mirror of
https://github.com/wekan/wekan.git
synced 2025-12-16 23:40:13 +01:00
Login with OIDC OAuth2 Oracle on premise identity manager OIM, with setting ORACLE_OIM_ENABLED=true.
Thanks to xet7 !
This commit is contained in:
Lauri Ojansivu
parent
4eb7597aa9
commit
ec8a78537f
9 changed files with 227 additions and 107 deletions
|
|
@ -130,7 +130,8 @@ ENV BUILD_DEPS="apt-utils libarchive-tools gnupg gosu wget curl bzip2 g++ build-
|
||||||
SAML_PUBLIC_CERTFILE="" \
|
SAML_PUBLIC_CERTFILE="" \
|
||||||
SAML_IDENTIFIER_FORMAT="" \
|
SAML_IDENTIFIER_FORMAT="" \
|
||||||
SAML_LOCAL_PROFILE_MATCH_ATTRIBUTE="" \
|
SAML_LOCAL_PROFILE_MATCH_ATTRIBUTE="" \
|
||||||
SAML_ATTRIBUTES=""
|
SAML_ATTRIBUTES="" \
|
||||||
|
ORACLE_OIM_ENABLED=false
|
||||||
|
|
||||||
# Copy the app to the image
|
# Copy the app to the image
|
||||||
COPY ${SRC_PATH} /home/wekan/app
|
COPY ${SRC_PATH} /home/wekan/app
|
||||||
|
|
|
||||||
|
|
@ -323,6 +323,9 @@ services:
|
||||||
# ==== Debug OIDC OAuth2 etc ====
|
# ==== Debug OIDC OAuth2 etc ====
|
||||||
#- DEBUG=true
|
#- DEBUG=true
|
||||||
#-----------------------------------------------------------------
|
#-----------------------------------------------------------------
|
||||||
|
# ==== OAUTH2 ORACLE on premise identity manager OIM ====
|
||||||
|
#- ORACLE_OIM_ENABLED=true
|
||||||
|
#-----------------------------------------------------------------
|
||||||
# ==== OAUTH2 AZURE ====
|
# ==== OAUTH2 AZURE ====
|
||||||
# https://github.com/wekan/wekan/wiki/Azure
|
# https://github.com/wekan/wekan/wiki/Azure
|
||||||
# 1) Register the application with Azure. Make sure you capture
|
# 1) Register the application with Azure. Make sure you capture
|
||||||
|
|
|
||||||
|
|
@ -33,7 +33,19 @@ OAuth.registerService('oidc', 2, null, function (query) {
|
||||||
serviceData.fullname = userinfo[process.env.OAUTH2_FULLNAME_MAP]; // || userinfo["displayName"];
|
serviceData.fullname = userinfo[process.env.OAUTH2_FULLNAME_MAP]; // || userinfo["displayName"];
|
||||||
serviceData.accessToken = accessToken;
|
serviceData.accessToken = accessToken;
|
||||||
serviceData.expiresAt = expiresAt;
|
serviceData.expiresAt = expiresAt;
|
||||||
serviceData.email = userinfo[process.env.OAUTH2_EMAIL_MAP]; // || userinfo["email"];
|
|
||||||
|
// If on Oracle OIM email is empty or null, get info from username
|
||||||
|
if (process.env.ORACLE_OIM_ENABLED === 'true' || process.env.ORACLE_OIM_ENABLED === true) {
|
||||||
|
if (userinfo[process.env.OAUTH2_EMAIL_MAP]) {
|
||||||
|
serviceData.email = userinfo[process.env.OAUTH2_EMAIL_MAP];
|
||||||
|
} else {
|
||||||
|
serviceData.email = userinfo[process.env.OAUTH2_USERNAME_MAP];
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
if (process.env.ORACLE_OIM_ENABLED !== 'true' && process.env.ORACLE_OIM_ENABLED !== true) {
|
||||||
|
serviceData.email = userinfo[process.env.OAUTH2_EMAIL_MAP]; // || userinfo["email"];
|
||||||
|
}
|
||||||
|
|
||||||
if (accessToken) {
|
if (accessToken) {
|
||||||
var tokenContent = getTokenContent(accessToken);
|
var tokenContent = getTokenContent(accessToken);
|
||||||
|
|
@ -61,47 +73,108 @@ if (Meteor.release) {
|
||||||
userAgent += "/" + Meteor.release;
|
userAgent += "/" + Meteor.release;
|
||||||
}
|
}
|
||||||
|
|
||||||
var getToken = function (query) {
|
if (process.env.ORACLE_OIM_ENABLED !== 'true' && process.env.ORACLE_OIM_ENABLED !== true) {
|
||||||
var debug = process.env.DEBUG || false;
|
var getToken = function (query) {
|
||||||
var config = getConfiguration();
|
var debug = process.env.DEBUG || false;
|
||||||
if(config.tokenEndpoint.includes('https://')){
|
var config = getConfiguration();
|
||||||
var serverTokenEndpoint = config.tokenEndpoint;
|
if(config.tokenEndpoint.includes('https://')){
|
||||||
}else{
|
var serverTokenEndpoint = config.tokenEndpoint;
|
||||||
