Andreas/wekan
1
0
Fork 0
mirror of https://github.com/wekan/wekan.git synced 2026-01-26 03:06:09 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

Reorganized Docs. In Progress.

Browse source
This commit is contained in:
Lauri Ojansivu 2024-06-27 11:08:43 +03:00
parent 1961e22cbd
commit ce89ff4833
202 changed files with 0 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

22
docs/Login/ADFS.md Normal file
View file

@ -0,0 +1,22 @@
## ADFS 4.0 using OAuth 2 and OpenID
[Related issue](https://github.com/wekan/wekan/issues/3184)
There is these settings.
## Snap
```
sudo snap set oauth2-enabled='true'
sudo snap set oauth2-adfs-enabled='true'
```
Unset:
```
sudo snap unset oauth2-enabled
sudo snap unset oauth2-adfs-enabled
```
## Docker and .sh/.bat
```
OAUTH2_ENABLED=true
OAUTH2_ADFS_ENABLED=true
```
To disable, uncomment or remove that line.

14
docs/Login/Accounts-Lockout.md Normal file
View file

@ -0,0 +1,14 @@
## Brute force protection
For settings, see:
- Snap: `wekan.help | grep lockout`
- Docker: Search lockout from docker-compose.yml at https://github.com/wekan/wekan
[Removing lockout from users](https://github.com/wekan/wekan/issues/3306)
For UCS, it's UCS VM and inside it Docker container. You just ssh your ucs VM like this, with same username password you used when installin UCS and administering UCS apps, su to root:
```
ssh Administrator@192.168.0.100
su
```
And then use those Docker commands https://github.com/wekan/wekan/issues/3306#issuecomment-712743002

47
docs/Login/B2C.md Normal file
View file

@ -0,0 +1,47 @@
## Azure AD B2C using OAuth2
- Original issue: https://github.com/wekan/wekan/issues/5242
- B2C feature added: https://github.com/wekan/wekan/commit/93be112a9454c894c1ce3146ed377e6a6aeca64a
- Similar like [ADFS](ADFS), but `email` is first of array `userinfo[emails]`
## Snap
```
sudo snap set wekan oauth2-enabled='true'
sudo snap set wekan oauth2-b2c-enabled='true'
sudo snap set wekan oauth2-username-map='sub'
sudo snap set wekan oauth2-request-permissions='openid email profile'
sudo snap set wekan oauth2-client-id='xxxxxxxx'
sudo snap set wekan oauth2-secret='xxxxxxx'
sudo snap set wekan oauth2-server-url='https://B2C_TENANT_NAME.b2clogin.com/B2C_TENANT_NAME.onmicrosoft.com/B2C_POLICY_NAME'
sudo snap set wekan oauth2-auth-endpoint='/oauth2/v2.0/authorize'
sudo snap set wekan oauth2-token-endpoint='/oauth2/v2.0/token'
sudo snap set wekan oauth2-username-map='sub'
sudo snap set wekan oauth2-email-map='email'
sudo snap set wekan oauth2-fullname-map='name'
sudo snap set wekan oauth2-id-map='sub'
```
## Docker
https://github.com/wekan/wekan/blob/main/docker-compose.yml
```
- OAUTH2_ENABLED=true
- OAUTH2_B2C_ENABLED=true
- OAUTH2_USERNAME_MAP=sub
- OAUTH2_REQUEST_PERMISSIONS=openid email profile
- OAUTH2_CLIENT_ID=xxxxxxxx
- OAUTH2_SECRET=xxxxxxx
- OAUTH2_SERVER_URL=https://B2C_TENANT_NAME.b2clogin.com/B2C_TENANT_NAME.onmicrosoft.com/B2C_POLICY_NAME
- OAUTH2_AUTH_ENDPOINT=/oauth2/v2.0/authorize
- OAUTH2_TOKEN_ENDPOINT=/oauth2/v2.0/token
- OAUTH2_USERNAME_MAP=sub
- OAUTH2_EMAIL_MAP=email
- OAUTH2_FULLNAME_MAP=name
- OAUTH2_ID_MAP=sub
```
## Others
Similar like above Docker.

13
docs/Login/CAS.md Normal file
View file

@ -0,0 +1,13 @@
[CAS Issue](https://github.com/wekan/wekan/issues/3204)
[CAS settings commit](https://github.com/wekan/wekan/commit/214c86cc22f4c721a79ec0a4a4f3bbd90d673f93)
Please send pull requests if CAS login does not work.
Wekan clientside code is at `wekan/client/components/main/layouts.*`
Wekan serverside code is at:
- `wekan/server/authentication.js` at bottom
- `wekan/packages/*cas*/*`
Originally before moving to `wekan/packages/*cas*/*` CAS code was at https://github.com/wekan/meteor-accounts-cas

32
docs/Login/Disable-Password-Login.md Normal file
View file

@ -0,0 +1,32 @@
## Description
At login screen, do not show password login. Only show login button (OAuth2, LDAP, etc).
## Snap
```
sudo snap set wekan password-login-enabled='false'
```
https://github.com/wekan/wekan/blob/main/snap-src/bin/wekan-help#L614
## Docker
```
- PASSWORD_LOGIN_ENABLED=false
```
https://github.com/wekan/wekan/blob/main/docker-compose.yml#L693
## Windows On-Premise
https://github.com/wekan/wekan/wiki/Offline
```
SET PASSWORD_LOGIN_ENABLED=false
```
https://github.com/wekan/wekan/blob/main/start-wekan.bat#L467
## Linux On-Premise
https://github.com/wekan/wekan/wiki/Raspberry-Pi
```
export PASSWORD_LOGIN_ENABLED=false
```
https://github.com/wekan/wekan/blob/main/start-wekan.sh#L529

