mirror of
https://github.com/wekan/wekan.git
synced 2025-04-23 13:37:09 -04:00
Login with OIDC OAuth2 Oracle on premise identity manager OIM, with setting ORACLE_OIM_ENABLED=true.
Thanks to xet7 !
This commit is contained in:
Lauri Ojansivu
parent
4eb7597aa9
commit
ec8a78537f
9 changed files with 227 additions and 107 deletions
|
|
@ -130,7 +130,8 @@ ENV BUILD_DEPS="apt-utils libarchive-tools gnupg gosu wget curl bzip2 g++ build-
|
|||
SAML_PUBLIC_CERTFILE="" \
|
||||
SAML_IDENTIFIER_FORMAT="" \
|
||||
SAML_LOCAL_PROFILE_MATCH_ATTRIBUTE="" \
|
||||
SAML_ATTRIBUTES=""
|
||||
SAML_ATTRIBUTES="" \
|
||||
ORACLE_OIM_ENABLED=false
|
||||
|
||||
# Copy the app to the image
|
||||
COPY ${SRC_PATH} /home/wekan/app
|
||||
|
|
|
|||
|
|
@ -323,6 +323,9 @@ services:
|
|||
# ==== Debug OIDC OAuth2 etc ====
|
||||
#- DEBUG=true
|
||||
#-----------------------------------------------------------------
|
||||
# ==== OAUTH2 ORACLE on premise identity manager OIM ====
|
||||
#- ORACLE_OIM_ENABLED=true
|
||||
#-----------------------------------------------------------------
|
||||
# ==== OAUTH2 AZURE ====
|
||||
# https://github.com/wekan/wekan/wiki/Azure
|
||||
# 1) Register the application with Azure. Make sure you capture
|
||||
|
|
|
|||
|
|
@ -33,7 +33,19 @@ OAuth.registerService('oidc', 2, null, function (query) {
|
|||
serviceData.fullname = userinfo[process.env.OAUTH2_FULLNAME_MAP]; // || userinfo["displayName"];
|
||||
serviceData.accessToken = accessToken;
|
||||
serviceData.expiresAt = expiresAt;
|
||||
serviceData.email = userinfo[process.env.OAUTH2_EMAIL_MAP]; // || userinfo["email"];
|
||||
|
||||
// If on Oracle OIM email is empty or null, get info from username
|
||||
if (process.env.ORACLE_OIM_ENABLED === 'true' || process.env.ORACLE_OIM_ENABLED === true) {
|
||||
if (userinfo[process.env.OAUTH2_EMAIL_MAP]) {
|
||||
serviceData.email = userinfo[process.env.OAUTH2_EMAIL_MAP];
|
||||
} else {
|
||||
serviceData.email = userinfo[process.env.OAUTH2_USERNAME_MAP];
|
||||
}
|
||||
}
|
||||
|
||||
if (process.env.ORACLE_OIM_ENABLED !== 'true' && process.env.ORACLE_OIM_ENABLED !== true) {
|
||||
serviceData.email = userinfo[process.env.OAUTH2_EMAIL_MAP]; // || userinfo["email"];
|
||||
}
|
||||
|
||||
if (accessToken) {
|
||||
var tokenContent = getTokenContent(accessToken);
|
||||
|
|
@ -61,47 +73,108 @@ if (Meteor.release) {
|
|||
userAgent += "/" + Meteor.release;
|
||||
}
|
||||
|
||||
var getToken = function (query) {
|
||||
var debug = process.env.DEBUG || false;
|
||||
var config = getConfiguration();
|
||||
if(config.tokenEndpoint.includes('https://')){
|
||||
var serverTokenEndpoint = config.tokenEndpoint;
|
||||
}else{
|
||||
var serverTokenEndpoint = config.serverUrl + config.tokenEndpoint;
|
||||
}
|
||||
var requestPermissions = config.requestPermissions;
|
||||
var response;
|
||||
if (process.env.ORACLE_OIM_ENABLED !== 'true' && process.env.ORACLE_OIM_ENABLED !== true) {
|
||||
var getToken = function (query) {
|
||||
var debug = process.env.DEBUG || false;
|
||||
var config = getConfiguration();
|
||||
if(config.tokenEndpoint.includes('https://')){
|
||||
var serverTokenEndpoint = config.tokenEndpoint;
|
||||
}else{
|
||||
var serverTokenEndpoint = config.serverUrl + config.tokenEndpoint;
|
||||
}
|
||||