var serverTokenEndpoint = config.serverUrl + config.tokenEndpoint;
|
}else{
|
||||||
}
|
var serverTokenEndpoint = config.serverUrl + config.tokenEndpoint;
|
||||||
var requestPermissions = config.requestPermissions;
|
}
|
||||||
var response;
|
var requestPermissions = config.requestPermissions;
|
||||||
|
var response;
|
||||||
|
|
||||||
try {
|
try {
|
||||||
response = HTTP.post(
|
response = HTTP.post(
|
||||||
serverTokenEndpoint,
|
serverTokenEndpoint,
|
||||||
{
|
{
|
||||||
headers: {
|
headers: {
|
||||||
Accept: 'application/json',
|
Accept: 'application/json',
|
||||||
"User-Agent": userAgent
|
"User-Agent": userAgent
|
||||||
},
|
},
|
||||||
params: {
|
params: {
|
||||||
code: query.code,
|
code: query.code,
|
||||||
client_id: config.clientId,
|
client_id: config.clientId,
|
||||||
client_secret: OAuth.openSecret(config.secret),
|
client_secret: OAuth.openSecret(config.secret),
|
||||||
redirect_uri: OAuth._redirectUri('oidc', config),
|
redirect_uri: OAuth._redirectUri('oidc', config),
|
||||||
grant_type: 'authorization_code',
|
grant_type: 'authorization_code',
|
||||||
state: query.state
|
state: query.state
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
);
|
||||||
);
|
} catch (err) {
|
||||||
} catch (err) {
|
throw _.extend(new Error("Failed to get token from OIDC " + serverTokenEndpoint + ": " + err.message),
|
||||||
throw _.extend(new Error("Failed to get token from OIDC " + serverTokenEndpoint + ": " + err.message),
|
{ response: err.response });
|
||||||
{ response: err.response });
|
}
|
||||||
}
|
if (response.data.error) {
|
||||||
if (response.data.error) {
|
// if the http response was a json object with an error attribute
|
||||||
// if the http response was a json object with an error attribute
|
throw new Error("Failed to complete handshake with OIDC " + serverTokenEndpoint + ": " + response.data.error);
|
||||||
throw new Error("Failed to complete handshake with OIDC " + serverTokenEndpoint + ": " + response.data.error);
|
} else {
|
||||||
} else {
|
if (debug) console.log('XXX: getToken response: ', response.data);
|
||||||
if (debug) console.log('XXX: getToken response: ', response.data);
|
return response.data;
|
||||||
return response.data;
|
}
|
||||||
}
|
};
|
||||||
};
|
}
|
||||||
|
|
||||||
|
if (process.env.ORACLE_OIM_ENABLED === 'true' || process.env.ORACLE_OIM_ENABLED === true) {
|
||||||
|
|
||||||
|
var getToken = function (query) {
|
||||||
|
var debug = (process.env.DEBUG === 'true' || process.env.DEBUG === true) || false;
|
||||||
|
var config = getConfiguration();
|
||||||
|
if(config.tokenEndpoint.includes('https://')){
|
||||||
|
var serverTokenEndpoint = config.tokenEndpoint;
|
||||||
|
}else{
|
||||||
|
var serverTokenEndpoint = config.serverUrl + config.tokenEndpoint;
|
||||||
|
}
|
||||||
|
var requestPermissions = config.requestPermissions;
|
||||||
|
var response;
|
||||||
|
|
||||||
|
// OIM needs basic Authentication token in the header - ClientID + SECRET in base64
|
||||||
|
var dataToken=null;
|
||||||
|
var strBasicToken=null;
|
||||||
|
var strBasicToken64=null;
|
||||||
|
|
||||||
|
dataToken = process.env.OAUTH2_CLIENT_ID + ':' + process.env.OAUTH2_SECRET;
|
||||||
|
strBasicToken = new Buffer(dataToken);
|
||||||
|
strBasicToken64 = strBasicToken.toString('base64');
|
||||||
|
|
||||||
|
// eslint-disable-next-line no-console
|
||||||
|
if (debug) console.log('Basic Token: ', strBasicToken64);
|
||||||
|
|
||||||
|
try {
|
||||||
|
response = HTTP.post(
|
||||||
|
serverTokenEndpoint,
|
||||||
|
{
|
||||||
|
headers: {
|
||||||
|
Accept: 'application/json',
|
||||||
|
"User-Agent": userAgent,
|
||||||
|
"Authorization": "Basic " + strBasicToken64
|
||||||
|
},
|
||||||
|
params: {
|
||||||
|
code: query.code,
|
||||||
|
client_id: config.clientId,
|
||||||
|
client_secret: OAuth.openSecret(config.secret),
|
||||||
|
redirect_uri: OAuth._redirectUri('oidc', config),