209
docs/Login/Forgot-Password.md Normal file
View file

@ -0,0 +1,209 @@
## Snap
**a) Wekan Snap**
```
export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/snap/wekan/current/lib/x86_64-linux-gnu
export PATH="$PATH:/snap/wekan/current/bin"
mongo --port 27019
```
If you have disabled new user registration at Admin Panel, you can enable it, and create new user your https://wekan.example.com/sign-up :
```
db.settings.update({},{$set: {"disableRegistration":false}})
```
Find what users there are:
```
db.users.find()
```
Set some user as admin:
```
db.users.update({username:'admin-username-here'},{$set:{isAdmin:true}})
```
Check are there any failed logins with wrong password, that brute force login prevention has denied login:
```
db.AccountsLockout.Connections.find()
```
If there are, delete all those login preventions:
```
db.AccountsLockout.Connections.deleteMany({})
```
Then exit:
```
exit
```
Then login to Wekan and change any users passwords at `Admin Panel / People / People`.
**b) Wekan Gantt GPL Snap**
```
export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/snap/wekan-gantt-gpl/current/lib/x86_64-linux-gnu
export PATH="$PATH:/snap/wekan-gantt-gpl/current/bin"
mongo --port 27019
```
If you have disabled new user registration at Admin Panel, you can enable it, and create new user your https://wekan.example.com/sign-up :
```
db.settings.update({},{$set: {"disableRegistration":false}})
```
Find what users there are:
```
db.users.find()
```
Set some user as admin:
```
db.users.update({username:'admin-username-here'},{$set:{isAdmin:true}})
```
Check are there any failed logins with wrong password, that brute force login prevention has denied login:
```
db.AccountsLockout.Connections.find()
```
If there are, delete all those login preventions:
```
db.AccountsLockout.Connections.deleteMany({})
```
Then exit:
```
exit
```
Then login to Wekan and change any users passwords at `Admin Panel / People / People`.
**c) Use DBGate or Nosqlbooster** to edit wekan database users table to have admin true:
- https://github.com/wekan/wekan/wiki/Backup#dbgate-open-source-mongodb-gui
- https://github.com/wekan/wekan/wiki/Forgot-Password
## Set user as BoardAdmin on all boards user is member of
[Source](https://github.com/wekan/wekan/issues/2413#issuecomment-1239249563)
```
db.boards.updateMany(
{ members: { $elemMatch: { userId: “USER-ID-HERE”, isAdmin: false } } },
{
$set: { “members.$.isAdmin”: true },
}
);
```
## Docker
1. Change to inside of wekan database Docker container:
```
docker exec -it wekan-db bash
```
2. Start MongoDB Shell
```
/bin/mongosh
```
3. List databases
```
show dbs
```
4. Change to wekan database
```
use wekan
```
5. Show collections/tables
```
show collections
```
6. Count users
```
db.users.count()
```
7. If you have disabled new user registration at Admin Panel, you can enable it, and create new user your https://wekan.example.com/sign-up :
```
db.settings.update({},{$set: {"disableRegistration":false}})
```
8. Find what users there are:
```
db.users.find()
```
9. Set some user as admin:
```
db.users.update({username:'admin-username-here'},{$set:{isAdmin:true}})
```
10. Check are there any failed logins with wrong password, that brute force login prevention has denied login:
```
db.AccountsLockout.Connections.find()
```
11. If there are, delete all those login preventions:
```
db.AccountsLockout.Connections.deleteMany({})
```
12. Then exit:
```
exit
```
13. Then login to Wekan and change any users passwords at `Admin Panel / People / People`.
More info:
- https://github.com/wekan/wekan/wiki/Backup
- https://github.com/wekan/wekan/wiki/Docker
***
## OLD INFO BELOW:
1) Download [Robo 3T](https://robomongo.org) on your Linux or Mac computer. Or, using ssh shell to server, [login to MongoDB database using mongo cli](Backup#mongodb-shell-on-wekan-snap)
2) Make SSH tunnel to your server, from your local port 9000 (or any other) to server MongoDB port 27019:
```
ssh -L 9000:localhost:27019 user@example.com
```
3) Open Robo 3T, create new connection: Name, address: localhost : 9000
a) If you don't have self-registration disabled, register new account at /sign-up, and make yourself admin in MongoDB database:
1) Use database that has wekan data, for example:
```
use wekan
```
2) Add Admin rights to some Wekan username:
```
db.users.update({username:'admin-username-here'},{$set:{isAdmin:true}})
```
b) If someone else remembers their password, and his/her login works, copy their bcrypt hashed password to your password using Robo 3T.
c) Install Wekan elsewhere, create new user, copy bcrypt hashed password to your password.
d) Backup, New install, Create User, Copy Password, Restore:
1. [Backup Snap](https://github.com/wekan/wekan-snap/wiki/Backup-and-restore)
2. stop wekan `sudo snap stop wekan.wekan`
3a. Empty database by dropping wekan database in Mongo 3T
3b. Empty database in [mongo cli](mongo cli](Backup#mongodb-shell-on-wekan-snap):
```
mongo --port 27019
```
Look what databases there are:
```
show dbs
```
Probably database is called wekan, so use it:
```
use wekan
```
Delete database:
```
db.dropDatabase()
```
4. Start wekan:
```
sudo snap stop wekan.wekan
```
5. Register at /sign-up
6. Copy bcrypt hashed password to text editor
7. [Restore your backup](https://github.com/wekan/wekan-snap/wiki/Backup-and-restore)
8. Change to database your new bcrypt password.
## Don't have Admin Rights to board
1. In Robo 3T, find where your ID that your username has:
```
db.getCollection('users').find({username: "YOUR-USERNAME-HERE"})
```
2. Find board where you are not admin, using user ID you found above:
```
db.getCollection('boards').find({members: {$elemMatch: { userId: "YOUR-USER-ID-HERE", isAdmin: false} } })
```
And set yourself as admin.

1
docs/Login/Google-Cloud.md Normal file
View file

@ -0,0 +1 @@
Needs info how to enable websockets. Wekan requires working websockets support.

29
docs/Login/Google-login.md Normal file
View file

@ -0,0 +1,29 @@
### NOTE: BEFORE 2020-09-07 THERE WAS WRONG SETTING BELOW, IT CAUSED LOGIN WITH WRONG USER, YOU SHOULD FIX YOUR SETTINGS
### CORRECT SETTINGS ARE:
### snap set wekan oauth2-email-map='email'
### snap set wekan oauth2-username-map='email'
[Thanks to @mlazzje for this info below](https://github.com/wekan/wekan/issues/2527#issuecomment-654155289)
To create Google OAuth 2 credentials, you can follow this tutorial: https://developers.google.com/identity/sign-in/web/sign-in
Then replace `CLIENT_ID` and `CLIENT_SECRET` below.
The redirect URL is your Wekan root-url+_oauth/oidc like this: https://boards.example.com/_oauth/oidc
If you have existing password account, and would like to switch to Google auth account, you need to rename that username and email address, so you can autoregister with your Google auth email address. Then share your boards from password account to Google auth account and set that to Google auth user as BoardAdmin.
In your wekan config, you have to set the following information in snap:
```
sudo snap set wekan oauth2-enabled='true'
sudo snap set wekan oauth2-client-id='CLIENT_ID'
sudo snap set wekan oauth2-secret='CLIENT_SECRET'
sudo snap set wekan oauth2-auth-endpoint='https://accounts.google.com/o/oauth2/v2/auth'
sudo snap set wekan oauth2-token-endpoint='https://oauth2.googleapis.com/token'
sudo snap set wekan oauth2-userinfo-endpoint='https://openidconnect.googleapis.com/v1/userinfo'
sudo snap set wekan oauth2-id-map='sub'
sudo snap set wekan oauth2-email-map='email'
sudo snap set wekan oauth2-username-map='email'
sudo snap set wekan oauth2-fullname-map='name'
sudo snap set wekan oauth2-request-permissions='openid https://www.googleapis.com/auth/userinfo.profile https://www.googleapis.com/auth/userinfo.email'
```

