Add OAuth2 docs

README.md

@@ -54,8 +54,7 @@ it tries to authenticate against the specified LDAP server.
 - Admins can invite non ldap users directly (via email). Additionally (``link sharing`` of projects is possible).
 
 *Important:*
-Sharelatex/Overleaf uses the email address to identify users: If you change the email in the LDAP you have to update the corresponding field 
+Sharelatex/Overleaf uses the email address to identify users: If you change the email in the LDAP/OAuth you have to update the corresponding field in the mongo db.
-in the mongo db.
 
 ```
 docker exec -it mongo /bin/bash
@@ -141,11 +140,47 @@ LDAP_CONTACTS: 'true'
 
 ### OAuth2 Configuration
 
-GitHub:
+```
+# Enable OAuth2
+OAUTH2_ENABLED: "true"
+
+# Provider name, optional
+OAUTH2_PROVIDER: YOUR_OAUTH2_PROVIDER
+
+# OAuth2 client configuration, 
+OAUTH2_CLIENT_ID: YOUR_OAUTH2_CLIENT_ID
+OAUTH2_CLIENT_SECRET: YOUR_OAUTH2_CLIENT_SECRET
+# Scope should at least include email
+OAUTH2_SCOPE: YOUR_OAUTH2_SCOPE
+
+# OAuth2 APIs
+# Redirect to OAuth 2.0 url
+OAUTH2_AUTHORIZATION_URL: YOUR_OAUTH2_AUTHORIZATION_URL
+# Content type of authorization request
+# One of ["application/x-www-form-urlencoded", "application/json"]
+# Default "application/x-www-form-urlencoded"
+OAUTH2_AUTHORIZATION_CONTENT_TYPE: "application/x-www-form-urlencoded"
+# Fetch access token api endpoint
+OAUTH2_TOKEN_URL: YOUR_OAUTH2_TOKEN_URL
+# Fetch user profile api endpoint
+OAUTH2_PROFILE_URL: YOUR_OAUTH2_PROFILE_URL
+
+# OAuth2 user attributes
+# User identity
+OAUTH2_USER_ATTR_EMAIL: email
+# User attributes, only used on the first login
+OAUTH2_USER_ATTR_UID: id
+OAUTH2_USER_ATTR_FIRSTNAME: name
+OAUTH2_USER_ATTR_LASTNAME:
+OAUTH2_USER_ATTR_IS_ADMIN: site_admin
+```
+
+Example configuration for GitHub:
 
