From ef73fbbd457473a8fccacb27c423da2439f7b6ef Mon Sep 17 00:00:00 2001
From: Sheogorath <sheogorath@shivering-isles.com>
Date: Sat, 10 Feb 2024 01:12:24 +0100
Subject: [PATCH] docs(mastodon): Explain SSO enforcement

---
 docs/src/apps/mastodon.md | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/docs/src/apps/mastodon.md b/docs/src/apps/mastodon.md
index 8f9dce0c0..82774fc96 100644
--- a/docs/src/apps/mastodon.md
+++ b/docs/src/apps/mastodon.md
@@ -4,4 +4,10 @@ Mastodon is the Fediverse software run in the Shivering-Isles infrastructure. It
 
 <iframe src="https://www.youtube-nocookie.com/embed/IPSbNdBmWKE" frameborder="0" allow="autoplay; encrypted-media" allowfullscreen></iframe>
 
-The instance is currently deployed using a [helm chart](../charts/mastodon.md) maintained as part of the GitOps repository.
\ No newline at end of file
+The instance is currently deployed using a [helm chart](../charts/mastodon.md) maintained as part of the GitOps repository.
+
+## SSO Enforcement
+
+Since Mastodon itself has no configuration to enforce the presence of specific claims or roles, an oauth-proxy setup in front of the `/auth/` section preventing clients from reaching the callback URL for OIDC authentication, without passing through the oauth2-proxy which can enforce the presence of a role.
+
+While the result in a double redirect to OIDC, once by the oauth2-proxy and once by Mastodon itself, it makes sure that there is proper enforcement of the roles without requiring modification of Mastodon.
\ No newline at end of file
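Review bot: the first sentence of the new "SSO Enforcement" section has no main verb ("an oauth-proxy setup in front of the `/auth/` section preventing clients from reaching the callback URL ..."), and the second starts "While the result in a double redirect"; suggest "an oauth2-proxy is placed in front of the `/auth/` section, preventing clients from reaching the OIDC callback URL without passing through the proxy, which can enforce the presence of a role." and "While this results in a double redirect to OIDC, ...". The section also names the same component both "oauth-proxy" and "oauth2-proxy"; use one spelling. Since the text explains that enforcement happens only because `/auth/` is guarded, it would help readers to say which role is required and to link to where the oauth2-proxy configuration lives in the repository, so the enforcement can be verified rather than assumed. The edited file still ends without a trailing newline (the "\ No newline at end of file" marker applies to the new version as well).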
-- 
GitLab