mirror of
https://github.com/EGroupware/egroupware.git
synced 2024-11-25 01:13:25 +01:00
Updated OpenID Connect OAuth2 (markdown)
parent
b080d6f43e
commit
f10b5b90d6
@ -1,4 +1,4 @@
|
||||
EGroupware 19.1+ comes with an OpenID Connect / OAuth2 server integrated.
|
||||
### EGroupware 19.1+ comes with an OpenID Connect / OAuth2 server integrated
|
||||
|
||||
This page describes how to authenticate and (optionally) integrate other applications using it.
|
||||
|
||||
@ -9,3 +9,61 @@ This page describes how to authenticate and (optionally) integrate other applica
|
||||
* User information: https://example.org/egroupware/openid/endpoint.php/userinfo
|
||||
* Public key: https://example.org/egroupware/openid/endpoint.php/jwks
|
||||
> Replace example.org with the full qualified domain-name your EGroupware server uses.
|
||||
|
||||
### Supported Grants:
|
||||
* Authorization Code: user authorized access and get auth-code, server requests access-token via backchannel
|
||||
* Refresh Token: token to refresh access-token after it's expired
|
||||
* Client Credentials: server requests access-token without further authorization
|
||||
* Implicit: user authorized access and get access-token and auth-code, server requests own access-token via backchannel
|
||||
* Password: other server checks username/password of EGroupware user (not recommended any more, as other server gets the password!)
|
||||
|
||||
### Client configuration in EGroupware
|
||||
> Go to: Admin > Applications > OpenID / OAuth2 server > Clients
|
||||
|
||||
### Configuration of tested clients
|
||||
|
||||
#### Rocket.Chat custom OAuth configuration
|
||||
|
||||
Install Rocket.Chat eg. via [docker-compose](https://rocket.chat/docs/installation/docker-containers/docker-compose/).
|
||||
|
||||
You need to create a Client-Identifier and -Secret via Admin >> OpenID / OAuth2 server >> Clients with the following grants:
|
||||
* Authorization Code
|
||||
* Refresh Token
|
||||
* Implicit
|
||||
|
||||
Then head in the Rocket.Chat Administration down to OAuth and click [Add custom oauth], give it a name eg. "EGroupware" and add the following values:
|
||||
```
|
||||
Enable: True
|
||||
URL: https://example.org/egroupware/openid/endpoint.php
|
||||
Token Path: /access_token
|
||||
Token Send Via: Payload
|
||||
Identity Token Send Via: Header
|
||||
Identity Path: /userinfo
|
||||
Authorize Path: /authorize
|
||||
Scope: openid email profile roles
|
||||
Param Name for access token: access_token
|
||||
Id: <client-id-from-egroupware>
|
||||
Secret: <client-secret-from-egroupware>
|
||||
Login Style: Redirect
|
||||
Button Text: EGroupware users click here
|
||||
Username field: id
|
||||
Name field: name
|
||||
Avatar field: picture
|
||||
Roles/Groups field name: roles
|
||||
Merge roles from SSO: True (currently role got lost when rocketchat/status app login to RC api!)
|
||||
Merge Users: True
|
||||
```
|
||||
Then click on [Save changes] to activate login and user creation through EGroupware.
|
||||
|
||||
(If Rocket.Chat runs in Docker on a Mac and EGroupware directly on the Mac, use "docker.for.mac.localhost" as hostname, as it is different from localhost!)
|
||||
|
||||
If you only want users from EGroupware and no free registration with local passwords, go to Adminstration >> Accounts and set:
|
||||
```
|
||||
Show Default Login Form: False
|
||||
```
|
||||
|
||||
### Troubleshooting
|
||||
* Enable request log under: Admin > Applications > OpenID / OAuth2 server > Request log
|
||||
> While the log does not record passwords, it contains the issued token and should not left running!
|
||||
* Free support via [EGroupware Forum](https://help.egroupware.org/) where users help other users and EGroupware GmbH supporters also help to a certain extend
|
||||
* [EGroupware GmbH offers payed support](https://www.egroupware.org/egroupware-support/) including our OpenID Connect and OAuth2 server
|
||||
|
Loading…
Reference in New Issue
Block a user