|
||||||
|
grant_type: 'authorization_code',
|
||||||
|
state: query.state
|
||||||
|
}
|
||||||
|
}
|
||||||
|
);
|
||||||
|
} catch (err) {
|
||||||
|
throw _.extend(new Error("Failed to get token from OIDC " + serverTokenEndpoint + ": " + err.message),
|
||||||
|
{ response: err.response });
|
||||||
|
}
|
||||||
|
if (response.data.error) {
|
||||||
|
// if the http response was a json object with an error attribute
|
||||||
|
throw new Error("Failed to complete handshake with OIDC " + serverTokenEndpoint + ": " + response.data.error);
|
||||||
|
} else {
|
||||||
|
// eslint-disable-next-line no-console
|
||||||
|
if (debug) console.log('XXX: getToken response: ', response.data);
|
||||||
|
return response.data;
|
||||||
|
}
|
||||||
|
};
|
||||||
|
}
|
||||||
|
|
||||||
var getUserInfo = function (accessToken) {
|
var getUserInfo = function (accessToken) {
|
||||||
var debug = process.env.DEBUG || false;
|
var debug = process.env.DEBUG || false;
|
||||||
|
|
|
||||||
|
|
@ -64,6 +64,28 @@ Meteor.startup(() => {
|
||||||
|
|
||||||
if (Meteor.isServer) {
|
if (Meteor.isServer) {
|
||||||
if (
|
if (
|
||||||
|
process.env.ORACLE_OIM_ENABLED === 'true' ||
|
||||||
|
process.env.ORACLE_OIM_ENABLED === true
|
||||||
|
) {
|
||||||
|
ServiceConfiguration.configurations.upsert(
|
||||||
|
// eslint-disable-line no-undef
|
||||||
|
{ service: 'oidc' },
|
||||||
|
{
|
||||||
|
$set: {
|
||||||
|
loginStyle: process.env.OAUTH2_LOGIN_STYLE,
|
||||||
|
clientId: process.env.OAUTH2_CLIENT_ID,
|
||||||
|
secret: process.env.OAUTH2_SECRET,
|
||||||
|
serverUrl: process.env.OAUTH2_SERVER_URL,
|
||||||
|
authorizationEndpoint: process.env.OAUTH2_AUTH_ENDPOINT,
|
||||||
|
userinfoEndpoint: process.env.OAUTH2_USERINFO_ENDPOINT,
|
||||||
|
tokenEndpoint: process.env.OAUTH2_TOKEN_ENDPOINT,
|
||||||
|
idTokenWhitelistFields:
|
||||||
|
process.env.OAUTH2_ID_TOKEN_WHITELIST_FIELDS || [],
|
||||||
|
requestPermissions: 'BDFUserProfile.me',
|
||||||
|
},
|
||||||
|
},
|
||||||
|
);
|
||||||
|
} else if (
|
||||||
process.env.OAUTH2_ENABLED === 'true' ||
|
process.env.OAUTH2_ENABLED === 'true' ||
|
||||||
process.env.OAUTH2_ENABLED === true
|
process.env.OAUTH2_ENABLED === true
|
||||||
) {
|
) {
|
||||||
|
|
@ -87,73 +109,73 @@ Meteor.startup(() => {
|
||||||
// OAUTH2_REQUEST_PERMISSIONS || 'openid profile email',
|
// OAUTH2_REQUEST_PERMISSIONS || 'openid profile email',
|
||||||
},
|
},
|
||||||
);
|
);
|
||||||
}
|
} else if (
|
||||||
} else if (
|
process.env.CAS_ENABLED === 'true' ||
|
||||||
process.env.CAS_ENABLED === 'true' ||
|
process.env.CAS_ENABLED === true
|
||||||
process.env.CAS_ENABLED === true
|
) {
|
||||||
) {
|
ServiceConfiguration.configurations.upsert(
|
||||||
ServiceConfiguration.configurations.upsert(
|
// eslint-disable-line no-undef
|
||||||
// eslint-disable-line no-undef
|
{ service: 'cas' },
|
||||||
{ service: 'cas' },
|
{
|
||||||
{
|
$set: {
|
||||||
$set: {
|
baseUrl: process.env.CAS_BASE_URL,
|
||||||
baseUrl: process.env.CAS_BASE_URL,
|
loginUrl: process.env.CAS_LOGIN_URL,
|
||||||
loginUrl: process.env.CAS_LOGIN_URL,
|
serviceParam: 'service',
|
||||||
serviceParam: 'service',
|
popupWidth: 810,
|
||||||
popupWidth: 810,
|
popupHeight: 610,
|
||||||
popupHeight: 610,
|
popup: true,
|
||||||
popup: true,
|
autoClose: true,
|
||||||
autoClose: true,
|
validateUrl: process.env.CASE_VALIDATE_URL,
|
||||||
validateUrl: process.env.CASE_VALIDATE_URL,
|
casVersion: 3.0,
|
||||||
casVersion: 3.0,
|
attributes: {
|
||||||
attributes: {
|
debug: process.env.DEBUG,
|
||||||
debug: process.env.DEBUG,
|
},
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
},
|
);
|
||||||
);
|
} else if (
|
||||||
} else if (
|
process.env.SAML_ENABLED === 'true' ||
|
||||||
process.env.SAML_ENABLED === 'true' ||
|
process.env.SAML_ENABLED === true
|
||||||
process.env.SAML_ENABLED === true