68
docs/Login/Keycloak.md Normal file
View file

@ -0,0 +1,68 @@
[2022 KEYCLOAK CERTIFICATE FIX HERE](https://github.com/wekan/wekan/issues/4525)
[Somebody got Keycloak working](https://github.com/wekan/wekan/issues/3277#issuecomment-696333794)
NOTE: Is that preffered_username setting wrong? Correct settings should be for OIDC login:
```
sudo snap set wekan oauth2-username-map='email'
sudo snap set wekan oauth2-email-map='email'
```
[Outstanding Bug](https://github.com/wekan/wekan/issues/1874#issuecomment-460802250): Create the first user (admin) with the regular process. Then the remaining users can use the Register with OIDC process.
Keycloak settings: [realm-export.zip](https://wekan.github.io/keycloak/realm-export.zip)
[Keycloak at Docker Hub](https://hub.docker.com/r/jboss/keycloak)
Environment Variables that need to be set in your Wekan environment:
> When creating a Client in keycloak, ensure the access type is confidential under the settings tab. After clicking save, you will have a Credentials tab. You can retrieve the secret from that location.
## Snap
Copy below commands to `auth.sh` textfile, make it executeable `chmod +x auth.sh` and run it with `./auth.sh`.
```
sudo snap set wekan oauth2-enabled='true'
sudo snap set wekan oauth2-client-id='<Keycloak create Client ID>'
sudo snap set wekan oauth2-secret='<Keycloak Client secret>'
sudo snap set wekan oauth2-server-url='<Keycloak server name>/auth'
sudo snap set wekan oauth2-auth-endpoint='/realms/<keycloak realm>/protocol/openid-connect/auth'
sudo snap set wekan oauth2-userinfo-endpoint='/realms/<keycloak realm>/protocol/openid-connect/userinfo'
sudo snap set wekan oauth2-token-endpoint='/realms/<keycloak realm>/protocol/openid-connect/token'
sudo snap set wekan oauth2-id-map='preferred_username'
sudo snap set wekan oauth2-username-map='preferred_username'
sudo snap set wekan oauth2-fullname-map='given_name'
sudo snap set wekan oauth2-email-map='email'
```
### Debugging, if Snap OIDC login does not work
```
sudo snap set wekan debug='true'
```
Click Oidc button. Then:
```
sudo snap logs wekan.wekan
sudo systemctl status snap.wekan.wekan
```
## Docker
[docker-compose.yml](https://github.com/wekan/wekan/blob/main/docker-compose.yml)
```
- DEBUG=true
- OAUTH2_ENABLED=true
- OAUTH2_CLIENT_ID=<Keycloak create Client ID>
- OAUTH2_SERVER_URL=<Keycloak server name>/auth
- OAUTH2_AUTH_ENDPOINT=/realms/<keycloak realm>/protocol/openid-connect/auth
- OAUTH2_USERINFO_ENDPOINT=/realms/<keycloak realm>/protocol/openid-connect/userinfo
- OAUTH2_TOKEN_ENDPOINT=/realms/<keycloak realm>/protocol/openid-connect/token
- OAUTH2_SECRET=<keycloak client secret>
- OAUTH2_ID_MAP=preferred_username
- OAUTH2_USERNAME_MAP=preferred_username
- OAUTH2_FULLNAME_MAP=given_name
- OAUTH2_EMAIL_MAP=email
```
### Debugging, if Docker OIDC login does not work
```
docker logs wekan-app
```

89
docs/Login/LDAP-AD-Simple-Auth.md Normal file
View file

@ -0,0 +1,89 @@
- [**OTHER LDAP Settings**](LDAP-AD-Simple-Auth) and [**RELATED Search Filter Settings**](https://github.com/wekan/wekan/issues/3908#issuecomment-887545168):
```
- LDAP_USER_SEARCH_FILTER=(objectClass=user)
- LDAP_EMAIL_FIELD=mail
```
- [Original PR](https://github.com/wekan/wekan/pull/3909). Thanks to indika-dev.
- [Added settings for all remainin Wekan Standalone (non-Sandstorm) platforms](https://github.com/wekan/wekan/commit/fe40f35d6d9b6293f3bdbf5bc0f3e8e708c59518) and Docs to this wiki page. Thanks to xet7.
- When enabled, LDAP_BASEDN is not needed. Example: `true`
- Also change `mydomain.com` to your domain.
- If you use LDAP Sync, also change those settings.
## Docker
Uncomment settings lines this wasy at [docker-compose.yml](https://github.com/wekan/wekan/blob/main/docker-compose.yml) to enable:
```
#-----------------------------------------------------------------
# ==== LDAP AD Simple Auth ====
#
# Set to true, if you want to connect with Active Directory by Simple Authentication.
# When using AD Simple Auth, LDAP_BASEDN is not needed.
#
# Example:
#- LDAP_AD_SIMPLE_AUTH=true
#
# === LDAP User Authentication ===
#
# a) Option to login to the LDAP server with the user's own username and password, instead of
# an administrator key. Default: false (use administrator key).
#
# b) When using AD Simple Auth, set to true, when login user is used for binding,
# and LDAP_BASEDN is not needed.
#
# Example:
#- LDAP_USER_AUTHENTICATION=true
#
# Which field is used to find the user for the user authentication. Default: uid.
#- LDAP_USER_AUTHENTICATION_FIELD=uid
#
# === LDAP Default Domain ===
#
# a) In case AD SimpleAuth is configured, the default domain is appended to the given
# loginname for creating the correct username for the bind request to AD.
#
# b) The default domain of the ldap it is used to create email if the field is not map
# correctly with the LDAP_SYNC_USER_DATA_FIELDMAP
#
# Example :
#- LDAP_DEFAULT_DOMAIN=mydomain.com
#
#-----------------------------------------------------------------
```
## Snap
Wekan, enable:
```
sudo snap set wekan ldap-ad-simple-auth='true'
sudo snap set wekan ldap-user-authentication='true'
sudo snap set wekan ldap-default-domain='mydomain.com'
```
Wekan, disable:
```
sudo snap unset wekan ldap-ad-simple-auth
sudo snap unset wekan ldap-user-authentication
sudo snap unset wekan ldap-default-domain
```
[Wekan Gantt GPL](https://github.com/wekan/wekan/issues/2870#issuecomment-721364824), enable:
```
sudo snap set wekan-gantt-gpl ldap-ad-simple-auth='true'
sudo snap set wekan-gantt-gpl ldap-user-authentication='true'
sudo snap set wekan-gantt-gpl ldap-default-domain='mydomain.com'
```
Wekan Gantt GPL, disable:
```
sudo snap unset wekan-gantt-gpl ldap-ad-simple-auth
sudo snap unset wekan-gantt-gpl ldap-user-authentication
sudo snap unset wekan-gantt-gpl ldap-default-domain
```

