- Sponsor
-
Notifications
You must be signed in to change notification settings - Fork 29
Providers
This page documents the setup at the OIDC provider.
Expand
- Sign in to your admin account on the tenant.
- Navigate to the App registrations page in the Azure AD admin center.
- Click on the
New registration
button to start the process of registering a new application. - Enter a unique name for your application in the
Name
field. - In the
Supported account types
section, select the appropriate option based on your requirements. If unsure, leave the default value selected. - For the
Redirect URI
, selectWeb
from the dropdown menu and input the public endpoint of youropenvpn-auth-oauth2
instance. For example,https://openvpn-auth-oauth2.example.com/oauth2/callback
. - Click on the
Register
button to create the application. - Once the application is created, navigate to the
Certificates & secrets
section on the left-hand side menu. - In the
Client secrets
tab, click onNew client secret
to generate a new secret for your application. - Copy the generated client secret. This will be used as a configuration option for
openvpn-auth-oauth2
. - Navigate to the
Token configuration
section on the left-hand side menu. - Click on
Add optional claim
to add a new claim to your tokens. - In the right panel, select
ID
as the token type. - From the list of available claims, select
ipaddr
. - Click on
Add
to include this claim in your tokens.
References:
- https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app
- https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-optional-claims
env/sysconfig configuration |
CONFIG_OAUTH2_ISSUER=https://login.microsoftonline.com/$TENANT_ID/v2.0
CONFIG_OAUTH2_CLIENT_ID=<client_id>
CONFIG_OAUTH2_CLIENT_SECRET=<client_secret>
# The scopes openid profile are required, but configured by default.
# offline_access is required for non-interactive session refresh.
# CONFIG_OAUTH2_SCOPES=openid profile offline_access |
yaml configuration |
oauth2:
issuer: "https://login.microsoftonline.com/$TENANT_ID/v2.0"
client:
id: "<client_id>"
secret: "<client_secret>"
# The scopes openid profile are required, but configured by default.
# offline_access is required for non-interactive session refresh.
#scopes:
# - "openid"
# - "profile"
# - "offline_access"
|
Restrict login based on groups can be configured inside the App Registration directly. This is preferred. Users get the notice from Azure that they aren’t part of the group, and the login is denied.
How require multiple groups, check you could define CONFIG_OAUTH2_VALIDATE_GROUPS
.
Expand
- Login as admin into your Google console.
- In the project Dashboard center pane, choose "APIs & Services".
- If necessary, complete the
OAuth consent screen
wizard. You will probably want to create anInternal
application.- If you reuse an existing application, your users may already have given consent for the usage of this application, which may not include refresh tokens.
- In the left Nav pane, choose "Credentials".
- In the center pane, choose "OAuth consent screen" tab. Fill in "Product name shown to users" and hit save.
- In the center pane, choose "Credentials" tab.
- Open the "New credentials"** drop down
- Choose "OAuth client ID"
- Choose "Web application"
- Application name is freeform, choose something appropriate
- Authorized redirect URIs is the location of oauth2/callback ex: https://yourdomain:9000/oauth2/callback
- Choose "Create"
- Take note of the Client ID and Client Secret.
- Navigate to the Google Cloud Identity API page and click on the "Enable API" button.
- Access the Google Admin Portal and locate the group that is required for the
openvpn-auth-oauth2
authorization. - The URL of the group page should follow this pattern:
https://admin.google.com/ac/groups/<ID>
. Replace<ID>
with the actual ID of the group. Make sure to copy this ID for future use. If there are multiple groups, repeat this step for each one. - Insert the copied ID(s) into the
CONFIG_OAUTH2_VALIDATE_GROUPS
configuration setting in youropenvpn-auth-oauth2
setup. -
Optional: If oauth2 scopes are set in the configuration, the
https://www.googleapis.com/auth/cloud-identity.groups.readonly
scope is required for group validation.
