From d5bf3e5d1c8111319d6c6271dad82b9358ba6bd2 Mon Sep 17 00:00:00 2001
From: yzx9
Date: Sat, 25 Nov 2023 12:41:01 +0800
Subject: [PATCH] Add OAuth2 docs
---
README.md | 59 ++++++++++++++++++-
docker-compose.certbot.yml | 2 +-
docker-compose.traefik.yml | 2 +-
docker-compose.yml | 2 +-
.../sharelatex/AuthenticationController.js | 2 +-
5 files changed, 60 insertions(+), 7 deletions(-)
diff --git a/README.md b/README.md
index 8cc92a8..6e83d49 100644
--- a/README.md
+++ b/README.md
@@ -54,8 +54,7 @@ it tries to authenticate against the specified LDAP server. - Admins can invite non ldap users directly (via email). Additionally (``link sharing`` of projects is possible). *Important:* -Sharelatex/Overleaf uses the email address to identify users: If you change the email in the LDAP you have to update the corresponding field -in the mongo db. +Sharelatex/Overleaf uses the email address to identify users: If you change the email in the LDAP/OAuth you have to update the corresponding field in the mongo db. ``` docker exec -it mongo /bin/bash
@@ -141,11 +140,47 @@ LDAP_CONTACTS: 'true' ### OAuth2 Configuration -GitHub: +``` +# Enable OAuth2 +OAUTH2_ENABLED: "true" + +# Provider name, optional +OAUTH2_PROVIDER: YOUR_OAUTH2_PROVIDER + +# OAuth2 client configuration, +OAUTH2_CLIENT_ID: YOUR_OAUTH2_CLIENT_ID +OAUTH2_CLIENT_SECRET: YOUR_OAUTH2_CLIENT_SECRET +# Scope should at least include email +OAUTH2_SCOPE: YOUR_OAUTH2_SCOPE + +# OAuth2 APIs +# Redirect to OAuth 2.0 url +OAUTH2_AUTHORIZATION_URL: YOUR_OAUTH2_AUTHORIZATION_URL +# Content type of authorization request +# One of ["application/x-www-form-urlencoded", "application/json"] +# Default "application/x-www-form-urlencoded" +OAUTH2_AUTHORIZATION_CONTENT_TYPE: "application/x-www-form-urlencoded" +# Fetch access token api endpoint +OAUTH2_TOKEN_URL: YOUR_OAUTH2_TOKEN_URL +# Fetch user profile api endpoint +OAUTH2_PROFILE_URL: YOUR_OAUTH2_PROFILE_URL + +# OAuth2 user attributes +# User identity +OAUTH2_USER_ATTR_EMAIL: email +# User attributes, only used on the first login +OAUTH2_USER_ATTR_UID: id +OAUTH2_USER_ATTR_FIRSTNAME: name +OAUTH2_USER_ATTR_LASTNAME: +OAUTH2_USER_ATTR_IS_ADMIN: site_admin +``` + +Example configuration for GitHub: ``` OAUTH2_ENABLED: "true" OAUTH2_PROVIDER: GitHub +OAUTH2_AUTHORIZATION_CONTENT_TYPE: "application/x-www-form-urlencoded" OAUTH2_CLIENT_ID: YOUR_CLIENT_ID OAUTH2_CLIENT_SECRET: YOUR_CLIENT_SECRET OAUTH2_SCOPE: # the 'public' scope is sufficient for our needs, so we do not request any more 
@@ -159,6 +194,24 @@ OAUTH2_USER_ATTR_LASTNAME: OAUTH2_USER_ATTR_IS_ADMIN: site_admin ``` +Example configuration for Authentik: + +``` +OAUTH2_ENABLED: "true" +OAUTH2_PROVIDER: GitHub +OAUTH2_AUTHORIZATION_CONTENT_TYPE: "application/x-www-form-urlencoded" +OAUTH2_CLIENT_ID: "redacted" +OAUTH2_CLIENT_SECRET: "redacted" +OAUTH2_AUTHORIZATION_URL: "https://auth.redacted.domain/application/o/authorize/" +OAUTH2_TOKEN_URL: "https://auth.redacted.domain/application/o/token/" +OAUTH2_PROFILE_URL: "https://auth.redacted.domain/application/o/userinfo/" +OAUTH2_USER_ATTR_EMAIL: "email" +OAUTH2_USER_ATTR_UID: "email" +OAUTH2_USER_ATTR_FIRSTNAME: "name" +#to make it work one should create a custom scope first +OAUTH2_USER_ATTR_IS_ADMIN: "is_admin" +``` + ### Sharelatex Configuration Edit SHARELATEX_ environment variables in [docker-compose.traefik.yml](docker-compose.traefik.yml) or [docker-compose.certbot.yml](docker-compose.certbot.yml) to fit your local setup
diff --git a/docker-compose.certbot.yml b/docker-compose.certbot.yml
index b08ee8f..4fc6365 100644
--- a/docker-compose.certbot.yml
+++ b/docker-compose.certbot.yml
@@ -88,8 +88,8 @@ services:
 # OAUTH2_CLIENT_SECRET: YOUR_OAUTH2_CLIENT_SECRET
 # OAUTH2_SCOPE: YOUR_OAUTH2_SCOPE
 # OAUTH2_AUTHORIZATION_URL: YOUR_OAUTH2_AUTHORIZATION_URL
- # OAUTH2_AUTHORIZATION_CONTENT_TYPE: # One of ['application/x-www-form-urlencoded', 'application/json']
 # OAUTH2_TOKEN_URL: YOUR_OAUTH2_TOKEN_URL
+ # OAUTH2_TOKEN_CONTENT_TYPE: # One of ['application/x-www-form-urlencoded', 'application/json']
 # OAUTH2_PROFILE_URL: YOUR_OAUTH2_PROFILE_URL
 # OAUTH2_USER_ATTR_EMAIL: email
 # OAUTH2_USER_ATTR_UID: id
diff --git a/docker-compose.traefik.yml b/docker-compose.traefik.yml
index 22a96f0..7ec5fb6 100644
--- a/docker-compose.traefik.yml
+++ b/docker-compose.traefik.yml
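Review bot: The variable this hunk introduces, `OAUTH2_TOKEN_CONTENT_TYPE`, is not the one the README in this same commit documents: the new general block, the GitHub example and the Authentik example all still say `OAUTH2_AUTHORIZATION_CONTENT_TYPE`, which after the AuthenticationController.js change is no longer read anywhere. An operator who copies the README example therefore sets a dead variable and the token-exchange request silently falls back to `application/x-www-form-urlencoded` via the `||` default, so a provider that expects JSON would presumably fail with no hint as to why. The same mismatch applies to the matching hunks in docker-compose.traefik.yml and docker-compose.yml. The compose comment should also say what the value applies to, e.g. `# OAUTH2_TOKEN_CONTENT_TYPE: # Content type of the token request; one of ['application/x-www-form-urlencoded', 'application/json']`, and the README examples should be renamed to match.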
@@ -169,8 +169,8 @@ services:
 # OAUTH2_CLIENT_SECRET: YOUR_OAUTH2_CLIENT_SECRET
 # OAUTH2_SCOPE: YOUR_OAUTH2_SCOPE
 # OAUTH2_AUTHORIZATION_URL: YOUR_OAUTH2_AUTHORIZATION_URL
- # OAUTH2_AUTHORIZATION_CONTENT_TYPE: # One of ['application/x-www-form-urlencoded', 'application/json']
 # OAUTH2_TOKEN_URL: YOUR_OAUTH2_TOKEN_URL
+ # OAUTH2_TOKEN_CONTENT_TYPE: # One of ['application/x-www-form-urlencoded', 'application/json']
 # OAUTH2_PROFILE_URL: YOUR_OAUTH2_PROFILE_URL
 # OAUTH2_USER_ATTR_EMAIL: email
 # OAUTH2_USER_ATTR_UID: id
diff --git a/docker-compose.yml b/docker-compose.yml
index d7a6b5c..123f84a 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -86,8 +86,8 @@ services:
 # OAUTH2_CLIENT_SECRET: YOUR_OAUTH2_CLIENT_SECRET
 # OAUTH2_SCOPE: YOUR_OAUTH2_SCOPE
 # OAUTH2_AUTHORIZATION_URL: YOUR_OAUTH2_AUTHORIZATION_URL
- # OAUTH2_AUTHORIZATION_CONTENT_TYPE: # One of ['application/x-www-form-urlencoded', 'application/json']
 # OAUTH2_TOKEN_URL: YOUR_OAUTH2_TOKEN_URL
+ # OAUTH2_TOKEN_CONTENT_TYPE: # One of ['application/x-www-form-urlencoded', 'application/json']
 # OAUTH2_PROFILE_URL: YOUR_OAUTH2_PROFILE_URL
 # OAUTH2_USER_ATTR_EMAIL: email
 # OAUTH2_USER_ATTR_UID: id
diff --git a/ldap-overleaf-sl/sharelatex/AuthenticationController.js b/ldap-overleaf-sl/sharelatex/AuthenticationController.js
index 28b6960..96c878a 100644
--- a/ldap-overleaf-sl/sharelatex/AuthenticationController.js
+++ b/ldap-overleaf-sl/sharelatex/AuthenticationController.js
@@ -300,7 +300,7 @@ const AuthenticationController = {
 }
 try {
- const contentType = process.env.OAUTH2_AUTHORIZATION_CONTENT_TYPE || 'application/x-www-form-urlencoded'
+ const contentType = process.env.OAUTH2_TOKEN_CONTENT_TYPE || 'application/x-www-form-urlencoded'
 const bodyParams = {
 grant_type: "authorization_code",
 client_id: process.env.OAUTH2_CLIENT_ID,