443
docs/Login/LDAP.md Normal file
View file

@ -0,0 +1,443 @@
## LDAP info
- [LDAP sync script, that also correctly removes users](https://github.com/wekan/wekan/blob/main/ldap-sync/ldap-sync.py)
- [LDAP AD Simple Auth](LDAP-AD-Simple-Auth) 2021-07-24 and related [Search Filter Settings](https://github.com/wekan/wekan/issues/3908#issuecomment-887545168):
```
- LDAP_USER_SEARCH_FILTER=(objectClass=user)
- LDAP_EMAIL_FIELD=mail
```
- [MS AD with Windows 2012 server](https://github.com/wekan/wekan/issues/3292#issuecomment-703246384)
- [Additional info about LDAP docs here](https://github.com/wekan/wekan-ldap/issues/77)
- [LDAP issues](https://github.com/wekan/wekan-ldap/issues)
- [Univention LDAP related issues](https://github.com/wekan/univention/issues)
- [Teams/Organizations feature related LDAP plans](https://github.com/wekan/wekan/issues/802). Needs info from LDAP experts to describe how LDAP works.
- [Wekan LDAP code](https://github.com/wekan/wekan/tree/main/packages/wekan-ldap)
***
## Snap
LDAP is available on Snap Stable channel. Settings can be seen with command `wekan.help` and from repo https://github.com/wekan/wekan-ldap . More settings at https://github.com/wekan/wekan-snap/wiki/Supported-settings-keys
You see all settings with:
```
wekan.help | less
```
For root-url, see [Settings](Settings)
For Caddy/Wekan/RocketChat Snap settings, see [Snap install page](https://github.com/wekan/wekan-snap/wiki/Install), [OAuth2 page](OAuth2#snap) and [Caddy page](Caddy-Webserver-Config). Instead of Caddy you can also use [Nginx](Nginx-Webserver-Config) or [Apache](Apache).
## LDAP Filter settings
For better working LDAP filter setting than those below, settings info here:
https://github.com/wekan/univention/issues/5
### Active Directory LDAP part
[Source](https://github.com/wekan/wekan/issues/2822#issuecomment-568314135)
```
sudo snap set wekan ldap-enable='true'
sudo snap set wekan default-authentication-method='ldap'
sudo snap set wekan ldap-port='389'
sudo snap set wekan ldap-host='192.168.1.100'
sudo snap set wekan ldap-basedn='OU=Domain Users,DC=sub,DC=domain,DC=tld'
sudo snap set wekan ldap-login-fallback='false'
sudo snap set wekan ldap-reconnect='true'
sudo snap set wekan ldap-timeout='10000'
sudo snap set wekan ldap-idle-timeout='10000'
sudo snap set wekan ldap-connect-timeout='10000'
sudo snap set wekan ldap-authentication='true'
sudo snap set wekan ldap-authentication-userdn='CN=LDAP-User,OU=Service Accounts,DC=sub,DC=domain,DC=tld'
sudo snap set wekan ldap-authentication-password='<password>'
sudo snap set wekan ldap-log-enabled='true'
sudo snap set wekan ldap-background-sync='true'
sudo snap set wekan ldap-background-sync-interval='every 1 minute'
sudo snap set wekan ldap-background-sync-keep-existant-users-updated='true'
sudo snap set wekan ldap-background-sync-import-new-users='true'
sudo snap set wekan ldap-encryption='false'
sudo snap set wekan ldap-user-search-field='sAMAccountName'
sudo snap set wekan ldap-username-field='sAMAccountName'
sudo snap set wekan ldap-fullname-field='cn'
```
### FreeIPA v4.6.6
[Source](https://github.com/wekan/wekan/issues/3357)
```bash
snap set wekan ldap-enable='true'
snap set wekan ldap-host='ldap.example.com'
# Use 'tls' and port 389 for STARTTLS, which is more secure than standard LDAPS.
snap set wekan ldap-port='389'
snap set wekan ldap-encryption='tls'
snap set wekan ldap-timeout='10000'
snap set wekan ldap-idle-timeout='10000'
snap set wekan ldap-connect-timeout='10000'
snap set wekan ldap-authentication='true'
snap set wekan ldap-authentication-userdn='uid=ldapuser,cn=users,cn=accounts,dc=example, dc=com'
snap set wekan ldap-authentication-password='password'
# This must be set to "false" for self-signed certificates to work - enable it
# for better security if you are using a certificate verified by a commercial
# Certificate Authority (like DigiCert, Let's Encrypt, etc.)
snap set wekan ldap-reject-unauthorized='false'
# This must be the plaintext certificate data, which you can get by running the
# follwing command:
# cat ca.example.com.pem | tr -d '\n'
# This removes the hidden newline characters, and allows you to copy it
# straight from your terminal and past it into the snap set command.
#
# Pointing it to a file doesn't work - I tried.
snap set wekan ldap-ca-cert='-----BEGIN CERTIFICATE-----[blahblahblah]-----END CERTIFICATE-----'
snap set wekan ldap-log-enabled='true'
snap set wekan ldap-basedn='dc=example,dc=com'
snap set wekan ldap-background-sync='true'
snap set wekan ldap-background-sync-keep-existant-users-updated='true'
snap set wekan ldap-background-sync-import-new-users='true'
snap set wekan ldap-background-sync-interval='Every 1 minute'
snap set wekan ldap-merge-existing-users='true'
snap set wekan ldap-user-search-field='uid'
snap set wekan ldap-user-search-filter='(&(objectclass=person))'
snap set wekan ldap-user-search-scope='sub'
snap set wekan ldap-username-field='uid'
snap set wekan ldap-fullname-field='displayName'
snap set wekan ldap-email-field='mail'
snap set wekan ldap-sync-user-data='true'
snap set wekan ldap-sync-user-data-fieldmap='{"displayName":"name", "mail":"email", "initials":"initials"}'
```
### OpenLDAP
[Source](https://github.com/wekan/wekan/issues/2822#issuecomment-564451384)
```
sudo snap set wekan default-authentication-method='ldap'
sudo snap set wekan ldap-authentication='true'
sudo snap set wekan ldap-authentication-password='********'
sudo snap set wekan ldap-authentication-userdn='cn=admin,dc=*******,dc=lan'
sudo snap set wekan ldap-background-sync='true'
sudo snap set wekan ldap-background-sync-import-new-users='true'
sudo snap set wekan ldap-background-sync-interval='Every 1 minute'
sudo snap set wekan ldap-basedn='dc=*****,dc=lan'
sudo snap set wekan ldap-email-field='mail'
sudo snap set wekan ldap-enable='true'
sudo snap set wekan ldap-fullname-field='cn'
sudo snap set wekan ldap-group-filter-enable='false'
sudo snap set wekan ldap-group-filter-id-attribute='cn'
sudo snap set wekan ldap-group-filter-objectclass='groupOfUniqueNames'
sudo snap set wekan ldap-host='192.168.100.7'
sudo snap set wekan ldap-log-enabled='false'
sudo snap set wekan ldap-login-fallback='true'
sudo snap set wekan ldap-merge-existing-users='true'
sudo snap set wekan ldap-port='389'