|
) {
|
||||||
) {
|
ServiceConfiguration.configurations.upsert(
|
||||||
ServiceConfiguration.configurations.upsert(
|
// eslint-disable-line no-undef
|
||||||
// eslint-disable-line no-undef
|
{ service: 'saml' },
|
||||||
{ service: 'saml' },
|
{
|
||||||
{
|
$set: {
|
||||||
$set: {
|
provider: process.env.SAML_PROVIDER,
|
||||||
provider: process.env.SAML_PROVIDER,
|
entryPoint: process.env.SAML_ENTRYPOINT,
|
||||||
entryPoint: process.env.SAML_ENTRYPOINT,
|
issuer: process.env.SAML_ISSUER,
|
||||||
issuer: process.env.SAML_ISSUER,
|
cert: process.env.SAML_CERT,
|
||||||
cert: process.env.SAML_CERT,
|
idpSLORedirectURL: process.env.SAML_IDPSLO_REDIRECTURL,
|
||||||
idpSLORedirectURL: process.env.SAML_IDPSLO_REDIRECTURL,
|
privateKeyFile: process.env.SAML_PRIVATE_KEYFILE,
|
||||||
privateKeyFile: process.env.SAML_PRIVATE_KEYFILE,
|
publicCertFile: process.env.SAML_PUBLIC_CERTFILE,
|
||||||
publicCertFile: process.env.SAML_PUBLIC_CERTFILE,
|
identifierFormat: process.env.SAML_IDENTIFIER_FORMAT,
|
||||||
identifierFormat: process.env.SAML_IDENTIFIER_FORMAT,
|
localProfileMatchAttribute:
|
||||||
localProfileMatchAttribute:
|
process.env.SAML_LOCAL_PROFILE_MATCH_ATTRIBUTE,
|
||||||
process.env.SAML_LOCAL_PROFILE_MATCH_ATTRIBUTE,
|
attributesSAML: process.env.SAML_ATTRIBUTES || [
|
||||||
attributesSAML: process.env.SAML_ATTRIBUTES || [
|
'sn',
|
||||||
'sn',
|
'givenName',
|
||||||
'givenName',
|
'mail',
|
||||||
'mail',
|
],
|
||||||
],
|
|
||||||
|
|
||||||
/*
|
/*
|
||||||
settings = {"saml":[{
|
settings = {"saml":[{
|
||||||
"provider":"openam",
|
"provider":"openam",
|
||||||
"entryPoint":"https://openam.idp.io/openam/SSORedirect/metaAlias/zimt/idp",
|
"entryPoint":"https://openam.idp.io/openam/SSORedirect/metaAlias/zimt/idp",
|
||||||
"issuer": "https://sp.zimt.io/", //replace with url of your app
|
"issuer": "https://sp.zimt.io/", //replace with url of your app
|
||||||
"cert":"MIICizCCAfQCCQCY8tKaMc0 LOTS OF FUNNY CHARS ==",
|
"cert":"MIICizCCAfQCCQCY8tKaMc0 LOTS OF FUNNY CHARS ==",
|
||||||
"idpSLORedirectURL": "http://openam.idp.io/openam/IDPSloRedirect/metaAlias/zimt/idp",
|
"idpSLORedirectURL": "http://openam.idp.io/openam/IDPSloRedirect/metaAlias/zimt/idp",
|
||||||
"privateKeyFile": "certs/mykey.pem", // path is relative to $METEOR-PROJECT/private
|
"privateKeyFile": "certs/mykey.pem", // path is relative to $METEOR-PROJECT/private
|
||||||
"publicCertFile": "certs/mycert.pem", // eg $METEOR-PROJECT/private/certs/mycert.pem
|
"publicCertFile": "certs/mycert.pem", // eg $METEOR-PROJECT/private/certs/mycert.pem
|
||||||
"dynamicProfile": true // set to true if we want to create a user in Meteor.users dynamically if SAML assertion is valid
|
"dynamicProfile": true // set to true if we want to create a user in Meteor.users dynamically if SAML assertion is valid
|
||||||
"identifierFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified", // Defaults to urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
|
"identifierFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified", // Defaults to urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
|
||||||
"localProfileMatchAttribute": "telephoneNumber" // CAUTION: this will be mapped to profile.<localProfileMatchAttribute> attribute in Mongo if identifierFormat (see above) differs from urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress,
|
"localProfileMatchAttribute": "telephoneNumber" // CAUTION: this will be mapped to profile.<localProfileMatchAttribute> attribute in Mongo if identifierFormat (see above) differs from urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress,
|
||||||
"attributesSAML": [telephoneNumber, sn, givenName, mail], // attrs from SAML attr statement, which will be used for local Meteor profile creation. Currently no real attribute mapping. If required use mapping on IdP side.