 ```
 OAUTH2_ENABLED: "true"
 OAUTH2_PROVIDER: GitHub
+OAUTH2_AUTHORIZATION_CONTENT_TYPE: "application/x-www-form-urlencoded"
 OAUTH2_CLIENT_ID: YOUR_CLIENT_ID
 OAUTH2_CLIENT_SECRET: YOUR_CLIENT_SECRET
 OAUTH2_SCOPE: # the 'public' scope is sufficient for our needs, so we do not request any more 
@@ -159,6 +194,24 @@ OAUTH2_USER_ATTR_LASTNAME:
 OAUTH2_USER_ATTR_IS_ADMIN: site_admin
 ```
 
+Example configuration for Authentik:
+
+```
+OAUTH2_ENABLED: "true"
+OAUTH2_PROVIDER: GitHub
+OAUTH2_AUTHORIZATION_CONTENT_TYPE: "application/x-www-form-urlencoded"
+OAUTH2_CLIENT_ID: "redacted"
+OAUTH2_CLIENT_SECRET: "redacted"
+OAUTH2_AUTHORIZATION_URL: "https://auth.redacted.domain/application/o/authorize/"
+OAUTH2_TOKEN_URL: "https://auth.redacted.domain/application/o/token/"
+OAUTH2_PROFILE_URL: "https://auth.redacted.domain/application/o/userinfo/"
+OAUTH2_USER_ATTR_EMAIL: "email"
+OAUTH2_USER_ATTR_UID: "email"
+OAUTH2_USER_ATTR_FIRSTNAME: "name"
+#to make it work one should create a custom scope first
+OAUTH2_USER_ATTR_IS_ADMIN: "is_admin"
+```
+
 ### Sharelatex Configuration
 
 Edit SHARELATEX_ environment variables in [docker-compose.traefik.yml](docker-compose.traefik.yml) or [docker-compose.certbot.yml](docker-compose.certbot.yml) to fit your local setup 

docker-compose.certbot.yml

@@ -88,8 +88,8 @@ services:
       # OAUTH2_CLIENT_SECRET: YOUR_OAUTH2_CLIENT_SECRET
       # OAUTH2_SCOPE: YOUR_OAUTH2_SCOPE
       # OAUTH2_AUTHORIZATION_URL: YOUR_OAUTH2_AUTHORIZATION_URL
-      # OAUTH2_AUTHORIZATION_CONTENT_TYPE: # One of ['application/x-www-form-urlencoded', 'application/json']
       # OAUTH2_TOKEN_URL: YOUR_OAUTH2_TOKEN_URL
+      # OAUTH2_TOKEN_CONTENT_TYPE: # One of ['application/x-www-form-urlencoded', 'application/json']
       # OAUTH2_PROFILE_URL: YOUR_OAUTH2_PROFILE_URL
       # OAUTH2_USER_ATTR_EMAIL: email
       # OAUTH2_USER_ATTR_UID: id

docker-compose.traefik.yml

@@ -169,8 +169,8 @@ services:
       # OAUTH2_CLIENT_SECRET: YOUR_OAUTH2_CLIENT_SECRET
       # OAUTH2_SCOPE: YOUR_OAUTH2_SCOPE
       # OAUTH2_AUTHORIZATION_URL: YOUR_OAUTH2_AUTHORIZATION_URL
-      # OAUTH2_AUTHORIZATION_CONTENT_TYPE: # One of ['application/x-www-form-urlencoded', 'application/json']
       # OAUTH2_TOKEN_URL: YOUR_OAUTH2_TOKEN_URL
+      # OAUTH2_TOKEN_CONTENT_TYPE: # One of ['application/x-www-form-urlencoded', 'application/json']
       # OAUTH2_PROFILE_URL: YOUR_OAUTH2_PROFILE_URL
       # OAUTH2_USER_ATTR_EMAIL: email
       # OAUTH2_USER_ATTR_UID: id

docker-compose.yml

@@ -86,8 +86,8 @@ services:
       # OAUTH2_CLIENT_SECRET: YOUR_OAUTH2_CLIENT_SECRET
       # OAUTH2_SCOPE: YOUR_OAUTH2_SCOPE
       # OAUTH2_AUTHORIZATION_URL: YOUR_OAUTH2_AUTHORIZATION_URL
-      # OAUTH2_AUTHORIZATION_CONTENT_TYPE: # One of ['application/x-www-form-urlencoded', 'application/json']
       # OAUTH2_TOKEN_URL: YOUR_OAUTH2_TOKEN_URL
+      # OAUTH2_TOKEN_CONTENT_TYPE: # One of ['application/x-www-form-urlencoded', 'application/json']
       # OAUTH2_PROFILE_URL: YOUR_OAUTH2_PROFILE_URL
       # OAUTH2_USER_ATTR_EMAIL: email
       # OAUTH2_USER_ATTR_UID: id

ldap-overleaf-sl/sharelatex/AuthenticationController.js

@@ -300,7 +300,7 @@ const AuthenticationController = {
     }
 
     try {
-      const contentType = process.env.OAUTH2_AUTHORIZATION_CONTENT_TYPE || 'application/x-www-form-urlencoded'
+      const contentType = process.env.OAUTH2_TOKEN_CONTENT_TYPE || 'application/x-www-form-urlencoded'
       const bodyParams = {
         grant_type: "authorization_code",
         client_id: process.env.OAUTH2_CLIENT_ID,