sudo snap set wekan ldap-sync-admin-groups='administrator'
sudo snap set wekan ldap-user-search-field='uid'
sudo snap set wekan ldap-user-search-filter='(&(objectclass=inetOrgPerson))'
sudo snap set wekan ldap-user-search-scope='sub'
sudo snap set wekan ldap-username-field='uid'
```
## Docker
LDAP login works now by using this docker-compose.yml file:
https://raw.githubusercontent.com/wekan/wekan/edge/docker-compose.yml
adding ROOT_URL, LDAP settings etc to that file.
Using this docker-compose:
https://docs.docker.com/compose/install/
With this command:
```
docker-compose up -d --no-build
```
## Bugs and Feature Requests
[LDAP Bugs and Feature Requests](https://github.com/wekan/wekan-ldap/issues)
## Example LDAP settings for Docker
Note: Some newer settings could be missing from example below. Someone could copy newest missing settings from docker-compose.yml above to example below. Some examples are also at closed and open issues at https://github.com/wekan/wekan-ldap/issues
```
version: '2'
services:
wekandb:
# All Wekan data is stored in MongoDB. For backup and restore, see:
# https://github.com/wekan/wekan/wiki/Export-Docker-Mongo-Data
image: mongo:4.0.3
container_name: wekan-db
restart: always
command: mongod --smallfiles --oplogSize 128
networks:
- wekan-tier
expose:
- 27017
volumes:
- wekan-db:/data/db
- wekan-db-dump:/dump
wekan:
# Wekan container only has Node.js and related code,
# there is no data stored here.
#
# Docker Hub, usually broken:
#image: wekanteam/wekan:latest
#
# Quay, usually works, updates faster:
image: quay.io/wekan/wekan:meteor-1.8
container_name: wekan-app
restart: always
networks:
- wekan-tier
#---------------------------------------------------------------
# For running Wekan in different port like 3000, use: 3000:80
ports:
- 3000:3000
environment:
#---------------------------------------------------------------
# == ROOT_URL SETTING ==
# Change ROOT_URL to your real Wekan URL, for example:
# http://example.com
# http://example.com/wekan
# http://192.168.1.100
#---------------------------------------------------------------
- ROOT_URL=
#---------------------------------------------------------------
# == PORT SETTING ==
# Not needed on Docker, but if you had installed from source,
# you could also have setup Wekan Node.js port at localhost
# with setting: PORT=3001
# and have Nginx proxy to port 3001, see Wekan wiki.
#---------------------------------------------------------------
- PORT=3000
#---------------------------------------------------------------
# == MONGO URL AND OPLOG SETTINGS ==
# https://github.com/wekan/wekan-mongodb/issues/2#issuecomment-378343587
# We've fixed our CPU usage problem today with an environment
# change around Wekan. I wasn't aware during implementation
# that if you're using more than 1 instance of Wekan
# (or any MeteorJS based tool) you're supposed to set
# MONGO_OPLOG_URL as an environment variable.
# Without setting it, Meteor will perform a pull-and-diff
# update of it's dataset. With it, Meteor will update from
# the OPLOG. See here
# https://blog.meteor.com/tuning-meteor-mongo-livedata-for-scalability-13fe9deb8908
# After setting
# MONGO_OPLOG_URL=mongodb://<username>:<password>@<mongoDbURL>/local?authSource=admin&replicaSet=rsWekan
# the CPU usage for all Wekan instances dropped to an average
# of less than 10% with only occasional spikes to high usage
# (I guess when someone is doing a lot of work)
#---------------------------------------------------------------
- MONGO_URL=mongodb://wekandb:27017/wekan
#---------------------------------------------------------------
# - MONGO_OPLOG_URL=mongodb://<username>:<password>@<mongoDbURL>/local?authSource=admin&replicaSet=rsWekan
#---------------------------------------------------------------
# == EMAIL SETTINGS ==
# Email settings are required in both MAIL_URL and Admin Panel,
# see https://github.com/wekan/wekan/wiki/Troubleshooting-Mail
# For SSL in email, change smtp:// to smtps://
# NOTE: Special characters need to be url-encoded in MAIL_URL.
#---------------------------------------------------------------
- MAIL_URL='smtp://<mail_url>:25/?ignoreTLS=true&tls={rejectUnauthorized:false}'
- MAIL_FROM='Wekan Notifications <noreply.wekan@mydomain.com>'
#---------------------------------------------------------------
# == WEKAN API ==
# Wekan Export Board works when WITH_API='true'.
# If you disable Wekan API, Export Board does not work.
- WITH_API=true
#---------------------------------------------------------------
## Optional: Integration with Matomo https://matomo.org that is installed to your server
## The address of the server where Matomo is hosted:
# - MATOMO_ADDRESS=https://example.com/matomo
## The value of the site ID given in Matomo server for Wekan
# - MATOMO_SITE_ID=123456789
## The option do not track which enables users to not be tracked by matomo"
# - MATOMO_DO_NOT_TRACK=false
## The option that allows matomo to retrieve the username:
# - MATOMO_WITH_USERNAME=true
#---------------------------------------------------------------
# Enable browser policy and allow one trusted URL that can have iframe that has Wekan embedded inside.
# Setting this to false is not recommended, it also disables all other browser policy protections
# and allows all iframing etc. See wekan/server/policy.js
- BROWSER_POLICY_ENABLED=true
# When browser policy is enabled, HTML code at this Trusted URL can have iframe that embeds Wekan inside.
- TRUSTED_URL=''
#---------------------------------------------------------------
# What to send to Outgoing Webhook, or leave out. Example, that includes all that are default: cardId,listId,oldListId,boardId,comment,user,card,commentId .
# example: WEBHOOKS_ATTRIBUTES=cardId,listId,oldListId,boardId,comment,user,card,commentId
- WEBHOOKS_ATTRIBUTES=''
#---------------------------------------------------------------
# LDAP_ENABLE : Enable or not the connection by the LDAP
# example : LDAP_ENABLE=true
- LDAP_ENABLE=true
# LDAP_PORT : The port of the LDAP server
# example : LDAP_PORT=389
- LDAP_PORT=389
# LDAP_HOST : The host server for the LDAP server
# example : LDAP_HOST=localhost
- LDAP_HOST=<ldap_host_fqdn>
# LDAP_BASEDN : The base DN for the LDAP Tree
# example : LDAP_BASEDN=ou=user,dc=example,dc=org
- LDAP_BASEDN=ou=prod,dc=mydomain,dc=com
