Updated OpenID Connect OAuth2 (markdown)

Ralf Becker 2020-05-22 11:03:02 +02:00
parent b080d6f43e
commit f10b5b90d6

@ -1,4 +1,4 @@
EGroupware 19.1+ comes with an OpenID Connect / OAuth2 server integrated. ### EGroupware 19.1+ comes with an OpenID Connect / OAuth2 server integrated
This page describes how to authenticate and (optionally) integrate other applications using it. This page describes how to authenticate and (optionally) integrate other applications using it.
@ -9,3 +9,61 @@ This page describes how to authenticate and (optionally) integrate other applica
* User information: https://example.org/egroupware/openid/endpoint.php/userinfo * User information: https://example.org/egroupware/openid/endpoint.php/userinfo
* Public key: https://example.org/egroupware/openid/endpoint.php/jwks * Public key: https://example.org/egroupware/openid/endpoint.php/jwks
> Replace example.org with the full qualified domain-name your EGroupware server uses. > Replace example.org with the full qualified domain-name your EGroupware server uses.
### Supported Grants:
* Authorization Code: user authorized access and get auth-code, server requests access-token via backchannel
* Refresh Token: token to refresh access-token after it's expired
* Client Credentials: server requests access-token without further authorization
* Implicit: user authorized access and get access-token and auth-code, server requests own access-token via backchannel
* Password: other server checks username/password of EGroupware user (not recommended any more, as other server gets the password!)
### Client configuration in EGroupware
> Go to: Admin > Applications > OpenID / OAuth2 server > Clients
### Configuration of tested clients
#### Rocket.Chat custom OAuth configuration
Install Rocket.Chat eg. via [docker-compose](https://rocket.chat/docs/installation/docker-containers/docker-compose/).
You need to create a Client-Identifier and -Secret via Admin >> OpenID / OAuth2 server >> Clients with the following grants:
* Authorization Code
* Refresh Token
* Implicit
Then head in the Rocket.Chat Administration down to OAuth and click [Add custom oauth], give it a name eg. "EGroupware" and add the following values:
```
Enable: True
URL: https://example.org/egroupware/openid/endpoint.php
Token Path: /access_token
Token Send Via: Payload
Identity Token Send Via: Header
Identity Path: /userinfo
Authorize Path: /authorize
Scope: openid email profile roles
Param Name for access token: access_token
Id: <client-id-from-egroupware>
Secret: <client-secret-from-egroupware>
Login Style: Redirect
Button Text: EGroupware users click here
Username field: id
Name field: name
Avatar field: picture
Roles/Groups field name: roles
Merge roles from SSO: True (currently role got lost when rocketchat/status app login to RC api!)
Merge Users: True
```
Then click on [Save changes] to activate login and user creation through EGroupware.
(If Rocket.Chat runs in Docker on a Mac and EGroupware directly on the Mac, use "docker.for.mac.localhost" as hostname, as it is different from localhost!)
If you only want users from EGroupware and no free registration with local passwords, go to Adminstration >> Accounts and set:
```
Show Default Login Form: False
```
### Troubleshooting
* Enable request log under: Admin > Applications > OpenID / OAuth2 server > Request log
> While the log does not record passwords, it contains the issued token and should not left running!
* Free support via [EGroupware Forum](https://help.egroupware.org/) where users help other users and EGroupware GmbH supporters also help to a certain extend
* [EGroupware GmbH offers payed support](https://www.egroupware.org/egroupware-support/) including our OpenID Connect and OAuth2 server