|
"attributesSAML": [telephoneNumber, sn, givenName, mail], // attrs from SAML attr statement, which will be used for local Meteor profile creation. Currently no real attribute mapping. If required use mapping on IdP side.
|
||||||
}]}
|
}]}
|
||||||
*/
|
*/
|
||||||
|
},
|
||||||
},
|
},
|
||||||
},
|
);
|
||||||
);
|
}
|
||||||
}
|
}
|
||||||
});
|
});
|
||||||
|
|
|
||||||
|
|
@ -3,7 +3,7 @@
|
||||||
# All supported keys are defined here together with descriptions and default values
|
# All supported keys are defined here together with descriptions and default values
|
||||||
|
|
||||||
# list of supported keys
|
# list of supported keys
|
||||||
keys="DEBUG MONGO_URL MONGODB_BIND_UNIX_SOCKET MONGO_URL MONGODB_BIND_IP MONGODB_PORT MAIL_URL MAIL_FROM ROOT_URL PORT DISABLE_MONGODB CADDY_ENABLED CADDY_BIND_PORT WITH_API RICHER_CARD_COMMENT_EDITOR CARD_OPENED_WEBHOOK_ENABLED ACCOUNTS_LOCKOUT_KNOWN_USERS_FAILURES_BEFORE ACCOUNTS_LOCKOUT_KNOWN_USERS_PERIOD ACCOUNTS_LOCKOUT_KNOWN_USERS_FAILURE_WINDOW ACCOUNTS_LOCKOUT_UNKNOWN_USERS_FAILURES_BERORE ACCOUNTS_LOCKOUT_UNKNOWN_USERS_LOCKOUT_PERIOD ACCOUNTS_LOCKOUT_UNKNOWN_USERS_FAILURE_WINDOW MAX_IMAGE_PIXEL IMAGE_COMPRESS_RATIO BIGEVENTS_PATTERN NOTIFICATION_TRAY_AFTER_READ_DAYS_BEFORE_REMOVE NOTIFY_DUE_DAYS_BEFORE_AND_AFTER NOTIFY_DUE_AT_HOUR_OF_DAY EMAIL_NOTIFICATION_TIMEOUT CORS CORS_ALLOW_HEADERS CORS_EXPOSE_HEADERS MATOMO_ADDRESS MATOMO_SITE_ID MATOMO_DO_NOT_TRACK MATOMO_WITH_USERNAME BROWSER_POLICY_ENABLED TRUSTED_URL WEBHOOKS_ATTRIBUTES OAUTH2_ENABLED OAUTH2_LOGIN_STYLE OAUTH2_CLIENT_ID OAUTH2_SECRET OAUTH2_SERVER_URL OAUTH2_AUTH_ENDPOINT OAUTH2_USERINFO_ENDPOINT OAUTH2_TOKEN_ENDPOINT OAUTH2_ID_MAP OAUTH2_USERNAME_MAP OAUTH2_FULLNAME_MAP OAUTH2_ID_TOKEN_WHITELIST_FIELDS OAUTH2_EMAIL_MAP OAUTH2_REQUEST_PERMISSIONS OAUTH2_ADFS_ENABLED LDAP_ENABLE LDAP_PORT LDAP_HOST LDAP_BASEDN LDAP_LOGIN_FALLBACK LDAP_RECONNECT LDAP_TIMEOUT LDAP_IDLE_TIMEOUT LDAP_CONNECT_TIMEOUT LDAP_AUTHENTIFICATION LDAP_AUTHENTIFICATION_USERDN LDAP_AUTHENTIFICATION_PASSWORD LDAP_LOG_ENABLED LDAP_BACKGROUND_SYNC LDAP_BACKGROUND_SYNC_INTERVAL LDAP_BACKGROUND_SYNC_KEEP_EXISTANT_USERS_UPDATED LDAP_BACKGROUND_SYNC_IMPORT_NEW_USERS LDAP_ENCRYPTION LDAP_CA_CERT LDAP_REJECT_UNAUTHORIZED LDAP_USER_AUTHENTICATION LDAP_USER_AUTHENTICATION_FIELD LDAP_USER_SEARCH_FILTER LDAP_USER_SEARCH_SCOPE LDAP_USER_SEARCH_FIELD LDAP_SEARCH_PAGE_SIZE LDAP_SEARCH_SIZE_LIMIT LDAP_GROUP_FILTER_ENABLE LDAP_GROUP_FILTER_OBJECTCLASS LDAP_GROUP_FILTER_GROUP_ID_ATTRIBUTE LDAP_GROUP_FILTER_GROUP_MEMBER_ATTRIBUTE LDAP_GROUP_FILTER_GROUP_MEMBER_FORMAT LDAP_GROUP_FILTER_GROUP_NAME LDAP_UNIQUE_IDENTIFIER_FIELD LDAP_UTF8_NAMES_SLUGIFY LDAP_USERNAME_FIELD LDAP_FULLNAME_FIELD LDAP_MERGE_EXISTING_USERS LDAP_SYNC_USER_DATA LDAP_SYNC_USER_DATA_FIELDMAP LDAP_SYNC_GROUP_ROLES LDAP_DEFAULT_DOMAIN LDAP_EMAIL_MATCH_ENABLE LDAP_EMAIL_MATCH_REQUIRE