# LDAP_LOGIN_FALLBACK : Fallback on the default authentication method
# example : LDAP_LOGIN_FALLBACK=true
- LDAP_LOGIN_FALLBACK=false
# LDAP_RECONNECT : Reconnect to the server if the connection is lost
# example : LDAP_RECONNECT=false
- LDAP_RECONNECT=true
# LDAP_TIMEOUT : Overall timeout, in milliseconds
# example : LDAP_TIMEOUT=12345
- LDAP_TIMEOUT=10000
# LDAP_IDLE_TIMEOUT : Specifies the timeout for idle LDAP connections in milliseconds
# example : LDAP_IDLE_TIMEOUT=12345
- LDAP_IDLE_TIMEOUT=10000
# LDAP_CONNECT_TIMEOUT : Connection timeout, in milliseconds
# example : LDAP_CONNECT_TIMEOUT=12345
- LDAP_CONNECT_TIMEOUT=10000
# LDAP_AUTHENTIFICATION : If the LDAP needs a user account to search
# example : LDAP_AUTHENTIFICATION=true
- LDAP_AUTHENTIFICATION=true
# LDAP_AUTHENTIFICATION_USERDN : The search user DN
# example : LDAP_AUTHENTIFICATION_USERDN=cn=admin,dc=example,dc=org
- LDAP_AUTHENTIFICATION_USERDN=cn=wekan_adm,ou=serviceaccounts,ou=admin,ou=prod,dc=mydomain,dc=com
# LDAP_AUTHENTIFICATION_PASSWORD : The password for the search user
# example : AUTHENTIFICATION_PASSWORD=admin
- LDAP_AUTHENTIFICATION_PASSWORD=pwd
# LDAP_LOG_ENABLED : Enable logs for the module
# example : LDAP_LOG_ENABLED=true
- LDAP_LOG_ENABLED=true
# LDAP_BACKGROUND_SYNC : If the sync of the users should be done in the background
# example : LDAP_BACKGROUND_SYNC=true
- LDAP_BACKGROUND_SYNC=false
# LDAP_BACKGROUND_SYNC_INTERVAL : At which interval does the background task sync
# example : LDAP_BACKGROUND_SYNC_INTERVAL='every 15 minutes'
# for more info: http://bunkat.github.io/later/parsers.html#text
- LDAP_BACKGROUND_SYNC_INTERVAL='every 1 hour'
# LDAP_BACKGROUND_SYNC_KEEP_EXISTANT_USERS_UPDATED :
# example : LDAP_BACKGROUND_SYNC_KEEP_EXISTANT_USERS_UPDATED=true
- LDAP_BACKGROUND_SYNC_KEEP_EXISTANT_USERS_UPDATED=false
# LDAP_BACKGROUND_SYNC_IMPORT_NEW_USERS :
# example : LDAP_BACKGROUND_SYNC_IMPORT_NEW_USERS=true
- LDAP_BACKGROUND_SYNC_IMPORT_NEW_USERS=false
# LDAP_ENCRYPTION : If using LDAPS
# example : LDAP_ENCRYPTION=true
- LDAP_ENCRYPTION=false
# LDAP_CA_CERT : The certification for the LDAPS server
# example : LDAP_CA_CERT=-----BEGIN CERTIFICATE-----MIIE+zCCA+OgAwIBAgIkAhwR/6TVLmdRY6hHxvUFWc0+Enmu/Hu6cj+G2FIdAgIC...-----END CERTIFICATE-----
#- LDAP_CA_CERT=''
# LDAP_REJECT_UNAUTHORIZED : Reject Unauthorized Certificate
# example : LDAP_REJECT_UNAUTHORIZED=true
- LDAP_REJECT_UNAUTHORIZED=false
# LDAP_USER_SEARCH_FILTER : Optional extra LDAP filters. Don't forget the outmost enclosing parentheses if needed
# example : LDAP_USER_SEARCH_FILTER=
- LDAP_USER_SEARCH_FILTER=
# LDAP_USER_SEARCH_SCOPE : Base (search only in the provided DN), one (search only in the provided DN and one level deep), or subtree (search the whole subtree)
# example : LDAP_USER_SEARCH_SCOPE=one
- LDAP_USER_SEARCH_SCOPE=
# LDAP_USER_SEARCH_FIELD : Which field is used to find the user
# example : LDAP_USER_SEARCH_FIELD=uid
- LDAP_USER_SEARCH_FIELD=sAMAccountName
# LDAP_SEARCH_PAGE_SIZE : Used for pagination (0=unlimited)
# example : LDAP_SEARCH_PAGE_SIZE=12345
- LDAP_SEARCH_PAGE_SIZE=0
# LDAP_SEARCH_SIZE_LIMIT : The limit number of entries (0=unlimited)
# example : LDAP_SEARCH_SIZE_LIMIT=12345
- LDAP_SEARCH_SIZE_LIMIT=0
# LDAP_GROUP_FILTER_ENABLE : Enable group filtering
# example : LDAP_GROUP_FILTER_ENABLE=true
- LDAP_GROUP_FILTER_ENABLE=false
# LDAP_GROUP_FILTER_OBJECTCLASS : The object class for filtering
# example : LDAP_GROUP_FILTER_OBJECTCLASS=group
- LDAP_GROUP_FILTER_OBJECTCLASS=
# LDAP_GROUP_FILTER_GROUP_ID_ATTRIBUTE :
# example :
- LDAP_GROUP_FILTER_GROUP_ID_ATTRIBUTE=
# LDAP_GROUP_FILTER_GROUP_MEMBER_ATTRIBUTE :
# example :
- LDAP_GROUP_FILTER_GROUP_MEMBER_ATTRIBUTE=
# LDAP_GROUP_FILTER_GROUP_MEMBER_FORMAT :
# example :
- LDAP_GROUP_FILTER_GROUP_MEMBER_FORMAT=
# LDAP_GROUP_FILTER_GROUP_NAME :
# example :
- LDAP_GROUP_FILTER_GROUP_NAME=
# LDAP_UNIQUE_IDENTIFIER_FIELD : This field is sometimes class GUID (Globally Unique Identifier)
# example : LDAP_UNIQUE_IDENTIFIER_FIELD=guid
- LDAP_UNIQUE_IDENTIFIER_FIELD=
# LDAP_UTF8_NAMES_SLUGIFY : Convert the username to utf8
# example : LDAP_UTF8_NAMES_SLUGIFY=false
- LDAP_UTF8_NAMES_SLUGIFY=true
# LDAP_USERNAME_FIELD : Which field contains the ldap username
# example : LDAP_USERNAME_FIELD=username
- LDAP_USERNAME_FIELD=sAMAccountName
# LDAP_MERGE_EXISTING_USERS :
# example : LDAP_MERGE_EXISTING_USERS=true
- LDAP_MERGE_EXISTING_USERS=false
# LDAP_SYNC_USER_DATA :
# example : LDAP_SYNC_USER_DATA=true
- LDAP_SYNC_USER_DATA=false
# LDAP_SYNC_USER_DATA_FIELDMAP :
# example : LDAP_SYNC_USER_DATA_FIELDMAP={"cn":"name", "mail":"email"}
# LDAP_SYNC_GROUP_ROLES :
# example :
- LDAP_SYNC_GROUP_ROLES=''
# LDAP_DEFAULT_DOMAIN : The default domain of the ldap it is used to create email if the field is not map correctly with the LDAP_SYNC_USER_DATA_FIELDMAP
# example :
- LDAP_DEFAULT_DOMAIN=mydomain.com
#---------------------------------------------------------------
depends_on:
- wekandb
- wekanproxy
wekanproxy:
image: nginx:1.12
container_name: wekan-proxy
restart: always
networks:
- wekan-tier
ports:
- 443:443
- 80:80
volumes:
- ./nginx/nginx.conf:/etc/nginx/conf.d/default.conf:ro
- ./nginx/ssl/ssl.conf:/etc/nginx/conf.d/ssl/ssl.conf:ro
- ./nginx/ssl/testvm-ehu.crt:/etc/nginx/conf.d/ssl/certs/mycert.crt:ro
- ./nginx/ssl/testvm-ehu.key:/etc/nginx/conf.d/ssl/certs/mykey.key:ro
- ./nginx/ssl/pphrase:/etc/nginx/conf.d/ssl/pphrase:ro
#------------------------------------------------------------------
# When using Wekan both at office LAN and remote VPN:
# 1) Have above Wekan docker container config with LAN IP address
# 2) Copy all of above Wekan config below, change name to different
# like wekan2 or wekanvpn, and change ROOT_URL to server VPN IP
# address.
# 3) This way both Wekan containers can use same MongoDB database
# and see the same Wekan boards.
# 4) You could also add 3rd Wekan container for 3rd network etc.
#------------------------------------------------------------------
# wekan2:
# ....COPY CONFIG FROM ABOVE TO HERE...
# environment:
# - ROOT_URL='http://10.10.10.10'
# ...COPY CONFIG FROM ABOVE TO HERE...
volumes:
wekan-db:
driver: local
wekan-db-dump:
driver: local
networks:
wekan-tier:
driver: bridge
```

