confirm it parses the JSON itself, rejects the reserved claim names mentioned below, and checks that application_id refers to an OIDC application. %>
<%= form_with url: update_application_claims_admin_user_path(user), method: :post, class: "space-y-4", data: { controller: "json-validator" } do |form| %> <%= hidden_field_tag :application_id, app.id %>
<%= text_area_tag :custom_claims, (app_claim&.custom_claims.present? ? JSON.pretty_generate(app_claim.custom_claims) : ""), rows: 8, class: "w-full rounded-md border-gray-300 shadow-sm focus:border-blue-500 focus:ring-blue-500 sm:text-sm font-mono", placeholder: '{"kavita_groups": ["admin"], "library_access": "all"}', data: { action: "input->json-validator#validate blur->json-validator#format", json_validator_target: "textarea" } %>

Example for <%= app.name %>: Add claims that this app specifically needs to read.

Note: Do not use reserved claim names (groups, email, name, etc.). Use app-specific names like kavita_groups instead.

<%# Submit label is "Update" when an override record exists, otherwise "Add". "Remove Override" is rendered only for an existing record and sends a DELETE after a Turbo confirm. %>
<%= button_tag type: :submit, class: "rounded-md bg-blue-600 px-3 py-2 text-sm font-semibold text-white shadow-sm hover:bg-blue-500" do %> <%= app_claim ? "Update" : "Add" %> Claims <% end %> <% if app_claim %> <%= button_to "Remove Override", delete_application_claims_admin_user_path(user, application_id: app.id), method: :delete, data: { turbo_confirm: "Remove app-specific claims for #{app.name}?" }, class: "rounded-md bg-white px-3 py-2 text-sm font-semibold text-gray-900 shadow-sm ring-1 ring-inset ring-gray-300 hover:bg-gray-50" %> <% end %>
<% end %>

<%# Preview comes from the preview_user_claims helper (defined elsewhere). It is emitted through an escaping output tag; claim values include JSON typed into the form above, so do not switch this to raw or html_safe. %>
Preview: Final ID Token Claims for <%= app.name %>

<%= JSON.pretty_generate(preview_user_claims(user, app)) %>
Show claim sources
<%# claim_sources (helper defined elsewhere) yields hashes read here via the :name and :claims keys. %>
<% claim_sources(user, app).each do |source| %>
<%= source[:name] %> <%= source[:claims].to_json %>
<% end %>
<% end %>
<% end %> <% if forward_auth_apps.any? %>

ForwardAuth Headers Preview

ForwardAuth applications receive HTTP headers (not OIDC tokens). Headers are based on user's email, name, groups, and admin status.

<%# One read-only section per ForwardAuth app; nothing in this half of the partial submits data. %>
<% forward_auth_apps.each do |app| %>
<%= app.name %> FORWARD AUTH <%= app.domain_pattern %>

Headers Sent to <%= app.name %>

<%# headers_for_user is iterated as header name => value pairs; an empty result shows the "All headers disabled" message instead. %>
<% headers = app.headers_for_user(user) %> <% if headers.any? %>
<% headers.each do |header_name, value| %>
<%= header_name %>:
<%= value %>
<% end %>
<% else %>

All headers disabled for this application.

<% end %>

<%# NOTE(review): an upstream app can only trust these headers if it is reachable solely through the reverse proxy and the proxy overwrites any client-supplied copies of the same header names; confirm in the proxy configuration. %>
These headers are configured in the application settings and sent by your reverse proxy (Caddy/Traefik) to the upstream application.

<%# The group list sits inside the per-app loop, so it is repeated under every ForwardAuth application. %>
<% if user.groups.any? %>

User's Groups

<% user.groups.each do |group| %> <%= group.name %> <% end %>
<% end %>
<% end %>
<% end %> <% if oidc_apps.empty? && forward_auth_apps.empty? %>
<%# Empty state: shown only when there are neither OIDC nor ForwardAuth applications. %>

No active applications found.

Create applications in the Admin panel first.

<% end %>