Set the following variables in your openvpn-auth-oauth2 configuration file:
env/sysconfig configuration |
CONFIG_OAUTH2_PROVIDER=google
CONFIG_OAUTH2_ISSUER=https://accounts.google.com
CONFIG_OAUTH2_CLIENT_ID=162738495-xxxxx.apps.googleusercontent.com
CONFIG_OAUTH2_CLIENT_SECRET=GOCSPX-xxxxxxxx
# The scopes openid profile email are required, but configured by default.
# https://www.googleapis.com/auth/cloud-identity.groups.readonly is mandatory for group validation.
# Enabled by default, if scopes aren't set in the config.
#CONFIG_OAUTH2_SCOPES=openid profile email https://www.googleapis.com/auth/cloud-identity.groups.readonly
#CONFIG_OAUTH2_VALIDATE_GROUPS=03x8tuzt3hqdv5v |
yaml configuration |
oauth2:
provider: "google"
issuer: "https://accounts.google.com"
client:
id: "162738495-xxxxx.apps.googleusercontent.com"
secret: "GOCSPX-xxxxxxxx"
# The scopes openid profile email are required, but configured by default.
# https://www.googleapis.com/auth/cloud-identity.groups.readonly is mandatory for group validation.
# Enabled by default, if scopes aren't set in the config.
#scopes:
# - "openid"
# - "profile"
# - "email"
# - "https://www.googleapis.com/auth/cloud-identity.groups.readonly"
validate:
groups:
- "03x8tuzt3hqdv5v" |
If oauth2.refresh.enabled
is set to true
, Google SSO will always ask for permission grant. On technical side,
this is because the approval_prompt=force
is set on URL to obtain a refresh token. openvpn-auth-oauth2 requires a
refresh token to validate the user on re-auth.
To avoid this, you can set oauth2.refresh.validate-user
to false
. Read more about this in the Configuration page.
Expand
- Sign in to your admin account on the Keycloak admin console.
- Choose an existing realm or create a new one.
- Create a new client:
- Set the Client ID as
openvpn-auth-oauth2
. - Set the Client Type as
OpenID Connect
. - Name the client as
openvpn-auth-oauth2
.
- Set the Client ID as
- In the capability configuration page, enable 'Client authentication' and 'Standard flow' for the Authentication flow. Make sure 'Authorization' is turned off.
- In the login settings page, set the following values:
- Root URL:
https://openvpn-auth-oauth2.example.com
- Valid Redirect URIs:
https://openvpn-auth-oauth2.example.com/oauth2/callback
- Web Origins:
https://openvpn-auth-oauth2.example.com
- Click 'Save'.
- Root URL:
- Navigate to the 'Credentials' tab and note down the Client ID and Client Secret.
Set the following variables in your openvpn-auth-oauth2
configuration file:
env/sysconfig configuration |
CONFIG_OAUTH2_ISSUER=https://<keycloak-domain>/auth/realms/<realm-name>
CONFIG_OAUTH2_CLIENT_ID=<client_id>
CONFIG_OAUTH2_CLIENT_SECRET=<client_secret>
# The scopes openid profile are required, but configured by default.
# offline_access is required for non-interactive session refresh.
# CONFIG_OAUTH2_SCOPES=openid profile offline_access |
yaml configuration |
oauth2:
issuer: "https://<keycloak-domain>/auth/realms/<realm-name>"
client:
id: "<client_id>"
secret: "<client_secret>"
# The scopes openid profile are required, but configured by default.
# offline_access is required for non-interactive session refresh.
#scopes:
# - "openid"
# - "profile"
# - "offline_access"
|
openvpn-auth-oauth2 expects roles to be passed in the roles
claim of the JWT token.
If you are using Keycloak, you can map the roles to the roles
claim in the token. To do this, follow these steps:
- Sign in to your admin account on the Keycloak admin console.