70
docs/Login/Let's-Encrypt-and-Google-Auth.md Normal file
View file

@ -0,0 +1,70 @@
Tested on Ubuntu 16.04 based distro.
Wekan installed with https://github.com/wekan/wekan/wiki/Export-Docker-Mongo-Data
## A) Let's Encrypt support, without Google Auth:
1) https://caddyserver.com config Caddyfile:
```bash
my.domain.com {
proxy / localhost:8080
}
```
2) Depending with what user you use to run Caddy, adding privileges to that user:
```bash
sudo setcap cap_net_bind_service=+ep ./caddy
```
## B) Caddy Let's Encrypt => Google Auth only allowed email addresses => Wekan
1) https://caddyserver.com config Caddyfile:
```bash
my.domain.com {
proxy / localhost:7000
}
```
2) Depending with what user you use to run Caddy, adding privileges to that user:
```bash
sudo setcap cap_net_bind_service=+ep ./caddy
```
3) Adding Google Auth, so only those email addresses can login:
https://www.npmjs.com/package/proxybouncer
4) Create nologin user for proxybouncer:
```bash
useradd -M proxybouncer
usermod -L proxyboucer
```
5) /etc/systemd/system/proxybouncer.service:
```bash
[Unit]
Description=Proxybouncer
[Service]
ExecStart=/usr/local/bin/proxybouncer
Restart=always
RestartSec=5 # Restart service after 10 seconds if node service crashes
StandardOutput=syslog # Output to syslog
StandardError=syslog # Output to syslog
SyslogIdentifier=proxybouncer
User=proxybouncer
Group=proxybouncer
Environment=PORT=7000 MY_URL=https://my.domain.com PROXY_TARGET=http://localhost:8080 GOOGLE_CLIENT_ID=... GOOGLE_CLIENT_SECRET=... ALLOWED_EMAILS=.*@domain.com$ COOKIE_SECRET=...
[Install]
WantedBy=multi-user.target
```
6) Enable proxybouncer service:
```bash
sudo systemctl enable proxybouncer
sudo systemclt start proxybouncer
```
Question: Does this setup imply that everyone will be logged in to Wekan as 'proxybouncer'? Is there a way to pass username from Google via headers, etc.?
Answer: First login to Proxybouncer can limit login domain of G Suite. Second login is using Wekan username and password. There is no integrated login yet for standalone Wekan like there is for https://sandstorm.io