var requestPermissions = config.requestPermissions;
|
||||
var response;
|
||||
|
||||
try {
|
||||
response = HTTP.post(
|
||||
serverTokenEndpoint,
|
||||
{
|
||||
headers: {
|
||||
Accept: 'application/json',
|
||||
"User-Agent": userAgent
|
||||
},
|
||||
params: {
|
||||
code: query.code,
|
||||
client_id: config.clientId,
|
||||
client_secret: OAuth.openSecret(config.secret),
|
||||
redirect_uri: OAuth._redirectUri('oidc', config),
|
||||
grant_type: 'authorization_code',
|
||||
state: query.state
|
||||
try {
|
||||
response = HTTP.post(
|
||||
serverTokenEndpoint,
|
||||
{
|
||||
headers: {
|
||||
Accept: 'application/json',
|
||||
"User-Agent": userAgent
|
||||
},
|
||||
params: {
|
||||
code: query.code,
|
||||
client_id: config.clientId,
|
||||
client_secret: OAuth.openSecret(config.secret),
|
||||
redirect_uri: OAuth._redirectUri('oidc', config),
|
||||
grant_type: 'authorization_code',
|
||||
state: query.state
|
||||
}
|
||||
}
|
||||
}
|
||||
);
|
||||
} catch (err) {
|
||||
throw _.extend(new Error("Failed to get token from OIDC " + serverTokenEndpoint + ": " + err.message),
|
||||
{ response: err.response });
|
||||
}
|
||||
if (response.data.error) {
|
||||
// if the http response was a json object with an error attribute
|
||||
throw new Error("Failed to complete handshake with OIDC " + serverTokenEndpoint + ": " + response.data.error);
|
||||
} else {
|
||||
if (debug) console.log('XXX: getToken response: ', response.data);
|
||||
return response.data;
|
||||
}
|
||||
};
|
||||
);
|
||||
} catch (err) {
|
||||
throw _.extend(new Error("Failed to get token from OIDC " + serverTokenEndpoint + ": " + err.message),
|
||||
{ response: err.response });
|
||||
}
|
||||
if (response.data.error) {
|
||||
// if the http response was a json object with an error attribute
|
||||
throw new Error("Failed to complete handshake with OIDC " + serverTokenEndpoint + ": " + response.data.error);
|
||||
} else {
|
||||
if (debug) console.log('XXX: getToken response: ', response.data);
|
||||
return response.data;
|
||||
}
|
||||
};
|
||||
}
|
||||
|
||||
if (process.env.ORACLE_OIM_ENABLED === 'true' || process.env.ORACLE_OIM_ENABLED === true) {
|
||||
|
||||
var getToken = function (query) {
|
||||
var debug = (process.env.DEBUG === 'true' || process.env.DEBUG === true) || false;
|
||||
var config = getConfiguration();
|
||||
if(config.tokenEndpoint.includes('https://')){
|
||||
var serverTokenEndpoint = config.tokenEndpoint;
|
||||
}else{
|
||||
var serverTokenEndpoint = config.serverUrl + config.tokenEndpoint;
|
||||
}
|
||||
var requestPermissions = config.requestPermissions;
|
||||
var response;
|
||||
|
||||
// OIM needs basic Authentication token in the header - ClientID + SECRET in base64
|
||||
var dataToken=null;
|
||||
var strBasicToken=null;
|
||||
var strBasicToken64=null;
|
||||
|
||||
dataToken = process.env.OAUTH2_CLIENT_ID + ':' + process.env.OAUTH2_SECRET;
|
||||
strBasicToken = new Buffer(dataToken);
|
||||
strBasicToken64 = strBasicToken.toString('base64');
|
||||
|
||||
// eslint-disable-next-line no-console
|
||||
if (debug) console.log('Basic Token: ', strBasicToken64);
|
||||
|
||||
try {
|
||||
response = HTTP.post(
|
||||
serverTokenEndpoint,
|
||||
{
|
||||
headers: {
|
||||
Accept: 'application/json',
|