- On the left-hand side menu, navigate to
Client scopes
. - Click on
Roles
. - In the
Mappers
tab, selectclient roles
. - Set
Token Claim Name
fromresource_access.${client_id}.roles
toroles
- Set
Add to ID token
toON
- Click
Save
- In the
Mappers
tab, selectrealm roles
. - Set
Token Claim Name
fromresource_access.${client_id}.roles
toroles
- Set
Add to ID token
toON
- Click
Save
Currently, there is no known configuration to enrich the token with the client's IP address in Keycloak. If you know how to do this, please contribute to the documentation.
Expand
A user must explicitly request an organization give openvpn-auth-oauth2 resource access. openvpn-auth-oauth2 will not have the correct permissions to determine if the user is in that organization otherwise, and the user will not be able to log in. This request mechanism is a feature of the GitHub API.
In GitHub, register a new application. The callback address should be the /oauth2/callback endpoint of your openvpn-auth-oauth2 URL (e.g. https://login.example.com/oauth2/callback).
After registering the app, you will receive an OAuth2 client ID and secret. These values will be inputted into the configuration below.
env/sysconfig configuration |
CONFIG_OAUTH2_PROVIDER=github
CONFIG_OAUTH2_ISSUER=https://github.com
CONFIG_OAUTH2_CLIENT_ID=<client_id>
CONFIG_OAUTH2_CLIENT_SECRET=<client_secret>
CONFIG_OAUTH2_VALIDATE_GROUPS=your_github_org_name
CONFIG_OAUTH2_VALIDATE_ROLES=your_github_org_name:team_name |
yaml configuration |
oauth2:
provider: "github"
issuer: "https://github.com"
client:
id: "<client_id>"
secret: "<client_secret>"
validate:
groups: "your_github_org_name"
roles: "your_github_org_name:team_name" |
Expand
Developers must register their application to use OAuth. A registered application is assigned a client ID and client secret. The client secret should be kept confidential, and only used between the application and the DigitalOcean authorization server https://cloud.digitalocean.com/v1/oauth.
env/sysconfig configuration |
CONFIG_OAUTH2_ISSUER=https://cloud.digitalocean.com/
CONFIG_OAUTH2_SCOPES=read
CONFIG_OAUTH2_CLIENT_ID=<client_id>
CONFIG_OAUTH2_CLIENT_SECRET=<client_secret>
CONFIG_OAUTH2_ENDPOINT_TOKEN=https://cloud.digitalocean.com/v1/oauth/token
CONFIG_OAUTH2_ENDPOINT_AUTH=https://cloud.digitalocean.com/v1/oauth/authorize |
yaml configuration |
oauth2:
issuer: "https://cloud.digitalocean.com/"
scopes:
- "read"
client:
id: "<client_id>"
secret: "<client_secret>"
endpoints:
token: "https://cloud.digitalocean.com/v1/oauth/token"
auth: "https://cloud.digitalocean.com/v1/oauth/authorize" |
Expand
- Create a project in Zitadel
- Create a new application in a project
- Enter name and choose a web type
- Authentication method: POST
- Redirect URL: http://:9000/oauth2/callback
- Save Client ID and Client Secret to use below
After creating application, on page URLs you can find all links that you need.
env/sysconfig configuration |
CONFIG_OAUTH2_ISSUER=https://company.zitadel.cloud
CONFIG_OAUTH2_CLIENT_ID=<client_id>
CONFIG_OAUTH2_CLIENT_SECRET=<client_secret>
# The scopes openid profile email are required, but configured by default.
# offline_access is required for non-interactive session refresh.
#CONFIG_OAUTH2_SCOPES=openid profile email offline_access |
yaml configuration |
oauth2:
issuer: "https://company.zitadel.cloud"
client:
id: "<client_id>"
secret: "<client_secret>"
# The scopes openid profile are required, but configured by default.
# offline_access is required for non-interactive session refresh.
#scopes:
# - "openid"
# - "profile"
# - "email"
# - "offline_access" |
This wiki is synced with the docs
folder from the code repository! To improve the wiki, create a pull request against the code repository with the suggested changes.