3
docs/Login/Nextcloud.md Normal file
View file

@ -0,0 +1,3 @@
https://github.com/wekan/wekan/pull/3248/files
https://github.com/wekan/wekan/pull/2897/files

3
docs/Login/Oracle-Identity-Cloud.md Normal file
View file

@ -0,0 +1,3 @@
Article series at Medium
1. [Setting up Wekan with Docker, OAuth2 and Oracle Identity Cloud Service](https://medium.com/@arno.schots/setting-up-wekan-with-docker-oauth2-and-oracle-identity-cloud-service-57d4461c5bbe)

27
docs/Login/Oracle-OIM.md Normal file
View file

@ -0,0 +1,27 @@
## Login with OIDC OAuth2 Oracle OIM, on premise identity manager
[Added with this commit](https://github.com/wekan/wekan/commit/ec8a78537f1dc40e967de36a02ea09cf7398318a), and after [added change that OAUTH2_REQUEST_PERMISSION can be set freely with environment variable](https://github.com/wekan/wekan/commit/1b429b3f99c32840ebb0ff9a29015aa8c28ec644) for what is required.
Here is a summary of code and changes by anonymous Wekan contributors and xet7:
- If the OAuth2 token doesn't contain the email address, Wekan raises an exception. The userinfo and servicedata were changed to avoid that.
- In the getToken function, OIM expects a POST request that contains OAUTH2_CLIENT_ID and OAUTH2_SECRET in its header. We fixed that.
- We also had to edit the app.js in order to put a custom "scope" value. But we think the target should be to be able to set this as an environment variable.
- There is a problem in the code when email is null or empty. I know it might not be null but we have some situation where it is. xet7 fixed it in above commit so that if email is missing, it takes that value from username. When logging into Wekan with OIDC, both username and email should be mapped to email.
- It was tested that with these changes, this works well.
### About settings
Other OIDC settings are similar like in this wiki OAuth2, Google, Azure etc settings. Both username and email should be mapped to email.
### Snap
```
sudo snap set wekan oracle-oim-enabled='true'
```
Unset Snap:
```
sudo snap unset wekan oracle-oim-enabled
```
### Docker
```
- ORACLE_OIM_ENABLED=true
```

8
docs/Login/Password-Hashing.md Normal file
View file

@ -0,0 +1,8 @@
While [discussing various alternatives in hashing passwords](https://github.com/meteor/meteor/discussions/11812#discussioncomment-1930533):
From @xet7 at 2022-01-08:
Hi,
about Argon2. Today when I was in progress of translating Gitea from English to Finnish, I noticed this Gitea translation string, related to Argon2:
> Set the password hashing algorithm. Algorithms have differing requirements and strength. `argon2` whilst having good characteristics uses a lot of memory and may be inappropriate for small systems.

17
docs/Login/SAML.md Normal file
View file

@ -0,0 +1,17 @@
Related SAML code, not in WeKan yet: https://forums.meteor.com/t/what-are-you-working-on/59187
[SAML Issue](https://github.com/wekan/wekan/issues/708)
[SAML settings commit](https://github.com/wekan/wekan/commit/214c86cc22f4c721a79ec0a4a4f3bbd90d673f93)
Currently has code from https://github.com/steffow/meteor-accounts-saml/ copied to `wekan/packages/meteor-accounts-saml`
Does not yet have [fixes from RocketChat SAML](https://github.com/RocketChat/Rocket.Chat/tree/develop/app/meteor-accounts-saml)
Please add pull requests if it does not work.
Wekan clientside code is at `wekan/client/components/main/layouts.*`
Wekan serverside code is at:
- `wekan/server/authentication.js` at bottom
- `wekan/packages/meteor-accounts-saml/*`

45
docs/Login/Zitadel.md Normal file
View file

@ -0,0 +1,45 @@
## Zitadel login using OAuth2
- Original issue: https://github.com/wekan/wekan/issues/5250
## Snap
```
sudo snap set wekan oauth2-enabled='true'
sudo snap set wekan oauth2-b2c-enabled='true'
sudo snap set wekan oauth2-username-map='sub'
sudo snap set wekan oauth2-client-id='xxxxxxxx'
sudo snap set wekan oauth2-secret='xxxxxxx'
sudo snap set wekan oauth2-server-url='https://auth.yourserver.com'
sudo snap set wekan oauth2-auth-endpoint='/oauth/v2/authorize'
sudo snap set wekan oauth2-userinfo-endpoint='/oidc/v1/userinfo'
sudo snap set wekan oauth2-token-endpoint='/oauth/v2/token'
sudo snap set wekan oauth2-id-map='sub'
sudo snap set wekan oauth2-username-map='email'
sudo snap set wekan oauth2-email-map='email'
sudo snap set wekan oauth2-fullname-map='given_name'
sudo snap set wekan oauth2-request-permissions='openid email profile'
```
## Docker
https://github.com/wekan/wekan/blob/main/docker-compose.yml
```
- OAUTH2_ENABLED=true
- OAUTH2_CLIENT_ID=xxxxxxxx
- OAUTH2_SECRET=xxxxxxxx
- OAUTH2_SERVER_URL=https://auth.yourserver.com
- OAUTH2_AUTH_ENDPOINT=/oauth/v2/authorize
- OAUTH2_USERINFO_ENDPOINT=/oidc/v1/userinfo
- OAUTH2_TOKEN_ENDPOINT=/oauth/v2/token
- OAUTH2_ID_MAP=sub
- OAUTH2_USERNAME_MAP=email
- OAUTH2_EMAIL_MAP=email
- OAUTH2_FULLNAME_MAP=given_name
- OAUTH2_REQUEST_PERMISSIONS=openid profile email
```
## Others
Similar like above Docker.

6
docs/Login/autologin.md Normal file
View file

@ -0,0 +1,6 @@
# Autologin with OIDC/OAUTH2
https://github.com/wekan/wekan/pull/4588
https://github.com/wekan/wekan/commit/284f4401369aadcec72e67fa935dfc3a9fead721