oauth2.adoc 4.7 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106
  1. [#oauth2]
  2. = OAuth2
  3. include::partial$earlydoc.adoc[]
  4. OliveTin supports OAuth2 for login with any OAuth2 compliant provider.
  5. At the moment, username fetching is only supported on GitHub. More will be added soon, probably with the addition of OpenID Connect support.
  6. ```yaml
  7. authOAuth2RedirectUrl: http://localhost:1337/oauth/callback
  8. authOAuth2Providers:
  9. github:
  10. clientId: 1234567890
  11. clientSecret: 1234567890
  12. ```
  13. == Provider configuration
  14. * `name` - a "simple name" for the provider, used in the login redirect and internally in OliveTin, e.g. `github`
  15. * `title` - the human-readable name of the provider, e.g. `GitHub`
  16. * `clientId` - the client ID provided by the OAuth2 provider
  17. * `clientSecret` - the client secret provided by the OAuth2 provider
  18. * `icon` - the icon to use for the provider. Accepts any HTML, e.g. `<iconify-icon icon="simple-icons:authentik"></iconify-icon>`
  19. * `scopes` - a list of scopes to request.
  20. * `authUrl` - the URL to redirect to for authentication
  21. * `tokenUrl` - the URL to exchange the code for a token
  22. * `whoamiUrl` - the URL to fetch user information from
  23. * `usernameField` - the field in the user information response to use as the username
  24. * `userGroupField` - the field in the user information response to use as the group. This is a string containing one group name, e.g. `olivetin_group`
  25. * `addToUsergroup` - a group name to add to every user who logs in via this provider. If the user already has a usergroup (e.g. from `userGroupField`), this value is appended to it; otherwise it becomes the user's usergroup. Useful for giving all users from this provider a common group for ACLs, e.g. `addToUsergroup: github`
  26. * `certBundlePath` - the path to a certificate to add to the truststore for authentication requests, e.g. `/certs/internal.crt`
  27. * `insecureSkipVerify` - a boolean to disable certificate verfication
  28. * `connectTimeout` - an integer for seconds until the request will timeout, e.g. `10`
  29. == Built-in providers (`name`)
  30. OliveTin comes with a few built-in providers for convenience. If you are using one of these with a `name`, then you don't need to specify the various URLs, scopes, icon, usernameField, etc. It will be automatically configured for you. You will still need to provide the client ID and client secret.
  31. * `github` - GitHub
  32. * `google` - Google
  33. == AddToUsergroup examples
  34. The `addToUsergroup` option assigns a group to every user who signs in through that OAuth2 provider. You can use it alone, or together with `userGroupField`, so that all users from the provider share a common group for ACLs (e.g. "everyone from GitHub") while still keeping provider-specific groups when available.
  35. === When the provider does not return a group
  36. Some providers (e.g. Google with standard Gmail accounts) do not return a group claim. Users logging in through them get no group, so they do not match any ACLs and end up with no permissions or visible actions. Use `addToUsergroup` to give every user from that provider a default group such as `guest`:
  37. ```yaml
  38. authOAuth2Providers:
  39. google:
  40. clientId: your-client-id
  41. clientSecret: your-client-secret
  42. addToUsergroup: guest
  43. ```
  44. Then ensure an ACL matches that group, for example `matchUsergroups: ["guest"]`, so those users get the intended access.
  45. === All users from a provider in one group
  46. Give every user who logs in via GitHub the group `github` so you can target them in ACLs:
  47. ```yaml
  48. authOAuth2Providers:
  49. github:
  50. clientId: your-client-id
  51. clientSecret: your-client-secret
  52. addToUsergroup: github
  53. ```
  54. Then in your actions you can restrict access with `allowedUserGroups: ["github"]`.
  55. === Combining with userGroupField
  56. If your provider returns a group (e.g. from GitHub org/team or an IdP), use both `userGroupField` and `addToUsergroup`. The provider group is used as the user's group, and `addToUsergroup` is appended so the user belongs to both:
  57. ```yaml
  58. authOAuth2Providers:
  59. github:
  60. clientId: your-client-id
  61. clientSecret: your-client-secret
  62. userGroupField: olivetin_group
  63. addToUsergroup: github
  64. ```
  65. A user with `olivetin_group: admins` will end up in groups `admins` and `github`; a user with no group will get only `github`.
  66. === Multiple providers, shared and per-provider groups
  67. Use different `addToUsergroup` values per provider so you can allow "all OAuth users" or "only GitHub" / "only Google":
  68. ```yaml
  69. authOAuth2Providers:
  70. github:
  71. clientId: github-client-id
  72. clientSecret: github-client-secret
  73. addToUsergroup: github
  74. google:
  75. clientId: google-client-id
  76. clientSecret: google-client-secret
  77. addToUsergroup: google
  78. ```
  79. Then use ACLs such as `allowedUserGroups: ["github"]` for GitHub-only actions or `allowedUserGroups: ["github", "google"]` for any OAuth user.