||||
"User-Agent": userAgent,
|
||||
"Authorization": "Basic " + strBasicToken64
|
||||
},
|
||||
params: {
|
||||
code: query.code,
|
||||
client_id: config.clientId,
|
||||
client_secret: OAuth.openSecret(config.secret),
|
||||
redirect_uri: OAuth._redirectUri('oidc', config),
|
||||
grant_type: 'authorization_code',
|
||||
state: query.state
|
||||
}
|
||||
}
|
||||
);
|
||||
} catch (err) {
|
||||
throw _.extend(new Error("Failed to get token from OIDC " + serverTokenEndpoint + ": " + err.message),
|
||||
{ response: err.response });
|
||||
}
|
||||
if (response.data.error) {
|
||||
// if the http response was a json object with an error attribute
|
||||
throw new Error("Failed to complete handshake with OIDC " + serverTokenEndpoint + ": " + response.data.error);
|
||||
} else {
|
||||
// eslint-disable-next-line no-console
|
||||
if (debug) console.log('XXX: getToken response: ', response.data);
|
||||
return response.data;
|
||||
}
|
||||
};
|
||||
}
|
||||
|
||||
var getUserInfo = function (accessToken) {
|
||||
var debug = process.env.DEBUG || false;
|
||||
|
|
|
|||
|
|
@ -64,6 +64,28 @@ Meteor.startup(() => {
|
|||
|
||||
if (Meteor.isServer) {
|
||||
if (
|
||||
process.env.ORACLE_OIM_ENABLED === 'true' ||
|
||||
process.env.ORACLE_OIM_ENABLED === true
|
||||
) {
|
||||
ServiceConfiguration.configurations.upsert(
|
||||
// eslint-disable-line no-undef
|
||||
{ service: 'oidc' },
|
||||
{
|
||||
$set: {
|
||||
loginStyle: process.env.OAUTH2_LOGIN_STYLE,
|
||||
clientId: process.env.OAUTH2_CLIENT_ID,
|
||||
secret: process.env.OAUTH2_SECRET,
|
||||
serverUrl: process.env.OAUTH2_SERVER_URL,
|
||||
authorizationEndpoint: process.env.OAUTH2_AUTH_ENDPOINT,
|
||||
userinfoEndpoint: process.env.OAUTH2_USERINFO_ENDPOINT,
|
||||
tokenEndpoint: process.env.OAUTH2_TOKEN_ENDPOINT,
|
||||
idTokenWhitelistFields:
|
||||
process.env.OAUTH2_ID_TOKEN_WHITELIST_FIELDS || [],
|
||||
requestPermissions: 'BDFUserProfile.me',
|
||||
},
|
||||
},
|
||||
);
|
||||
} else if (
|
||||
process.env.OAUTH2_ENABLED === 'true' ||
|
||||
process.env.OAUTH2_ENABLED === true
|
||||
) {
|
||||
|
|
@ -87,73 +109,73 @@ Meteor.startup(() => {
|
|||
// OAUTH2_REQUEST_PERMISSIONS || 'openid profile email',
|
||||
},
|
||||
);
|
||||
}
|
||||
} else if (
|
||||
process.env.CAS_ENABLED === 'true' ||
|
||||
process.env.CAS_ENABLED === true
|
||||
) {
|
||||
ServiceConfiguration.configurations.upsert(
|
||||
// eslint-disable-line no-undef
|
||||
{ service: 'cas' },
|
||||
{
|
||||
$set: {
|
||||
baseUrl: process.env.CAS_BASE_URL,
|
||||
loginUrl: process.env.CAS_LOGIN_URL,
|
||||
serviceParam: 'service',
|
||||
popupWidth: 810,
|
||||
popupHeight: 610,
|
||||
popup: true,
|
||||
autoClose: true,
|
||||
validateUrl: process.env.CASE_VALIDATE_URL,
|
||||
casVersion: 3.0,
|
||||
attributes: {
|
||||
debug: process.env.DEBUG,
|
||||
} else if (
|
||||
process.env.CAS_ENABLED === 'true' ||
|
||||
process.env.CAS_ENABLED === true
|
||||
) {
|
||||
ServiceConfiguration.configurations.upsert(
|
||||
// eslint-disable-line no-undef
|
||||
{ service: 'cas' },
|
||||
{
|
||||
$set: {
|
||||
baseUrl: process.env.CAS_BASE_URL,
|
||||
loginUrl: process.env.CAS_LOGIN_URL,
|
||||
serviceParam: 'service',
|
||||
popupWidth: 810,
|
||||
popupHeight: 610,
|
||||
popup: true,