LDAP_EMAIL_MATCH_VERIFIED LDAP_EMAIL_FIELD LDAP_SYNC_ADMIN_STATUS LDAP_SYNC_ADMIN_GROUPS HEADER_LOGIN_ID HEADER_LOGIN_FIRSTNAME HEADER_LOGIN_LASTNAME HEADER_LOGIN_EMAIL LOGOUT_WITH_TIMER LOGOUT_IN LOGOUT_ON_HOURS LOGOUT_ON_MINUTES DEFAULT_AUTHENTICATION_METHOD ATTACHMENTS_STORE_PATH PASSWORD_LOGIN_ENABLED CAS_ENABLED CAS_BASE_URL CAS_LOGIN_URL CAS_VALIDATE_URL SAML_ENABLED SAML_PROVIDER SAML_ENTRYPOINT SAML_ISSUER SAML_CERT SAML_IDPSLO_REDIRECTURL SAML_PRIVATE_KEYFILE SAML_PUBLIC_CERTFILE SAML_IDENTIFIER_FORMAT SAML_LOCAL_PROFILE_MATCH_ATTRIBUTE SAML_ATTRIBUTES"
|
keys="DEBUG MONGO_URL MONGODB_BIND_UNIX_SOCKET MONGO_URL MONGODB_BIND_IP MONGODB_PORT MAIL_URL MAIL_FROM ROOT_URL PORT DISABLE_MONGODB CADDY_ENABLED CADDY_BIND_PORT WITH_API RICHER_CARD_COMMENT_EDITOR CARD_OPENED_WEBHOOK_ENABLED ACCOUNTS_LOCKOUT_KNOWN_USERS_FAILURES_BEFORE ACCOUNTS_LOCKOUT_KNOWN_USERS_PERIOD ACCOUNTS_LOCKOUT_KNOWN_USERS_FAILURE_WINDOW ACCOUNTS_LOCKOUT_UNKNOWN_USERS_FAILURES_BERORE ACCOUNTS_LOCKOUT_UNKNOWN_USERS_LOCKOUT_PERIOD ACCOUNTS_LOCKOUT_UNKNOWN_USERS_FAILURE_WINDOW MAX_IMAGE_PIXEL IMAGE_COMPRESS_RATIO BIGEVENTS_PATTERN NOTIFICATION_TRAY_AFTER_READ_DAYS_BEFORE_REMOVE NOTIFY_DUE_DAYS_BEFORE_AND_AFTER NOTIFY_DUE_AT_HOUR_OF_DAY EMAIL_NOTIFICATION_TIMEOUT CORS CORS_ALLOW_HEADERS CORS_EXPOSE_HEADERS MATOMO_ADDRESS MATOMO_SITE_ID MATOMO_DO_NOT_TRACK MATOMO_WITH_USERNAME BROWSER_POLICY_ENABLED TRUSTED_URL WEBHOOKS_ATTRIBUTES OAUTH2_ENABLED OAUTH2_LOGIN_STYLE OAUTH2_CLIENT_ID OAUTH2_SECRET OAUTH2_SERVER_URL OAUTH2_AUTH_ENDPOINT OAUTH2_USERINFO_ENDPOINT OAUTH2_TOKEN_ENDPOINT OAUTH2_ID_MAP OAUTH2_USERNAME_MAP OAUTH2_FULLNAME_MAP OAUTH2_ID_TOKEN_WHITELIST_FIELDS OAUTH2_EMAIL_MAP OAUTH2_REQUEST_PERMISSIONS OAUTH2_ADFS_ENABLED LDAP_ENABLE LDAP_PORT LDAP_HOST LDAP_BASEDN LDAP_LOGIN_FALLBACK LDAP_RECONNECT LDAP_TIMEOUT LDAP_IDLE_TIMEOUT LDAP_CONNECT_TIMEOUT LDAP_AUTHENTIFICATION LDAP_AUTHENTIFICATION_USERDN LDAP_AUTHENTIFICATION_PASSWORD LDAP_LOG_ENABLED LDAP_BACKGROUND_SYNC LDAP_BACKGROUND_SYNC_INTERVAL LDAP_BACKGROUND_SYNC_KEEP_EXISTANT_USERS_UPDATED LDAP_BACKGROUND_SYNC_IMPORT_NEW_USERS LDAP_ENCRYPTION LDAP_CA_CERT LDAP_REJECT_UNAUTHORIZED LDAP_USER_AUTHENTICATION LDAP_USER_AUTHENTICATION_FIELD LDAP_USER_SEARCH_FILTER LDAP_USER_SEARCH_SCOPE LDAP_USER_SEARCH_FIELD LDAP_SEARCH_PAGE_SIZE LDAP_SEARCH_SIZE_LIMIT LDAP_GROUP_FILTER_ENABLE LDAP_GROUP_FILTER_OBJECTCLASS LDAP_GROUP_FILTER_GROUP_ID_ATTRIBUTE LDAP_GROUP_FILTER_GROUP_MEMBER_ATTRIBUTE LDAP_GROUP_FILTER_GROUP_MEMBER_FORMAT LDAP_GROUP_FILTER_GROUP_NAME LDAP_UNIQUE_IDENTIFIER_FIELD LDAP_UTF8_NAMES_SLUGIFY LDAP_USERNAME_FIELD LDAP_FULLNAME_FIELD LDAP_MERGE_EXISTING_USERS LDAP_SYNC_USER_DATA LDAP_SYNC_USER_DATA_FIELDMAP LDAP_SYNC_GROUP_ROLES LDAP_DEFAULT_DOMAIN LDAP_EMAIL_MATCH_ENABLE LDAP_EMAIL_MATCH_REQUIRE LDAP_EMAIL_MATCH_VERIFIED LDAP_EMAIL_FIELD LDAP_SYNC_ADMIN_STATUS LDAP_SYNC_ADMIN_GROUPS