Add OAuth2 docs

2023-11-25 12:41:01 +08:00 · 2023-11-25 12:41:01 +08:00 · d5bf3e5d1c
parent f2f629e3ee
commit d5bf3e5d1c
5 changed files with 60 additions and 7 deletions
--- a/README.md
+++ b/README.md
@ -54,8 +54,7 @@ it tries to authenticate against the specified LDAP server.
 - Admins can invite non ldap users directly (via email). Additionally (``link sharing`` of projects is possible).

 *Important:*
-Sharelatex/Overleaf uses the email address to identify users: If you change the email in the LDAP you have to update the corresponding field 
-in the mongo db.
+Sharelatex/Overleaf uses the email address to identify users: If you change the email in the LDAP/OAuth you have to update the corresponding field in the mongo db.

 ```
 docker exec -it mongo /bin/bash
@ -141,11 +140,47 @@ LDAP_CONTACTS: 'true'

 ### OAuth2 Configuration

-GitHub:
+```
+# Enable OAuth2
+OAUTH2_ENABLED: "true"
+
+# Provider name, optional
+OAUTH2_PROVIDER: YOUR_OAUTH2_PROVIDER
+
+# OAuth2 client configuration, 
+OAUTH2_CLIENT_ID: YOUR_OAUTH2_CLIENT_ID
+OAUTH2_CLIENT_SECRET: YOUR_OAUTH2_CLIENT_SECRET
+# Scope should at least include email
+OAUTH2_SCOPE: YOUR_OAUTH2_SCOPE
+
+# OAuth2 APIs
+# Redirect to OAuth 2.0 url
+OAUTH2_AUTHORIZATION_URL: YOUR_OAUTH2_AUTHORIZATION_URL
+# Content type of authorization request
+# One of ["application/x-www-form-urlencoded", "application/json"]
+# Default "application/x-www-form-urlencoded"
+OAUTH2_AUTHORIZATION_CONTENT_TYPE: "application/x-www-form-urlencoded"
+# Fetch access token api endpoint
+OAUTH2_TOKEN_URL: YOUR_OAUTH2_TOKEN_URL
+# Fetch user profile api endpoint
+OAUTH2_PROFILE_URL: YOUR_OAUTH2_PROFILE_URL
+
+# OAuth2 user attributes
+# User identity
+OAUTH2_USER_ATTR_EMAIL: email
+# User attributes, only used on the first login
+OAUTH2_USER_ATTR_UID: id
+OAUTH2_USER_ATTR_FIRSTNAME: name
+OAUTH2_USER_ATTR_LASTNAME:
+OAUTH2_USER_ATTR_IS_ADMIN: site_admin
+```
+
+Example configuration for GitHub:

 ```
 OAUTH2_ENABLED: "true"
 OAUTH2_PROVIDER: GitHub
+OAUTH2_AUTHORIZATION_CONTENT_TYPE: "application/x-www-form-urlencoded"
 OAUTH2_CLIENT_ID: YOUR_CLIENT_ID
 OAUTH2_CLIENT_SECRET: YOUR_CLIENT_SECRET
 OAUTH2_SCOPE: # the 'public' scope is sufficient for our needs, so we do not request any more 
@ -159,6 +194,24 @@ OAUTH2_USER_ATTR_LASTNAME:
 OAUTH2_USER_ATTR_IS_ADMIN: site_admin
 ```

+Example configuration for Authentik:
+
+```
+OAUTH2_ENABLED: "true"
+OAUTH2_PROVIDER: GitHub
+OAUTH2_AUTHORIZATION_CONTENT_TYPE: "application/x-www-form-urlencoded"
+OAUTH2_CLIENT_ID: "redacted"
+OAUTH2_CLIENT_SECRET: "redacted"
+OAUTH2_AUTHORIZATION_URL: "https://auth.redacted.domain/application/o/authorize/"
+OAUTH2_TOKEN_URL: "https://auth.redacted.domain/application/o/token/"
+OAUTH2_PROFILE_URL: "https://auth.redacted.domain/application/o/userinfo/"
+OAUTH2_USER_ATTR_EMAIL: "email"
+OAUTH2_USER_ATTR_UID: "email"
+OAUTH2_USER_ATTR_FIRSTNAME: "name"
+#to make it work one should create a custom scope first
+OAUTH2_USER_ATTR_IS_ADMIN: "is_admin"
+```
+
 ### Sharelatex Configuration

 Edit SHARELATEX_ environment variables in [docker-compose.traefik.yml](docker-compose.traefik.yml) or [docker-compose.certbot.yml](docker-compose.certbot.yml) to fit your local setup 
--- a/docker-compose.certbot.yml
+++ b/docker-compose.certbot.yml
@ -88,8 +88,8 @@ services:
      # OAUTH2_CLIENT_SECRET: YOUR_OAUTH2_CLIENT_SECRET
      # OAUTH2_SCOPE: YOUR_OAUTH2_SCOPE
      # OAUTH2_AUTHORIZATION_URL: YOUR_OAUTH2_AUTHORIZATION_URL
-      # OAUTH2_AUTHORIZATION_CONTENT_TYPE: # One of ['application/x-www-form-urlencoded', 'application/json']
      # OAUTH2_TOKEN_URL: YOUR_OAUTH2_TOKEN_URL
+      # OAUTH2_TOKEN_CONTENT_TYPE: # One of ['application/x-www-form-urlencoded', 'application/json']
      # OAUTH2_PROFILE_URL: YOUR_OAUTH2_PROFILE_URL
      # OAUTH2_USER_ATTR_EMAIL: email
      # OAUTH2_USER_ATTR_UID: id
--- a/docker-compose.traefik.yml
+++ b/docker-compose.traefik.yml
@ -169,8 +169,8 @@ services:
      # OAUTH2_CLIENT_SECRET: YOUR_OAUTH2_CLIENT_SECRET
      # OAUTH2_SCOPE: YOUR_OAUTH2_SCOPE
      # OAUTH2_AUTHORIZATION_URL: YOUR_OAUTH2_AUTHORIZATION_URL
-      # OAUTH2_AUTHORIZATION_CONTENT_TYPE: # One of ['application/x-www-form-urlencoded', 'application/json']
      # OAUTH2_TOKEN_URL: YOUR_OAUTH2_TOKEN_URL
+      # OAUTH2_TOKEN_CONTENT_TYPE: # One of ['application/x-www-form-urlencoded', 'application/json']
      # OAUTH2_PROFILE_URL: YOUR_OAUTH2_PROFILE_URL
      # OAUTH2_USER_ATTR_EMAIL: email
      # OAUTH2_USER_ATTR_UID: id
--- a/docker-compose.yml
+++ b/docker-compose.yml
@ -86,8 +86,8 @@ services:
      # OAUTH2_CLIENT_SECRET: YOUR_OAUTH2_CLIENT_SECRET
      # OAUTH2_SCOPE: YOUR_OAUTH2_SCOPE
      # OAUTH2_AUTHORIZATION_URL: YOUR_OAUTH2_AUTHORIZATION_URL
-      # OAUTH2_AUTHORIZATION_CONTENT_TYPE: # One of ['application/x-www-form-urlencoded', 'application/json']
      # OAUTH2_TOKEN_URL: YOUR_OAUTH2_TOKEN_URL
+      # OAUTH2_TOKEN_CONTENT_TYPE: # One of ['application/x-www-form-urlencoded', 'application/json']
      # OAUTH2_PROFILE_URL: YOUR_OAUTH2_PROFILE_URL
      # OAUTH2_USER_ATTR_EMAIL: email
      # OAUTH2_USER_ATTR_UID: id
--- a/ldap-overleaf-sl/sharelatex/AuthenticationController.js
+++ b/ldap-overleaf-sl/sharelatex/AuthenticationController.js
@ -300,7 +300,7 @@ const AuthenticationController = {
    }

    try {
-      const contentType = process.env.OAUTH2_AUTHORIZATION_CONTENT_TYPE || 'application/x-www-form-urlencoded'
+      const contentType = process.env.OAUTH2_TOKEN_CONTENT_TYPE || 'application/x-www-form-urlencoded'
      const bodyParams = {
        grant_type: "authorization_code",
        client_id: process.env.OAUTH2_CLIENT_ID,