|
||||
autoClose: true,
|
||||
validateUrl: process.env.CASE_VALIDATE_URL,
|
||||
casVersion: 3.0,
|
||||
attributes: {
|
||||
debug: process.env.DEBUG,
|
||||
},
|
||||
},
|
||||
},
|
||||
},
|
||||
);
|
||||
} else if (
|
||||
process.env.SAML_ENABLED === 'true' ||
|
||||
process.env.SAML_ENABLED === true
|
||||
) {
|
||||
ServiceConfiguration.configurations.upsert(
|
||||
// eslint-disable-line no-undef
|
||||
{ service: 'saml' },
|
||||
{
|
||||
$set: {
|
||||
provider: process.env.SAML_PROVIDER,
|
||||
entryPoint: process.env.SAML_ENTRYPOINT,
|
||||
issuer: process.env.SAML_ISSUER,
|
||||
cert: process.env.SAML_CERT,
|
||||
idpSLORedirectURL: process.env.SAML_IDPSLO_REDIRECTURL,
|
||||
privateKeyFile: process.env.SAML_PRIVATE_KEYFILE,
|
||||
publicCertFile: process.env.SAML_PUBLIC_CERTFILE,
|
||||
identifierFormat: process.env.SAML_IDENTIFIER_FORMAT,
|
||||
localProfileMatchAttribute:
|
||||
process.env.SAML_LOCAL_PROFILE_MATCH_ATTRIBUTE,
|
||||
attributesSAML: process.env.SAML_ATTRIBUTES || [
|
||||
'sn',
|
||||
'givenName',
|
||||
'mail',
|
||||
],
|
||||
);
|
||||
} else if (
|
||||
process.env.SAML_ENABLED === 'true' ||
|
||||
process.env.SAML_ENABLED === true
|
||||
) {
|
||||
ServiceConfiguration.configurations.upsert(
|
||||
// eslint-disable-line no-undef
|
||||
{ service: 'saml' },
|
||||
{
|
||||
$set: {
|
||||
provider: process.env.SAML_PROVIDER,
|
||||
entryPoint: process.env.SAML_ENTRYPOINT,
|
||||
issuer: process.env.SAML_ISSUER,
|
||||
cert: process.env.SAML_CERT,
|
||||
idpSLORedirectURL: process.env.SAML_IDPSLO_REDIRECTURL,
|
||||
privateKeyFile: process.env.SAML_PRIVATE_KEYFILE,
|
||||
publicCertFile: process.env.SAML_PUBLIC_CERTFILE,
|
||||
identifierFormat: process.env.SAML_IDENTIFIER_FORMAT,
|
||||
localProfileMatchAttribute:
|
||||
process.env.SAML_LOCAL_PROFILE_MATCH_ATTRIBUTE,
|
||||
attributesSAML: process.env.SAML_ATTRIBUTES || [
|
||||
'sn',
|
||||
'givenName',
|
||||
'mail',
|
||||
],
|
||||
|
||||
/*
|
||||
settings = {"saml":[{
|
||||
"provider":"openam",
|
||||
"entryPoint":"https://openam.idp.io/openam/SSORedirect/metaAlias/zimt/idp",
|
||||
"issuer": "https://sp.zimt.io/", //replace with url of your app
|
||||
"cert":"MIICizCCAfQCCQCY8tKaMc0 LOTS OF FUNNY CHARS ==",
|
||||
"idpSLORedirectURL": "http://openam.idp.io/openam/IDPSloRedirect/metaAlias/zimt/idp",
|
||||
"privateKeyFile": "certs/mykey.pem", // path is relative to $METEOR-PROJECT/private
|
||||
"publicCertFile": "certs/mycert.pem", // eg $METEOR-PROJECT/private/certs/mycert.pem
|
||||
"dynamicProfile": true // set to true if we want to create a user in Meteor.users dynamically if SAML assertion is valid
|
||||
"identifierFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified", // Defaults to urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
|
||||
"localProfileMatchAttribute": "telephoneNumber" // CAUTION: this will be mapped to profile.<localProfileMatchAttribute> attribute in Mongo if identifierFormat (see above) differs from urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress,
|
||||
"attributesSAML": [telephoneNumber, sn, givenName, mail], // attrs from SAML attr statement, which will be used for local Meteor profile creation. Currently no real attribute mapping. If required use mapping on IdP side.
