Authenticating Mastodon With Domino's OIDC Provider
Sat Feb 07 12:48:24 EST 2026
A few years back, when Twitter finally truly went over the edge into hell, I wrote a post about setting up my Mastodon instance, which uses Keycloak for OIDC auth backed by Domino LDAP for the directory.
In the intervening time, Domino sprouted OIDC provider capabilities and so it's been on my back-burner to switch Mastodon over to use it. Keycloak has been fine for me, but I only use it for OIDC needs, and it'll be all the better to cut down on the number of distinct servers I run. Plus, while Keycloak's Docker container makes it easy to run, I'm much more comfortable with how Domino works, and so it's always nice to use it when I can.
For the most part, slotting Domino into Keycloak's place here was a matter of following the directions in the Domino documentation to set up the provider, which I won't rehash here. There are only really a few things that make it special.
Dynamic Claims
As I mentioned in the original post, I use a special field in my person document called "mastodonusername" to store the name to use for Mastodon. In Keycloak, I mapped that value from LDAP to a claim in the generated JWT, and I'd need to do the same on Domino.
Though there's no UI for it, towards the end of the 14.5 EA period HCL added the ability to map one field from the person document into the token. This is done via notes.ini variables, so I put these in my server's Configuration doc:
OIDC_PROVIDER_DYNAMIC_CLAIM_FIELD=mastodonusername
OIDC_PROVIDER_DYNAMIC_CLAIM_NAME=mastodonusername
With that in place, the token gets the same "mastodonusername" claim that Keycloak was using, and it'll continue to map my login to the right user in Mastodon.
PKCE
The current proper way to do OIDC is to include PKCE (RFC 7636), which binds the authorization code to the client that requested it: the client sends a hashed code_challenge with the authorization request and has to present the matching code_verifier when it redeems the code, so an intercepted code on its own is useless. It was originally designed for mobile and other public clients that can't keep a client secret, but it works with any authorization-code flow, and current OAuth security guidance recommends it for confidential clients too. Domino's OIDC Provider lets you turn off the requirement on a per-client basis, but it's still best to include it when possible.
Mastodon doesn't enable PKCE by default, but it has been available as an option for a couple of versions now. It's enabled via an environment variable, so I added this to the .env file that my Mastodon container uses:
OIDC_USE_PKCE=true
And, well, that's it. Now it uses PKCE and all is well.
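To make concrete what that one setting changes on the wire, here is the PKCE exchange from both sides as an added example. This is not code from the post, from Mastodon, or from Domino; it's written in Ruby because Mastodon is a Rails app, and the module and method names (Pkce, verify_token_request and so on) are this example's own. The provider half includes a require_pkce switch standing in for the per-client "PKCE required" option described above, and it accepts only the S256 method (RFC 7636 also allows "plain", but that gives no protection if the challenge is observed, so this example refuses it).

```ruby
require 'securerandom'
require 'digest'

# PKCE (RFC 7636) for the authorization-code flow, both halves:
#   - client side: make a code_verifier, derive the S256 code_challenge,
#     send the challenge with the authorization request and the verifier
#     with the token request;
#   - provider side: store the challenge next to the issued code, then
#     refuse to redeem the code unless the presented verifier hashes to it.
# All names here are this example's own, not Mastodon's or Domino's.
module Pkce
  # RFC 7636: 43..128 characters from the unreserved set.
  VERIFIER_CHARS = /\A[A-Za-z0-9\-._~]{43,128}\z/

  # base64url without padding, as the RFC requires (no Base64 library needed).
  def self.b64url(bytes)
    [bytes].pack('m0').tr('+/', '-_').delete('=')
  end

  # 32 random bytes -> 43-character verifier, the minimum length allowed.
  def self.generate_verifier
    b64url(SecureRandom.random_bytes(32))
  end

  # S256: base64url(SHA-256(ASCII(code_verifier)))
  def self.challenge_for(verifier)
    b64url(Digest::SHA256.digest(verifier))
  end

  # Client side: the extra query parameters added to the authorization request.
  def self.authorization_params(verifier)
    { 'code_challenge' => challenge_for(verifier), 'code_challenge_method' => 'S256' }
  end

  # Compare without leaking, through timing, where two strings first differ.
  def self.secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  # Provider side: may this token request redeem the authorization code?
  # stored_challenge/stored_method were saved with the code at /authorize time;
  # presented_verifier comes from the token request. require_pkce models the
  # per-client switch: when it is off, a client that never sent a challenge
  # is still allowed through (the weaker, legacy behaviour).
  def self.verify_token_request(stored_challenge:, stored_method:, presented_verifier:, require_pkce: true)
    return !require_pkce if stored_challenge.nil?                      # client didn't use PKCE
    return false unless stored_method == 'S256'                         # 'plain' refused here
    return false unless presented_verifier.is_a?(String) && presented_verifier.match?(VERIFIER_CHARS)
    secure_equal?(challenge_for(presented_verifier), stored_challenge)
  end
end

# Walk-through: a legitimate client, then an attacker who intercepted the code
# but not the verifier that only ever lived in the client's memory.
if __FILE__ == $PROGRAM_NAME
  verifier = Pkce.generate_verifier
  params = Pkce.authorization_params(verifier)                          # sent with /authorize
  # ... the provider issues a code and remembers params['code_challenge'] ...
  legit = Pkce.verify_token_request(stored_challenge: params['code_challenge'],
                                    stored_method: params['code_challenge_method'],
                                    presented_verifier: verifier)
  stolen = Pkce.verify_token_request(stored_challenge: params['code_challenge'],
                                     stored_method: params['code_challenge_method'],
                                     presented_verifier: Pkce.generate_verifier)
  puts "legitimate client redeems code: #{legit}; intercepted code without verifier: #{stolen}"
end
```

Running the script prints true for the legitimate client and false for the intercepted code; the verifier is never sent to the authorization endpoint, so something that can see the browser redirect (a leaky referrer, a malicious app registered for the same custom scheme on a phone, a proxy log) still can't turn the code into tokens. Pkce.challenge_for reproduces the RFC 7636 Appendix B test vector, which is a quick way to check any other implementation you're wiring up.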
That's About It
And that's about it! I didn't expect any specific problem, since OIDC is a nice open standard and Domino's implementation hews very closely to best practices, but it's always nice to see things go smoothly in action.