HEADER_LOGIN_ID HEADER_LOGIN_FIRSTNAME HEADER_LOGIN_LASTNAME HEADER_LOGIN_EMAIL LOGOUT_WITH_TIMER LOGOUT_IN LOGOUT_ON_HOURS LOGOUT_ON_MINUTES DEFAULT_AUTHENTICATION_METHOD ATTACHMENTS_STORE_PATH PASSWORD_LOGIN_ENABLED CAS_ENABLED CAS_BASE_URL CAS_LOGIN_URL CAS_VALIDATE_URL SAML_ENABLED SAML_PROVIDER SAML_ENTRYPOINT SAML_ISSUER SAML_CERT SAML_IDPSLO_REDIRECTURL SAML_PRIVATE_KEYFILE SAML_PUBLIC_CERTFILE SAML_IDENTIFIER_FORMAT SAML_LOCAL_PROFILE_MATCH_ATTRIBUTE SAML_ATTRIBUTES ORACLE_OIM_ENABLED"
|
||||||
|
|
||||||
# default values
|
# default values
|
||||||
DESCRIPTION_DEBUG="Debug OIDC OAuth2 etc. Example: sudo snap set wekan debug='true'"
|
DESCRIPTION_DEBUG="Debug OIDC OAuth2 etc. Example: sudo snap set wekan debug='true'"
|
||||||
|
|
@ -168,6 +168,10 @@ DESCRIPTION_WEBHOOKS_ATTRIBUTES="What to send to Outgoing Webhook, or leave out.
|
||||||
DEFAULT_WEBHOOKS_ATTRIBUTES=""
|
DEFAULT_WEBHOOKS_ATTRIBUTES=""
|
||||||
KEY_WEBHOOKS_ATTRIBUTES="webhooks-attributes"
|
KEY_WEBHOOKS_ATTRIBUTES="webhooks-attributes"
|
||||||
|
|
||||||
|
DESCRIPTION_ORACLE_OIM_ENABLED="Enable OAUTH2 ORACLE on premise identity manager OIM. Default: false"
|
||||||
|
DEFAULT_ORACLE_OIM_ENABLED="false"
|
||||||
|
KEY_ORACLE_OIM_ENABLED="oracle-oim-enabled"
|
||||||
|
|
||||||
DESCRIPTION_OAUTH2_ENABLED="Enable the OAuth2 connection. Default: false"
|
DESCRIPTION_OAUTH2_ENABLED="Enable the OAuth2 connection. Default: false"
|
||||||
DEFAULT_OAUTH2_ENABLED="false"
|
DEFAULT_OAUTH2_ENABLED="false"
|
||||||
KEY_OAUTH2_ENABLED="oauth2-enabled"
|
KEY_OAUTH2_ENABLED="oauth2-enabled"
|
||||||
|
|
|
||||||
|
|
@ -182,6 +182,12 @@ echo -e "\t$ snap set $SNAP_NAME oauth2-enabled='true'"
|
||||||
echo -e "\t-Disable the OAuth2 of Wekan:"
|
echo -e "\t-Disable the OAuth2 of Wekan:"
|
||||||
echo -e "\t$ snap unset $SNAP_NAME oauth2-enabled"
|
echo -e "\t$ snap unset $SNAP_NAME oauth2-enabled"
|
||||||
echo -e "\n"
|
echo -e "\n"
|
||||||
|
echo -e "Enable OAuth2 Oracle on premise identity manager OIM. Default: false"
|
||||||
|
echo -e "To enable the OAuth2 Oracle OIM of Wekan:"
|
||||||
|
echo -e "\t$ snap set $SNAP_NAME oracle-oim-enabled='true'"
|
||||||
|
echo -e "\t-Disable the OAuth2 Oracle OIM of Wekan:"
|
||||||
|
echo -e "\t$ snap unset $SNAP_NAME oracle-oim-enabled"
|
||||||
|
echo -e "\n"
|
||||||
echo -e "OAuth2 ADFS Enabled. Also requires oauth2-enabled='true'"
|
echo -e "OAuth2 ADFS Enabled. Also requires oauth2-enabled='true'"
|
||||||
echo -e "To enable the OAuth2 ADFS of Wekan:"
|
echo -e "To enable the OAuth2 ADFS of Wekan:"
|
||||||
echo -e "\t$ snap set $SNAP_NAME oauth2-adfs-enabled='true'"
|
echo -e "\t$ snap set $SNAP_NAME oauth2-adfs-enabled='true'"
|
||||||
|
|
|
||||||
|
|
@ -114,6 +114,11 @@ REM SET WEBHOOKS_ATTRIBUTES=
|
||||||
|
|
||||||
REM ------------------------------------------------------------
|