|
||||
}]}
|
||||
*/
|
||||
/*
|
||||
settings = {"saml":[{
|
||||
"provider":"openam",
|
||||
"entryPoint":"https://openam.idp.io/openam/SSORedirect/metaAlias/zimt/idp",
|
||||
"issuer": "https://sp.zimt.io/", //replace with url of your app
|
||||
"cert":"MIICizCCAfQCCQCY8tKaMc0 LOTS OF FUNNY CHARS ==",
|
||||
"idpSLORedirectURL": "http://openam.idp.io/openam/IDPSloRedirect/metaAlias/zimt/idp",
|
||||
"privateKeyFile": "certs/mykey.pem", // path is relative to $METEOR-PROJECT/private
|
||||
"publicCertFile": "certs/mycert.pem", // eg $METEOR-PROJECT/private/certs/mycert.pem
|
||||
"dynamicProfile": true // set to true if we want to create a user in Meteor.users dynamically if SAML assertion is valid
|
||||
"identifierFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified", // Defaults to urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
|
||||
"localProfileMatchAttribute": "telephoneNumber" // CAUTION: this will be mapped to profile.<localProfileMatchAttribute> attribute in Mongo if identifierFormat (see above) differs from urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress,
|
||||
"attributesSAML": [telephoneNumber, sn, givenName, mail], // attrs from SAML attr statement, which will be used for local Meteor profile creation. Currently no real attribute mapping. If required use mapping on IdP side.
|
||||
}]}
|
||||
*/
|
||||
},
|
||||
},
|
||||
},
|
||||
);
|
||||
);
|
||||
}
|
||||
}
|
||||
});
|
||||
|
|
|
|||
|
|
@ -3,7 +3,7 @@
|
|||
# All supported keys are defined here together with descriptions and default values
|
||||
|
||||
# list of supported keys
|
||||
keys="DEBUG MONGO_URL MONGODB_BIND_UNIX_SOCKET MONGO_URL MONGODB_BIND_IP MONGODB_PORT MAIL_URL MAIL_FROM ROOT_URL PORT DISABLE_MONGODB CADDY_ENABLED CADDY_BIND_PORT WITH_API RICHER_CARD_COMMENT_EDITOR CARD_OPENED_WEBHOOK_ENABLED ACCOUNTS_LOCKOUT_KNOWN_USERS_FAILURES_BEFORE ACCOUNTS_LOCKOUT_KNOWN_USERS_PERIOD ACCOUNTS_LOCKOUT_KNOWN_USERS_FAILURE_WINDOW ACCOUNTS_LOCKOUT_UNKNOWN_USERS_FAILURES_BERORE ACCOUNTS_LOCKOUT_UNKNOWN_USERS_LOCKOUT_PERIOD ACCOUNTS_LOCKOUT_UNKNOWN_USERS_FAILURE_WINDOW MAX_IMAGE_PIXEL IMAGE_COMPRESS_RATIO BIGEVENTS_PATTERN NOTIFICATION_TRAY_AFTER_READ_DAYS_BEFORE_REMOVE NOTIFY_DUE_DAYS_BEFORE_AND_AFTER NOTIFY_DUE_AT_HOUR_OF_DAY