diff --git a/OpenID-Connect----OAuth2.md b/OpenID-Connect----OAuth2.md index 5781264..0ac5d94 100644 --- a/OpenID-Connect----OAuth2.md +++ b/OpenID-Connect----OAuth2.md @@ -1,4 +1,4 @@ -EGroupware 19.1+ comes with an OpenID Connect / OAuth2 server integrated. +### EGroupware 19.1+ comes with an OpenID Connect / OAuth2 server integrated This page describes how to authenticate and (optionally) integrate other applications using it. 
@@ -9,3 +9,61 @@ This page describes how to authenticate and (optionally) integrate other applica * User information: https://example.org/egroupware/openid/endpoint.php/userinfo * Public key: https://example.org/egroupware/openid/endpoint.php/jwks > Replace example.org with the full qualified domain-name your EGroupware server uses. + +### Supported Grants: +* Authorization Code: user authorized access and get auth-code, server requests access-token via backchannel +* Refresh Token: token to refresh access-token after it's expired +* Client Credentials: server requests access-token without further authorization +* Implicit: user authorized access and get access-token and auth-code, server requests own access-token via backchannel +* Password: other server checks username/password of EGroupware user (not recommended any more, as other server gets the password!) + +### Client configuration in EGroupware +> Go to: Admin > Applications > OpenID / OAuth2 server > Clients + +### Configuration of tested clients + +#### Rocket.Chat custom OAuth configuration + +Install Rocket.Chat eg. via [docker-compose](https://rocket.chat/docs/installation/docker-containers/docker-compose/). + +You need to create a Client-Identifier and -Secret via Admin >> OpenID / OAuth2 server >> Clients with the following grants: +* Authorization Code +* Refresh Token +* Implicit + +Then head in the Rocket.Chat Administration down to OAuth and click [Add custom oauth], give it a name eg. 
"EGroupware" and add the following values: +``` +Enable: True +URL: https://example.org/egroupware/openid/endpoint.php +Token Path: /access_token +Token Send Via: Payload +Identity Token Send Via: Header +Identity Path: /userinfo +Authorize Path: /authorize +Scope: openid email profile roles +Param Name for access token: access_token +Id: +Secret: +Login Style: Redirect +Button Text: EGroupware users click here +Username field: id +Name field: name +Avatar field: picture +Roles/Groups field name: roles +Merge roles from SSO: True (currently role got lost when rocketchat/status app login to RC api!) +Merge Users: True +``` +Then click on [Save changes] to activate login and user creation through EGroupware. + +(If Rocket.Chat runs in Docker on a Mac and EGroupware directly on the Mac, use "docker.for.mac.localhost" as hostname, as it is different from localhost!) + +If you only want users from EGroupware and no free registration with local passwords, go to Adminstration >> Accounts and set: +``` +Show Default Login Form: False +``` + +### Troubleshooting +* Enable request log under: Admin > Applications > OpenID / OAuth2 server > Request log +> While the log does not record passwords, it contains the issued token and should not left running! +* Free support via [EGroupware Forum](https://help.egroupware.org/) where users help other users and EGroupware GmbH supporters also help to a certain extend +* [EGroupware GmbH offers payed support](https://www.egroupware.org/egroupware-support/) including our OpenID Connect and OAuth2 server
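Review bot: the new `###` heading in the first hunk is a full sentence ("EGroupware 19.1+ comes with an OpenID Connect / OAuth2 server integrated") and it is the first heading in the file while already sitting at level three, with "This page describes how to authenticate ..." left dangling right after it. A short title such as `### OpenID Connect / OAuth2 server` with the original sentence kept as body text would read better and keep the levels consistent with the `###` and `####` sections the second hunk adds.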
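Review bot: in the Rocket.Chat section the client is created with the Implicit grant in addition to Authorization Code and Refresh Token, but the settings block that follows (`Authorize Path: /authorize`, `Token Path: /access_token`, `Token Send Via: Payload`) describes the authorization-code flow with the token request made over the back channel, so Implicit looks unused; either drop it from the client's grants so the client is limited to the flows it actually needs, or say why Rocket.Chat requires it. Related: the Implicit entry in "Supported Grants" ("user authorized access and get access-token and auth-code, server requests own access-token via backchannel") describes a mix of implicit and code flow and should be reworded, `Id:` and `Secret:` in the settings block are left blank without stating that they take the Client-Identifier and -Secret created in the previous step, and the bracketed remark on "Merge roles from SSO" ("currently role got lost when rocketchat/status app login to RC api!") is hard to follow and should spell out which login loses the roles. Minor wording in the added lines: "user authorized access and get auth-code" should be "user authorizes access and gets an auth-code", "Adminstration" should be "Administration", "should not left running" should be "should not be left running", "to a certain extend" should be "to a certain extent", and "payed support" should be "paid support".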