REM ------------------------------------------------------------
|
||||||
|
|
||||||
|
REM # OAUTH2 ORACLE on premise identity manager OIM
|
||||||
|
REM SET ORACLE_OIM_ENABLED=true
|
||||||
|
|
||||||
|
REM ------------------------------------------------------------
|
||||||
|
|
||||||
REM # Enable the OAuth2 connection
|
REM # Enable the OAuth2 connection
|
||||||
REM # OAuth2 docs: https://github.com/wekan/wekan/wiki/OAuth2
|
REM # OAuth2 docs: https://github.com/wekan/wekan/wiki/OAuth2
|
||||||
REM # example: OAUTH2_ENABLED=true
|
REM # example: OAUTH2_ENABLED=true
|
||||||
|
|
|
||||||
|
|
@ -120,6 +120,9 @@
|
||||||
# Example: export WEBHOOKS_ATTRIBUTES=cardId,listId,oldListId,boardId,comment,user,card,commentId
|
# Example: export WEBHOOKS_ATTRIBUTES=cardId,listId,oldListId,boardId,comment,user,card,commentId
|
||||||
export WEBHOOKS_ATTRIBUTES=''
|
export WEBHOOKS_ATTRIBUTES=''
|
||||||
#---------------------------------------------
|
#---------------------------------------------
|
||||||
|
# OAUTH2 ORACLE on premise identity manager OIM
|
||||||
|
#export ORACLE_OIM_ENABLED=true
|
||||||
|
#---------------------------------------------
|
||||||
# ==== OAUTH2 AZURE ====
|
# ==== OAUTH2 AZURE ====
|
||||||
# https://github.com/wekan/wekan/wiki/Azure
|
# https://github.com/wekan/wekan/wiki/Azure
|
||||||
# 1) Register the application with Azure. Make sure you capture
|
# 1) Register the application with Azure. Make sure you capture
|
||||||
|
|
|
||||||
|
|
@ -132,7 +132,7 @@ services:
|
||||||
' 1>/dev/null 2>&1 &
|
' 1>/dev/null 2>&1 &
|
||||||
mongod --replSet rs1
|
mongod --replSet rs1
|
||||||
wekan:
|
wekan:
|
||||||
image: quay.io/wekan/wekan
|
image: wekanteam/wekan
|
||||||
container_name: wekan-app
|
container_name: wekan-app
|
||||||
restart: always
|
restart: always
|
||||||
networks:
|
networks:
|
||||||
|
|
@ -309,6 +309,9 @@ services:
|
||||||
# example: WEBHOOKS_ATTRIBUTES=cardId,listId,oldListId,boardId,comment,user,card,commentId
|
# example: WEBHOOKS_ATTRIBUTES=cardId,listId,oldListId,boardId,comment,user,card,commentId
|
||||||
#- WEBHOOKS_ATTRIBUTES=
|
#- WEBHOOKS_ATTRIBUTES=
|
||||||
#-----------------------------------------------------------------
|
#-----------------------------------------------------------------
|
||||||
|
# ==== OAUTH2 ORACLE on premise identity manager OIM ====
|
||||||
|
#- ORACLE_OIM_ENABLED=true
|
||||||
|
#-----------------------------------------------------------------
|
||||||
# ==== OAUTH2 ONLY WITH OIDC AND DOORKEEPER AS INDENTITY PROVIDER
|
# ==== OAUTH2 ONLY WITH OIDC AND DOORKEEPER AS INDENTITY PROVIDER
|
||||||
# https://github.com/wekan/wekan/issues/1874
|
# https://github.com/wekan/wekan/issues/1874
|
||||||
# https://github.com/wekan/wekan/wiki/OAuth2
|
# https://github.com/wekan/wekan/wiki/OAuth2
|
||||||
|
|
|
||||||
Loading…
Add table
Add a link
Reference in a new issue