EMAIL_NOTIFICATION_TIMEOUT CORS CORS_ALLOW_HEADERS CORS_EXPOSE_HEADERS MATOMO_ADDRESS MATOMO_SITE_ID MATOMO_DO_NOT_TRACK MATOMO_WITH_USERNAME BROWSER_POLICY_ENABLED TRUSTED_URL WEBHOOKS_ATTRIBUTES OAUTH2_ENABLED OAUTH2_LOGIN_STYLE OAUTH2_CLIENT_ID OAUTH2_SECRET OAUTH2_SERVER_URL OAUTH2_AUTH_ENDPOINT OAUTH2_USERINFO_ENDPOINT OAUTH2_TOKEN_ENDPOINT OAUTH2_ID_MAP OAUTH2_USERNAME_MAP OAUTH2_FULLNAME_MAP OAUTH2_ID_TOKEN_WHITELIST_FIELDS OAUTH2_EMAIL_MAP OAUTH2_REQUEST_PERMISSIONS OAUTH2_ADFS_ENABLED LDAP_ENABLE LDAP_PORT LDAP_HOST LDAP_BASEDN LDAP_LOGIN_FALLBACK LDAP_RECONNECT LDAP_TIMEOUT LDAP_IDLE_TIMEOUT LDAP_CONNECT_TIMEOUT LDAP_AUTHENTIFICATION LDAP_AUTHENTIFICATION_USERDN LDAP_AUTHENTIFICATION_PASSWORD LDAP_LOG_ENABLED LDAP_BACKGROUND_SYNC LDAP_BACKGROUND_SYNC_INTERVAL LDAP_BACKGROUND_SYNC_KEEP_EXISTANT_USERS_UPDATED LDAP_BACKGROUND_SYNC_IMPORT_NEW_USERS LDAP_ENCRYPTION LDAP_CA_CERT LDAP_REJECT_UNAUTHORIZED LDAP_USER_AUTHENTICATION LDAP_USER_AUTHENTICATION_FIELD LDAP_USER_SEARCH_FILTER LDAP_USER_SEARCH_SCOPE LDAP_USER_SEARCH_FIELD LDAP_SEARCH_PAGE_SIZE LDAP_SEARCH_SIZE_LIMIT LDAP_GROUP_FILTER_ENABLE LDAP_GROUP_FILTER_OBJECTCLASS LDAP_GROUP_FILTER_GROUP_ID_ATTRIBUTE LDAP_GROUP_FILTER_GROUP_MEMBER_ATTRIBUTE LDAP_GROUP_FILTER_GROUP_MEMBER_FORMAT LDAP_GROUP_FILTER_GROUP_NAME LDAP_UNIQUE_IDENTIFIER_FIELD LDAP_UTF8_NAMES_SLUGIFY LDAP_USERNAME_FIELD LDAP_FULLNAME_FIELD LDAP_MERGE_EXISTING_USERS LDAP_SYNC_USER_DATA LDAP_SYNC_USER_DATA_FIELDMAP LDAP_SYNC_GROUP_ROLES LDAP_DEFAULT_DOMAIN LDAP_EMAIL_MATCH_ENABLE LDAP_EMAIL_MATCH_REQUIRE LDAP_EMAIL_MATCH_VERIFIED LDAP_EMAIL_FIELD LDAP_SYNC_ADMIN_STATUS LDAP_SYNC_ADMIN_GROUPS HEADER_LOGIN_ID HEADER_LOGIN_FIRSTNAME HEADER_LOGIN_LASTNAME HEADER_LOGIN_EMAIL LOGOUT_WITH_TIMER LOGOUT_IN LOGOUT_ON_HOURS LOGOUT_ON_MINUTES DEFAULT_AUTHENTICATION_METHOD ATTACHMENTS_STORE_PATH PASSWORD_LOGIN_ENABLED CAS_ENABLED CAS_BASE_URL CAS_LOGIN_URL CAS_VALIDATE_URL SAML_ENABLED SAML_PROVIDER SAML_ENTRYPOINT SAML_ISSUER SAML_CERT SAML_IDPSLO_REDIRECTURL SAML_PRIVATE_KEYFILE SAML_PUBLIC_CERTFILE SAML_IDENTIFIER_FORMAT SAML_LOCAL_PROFILE_MATCH_ATTRIBUTE SAML_ATTRIBUTES"
|
||||
keys="DEBUG MONGO_URL MONGODB_BIND_UNIX_SOCKET MONGO_URL MONGODB_BIND_IP MONGODB_PORT MAIL_URL MAIL_FROM ROOT_URL PORT DISABLE_MONGODB CADDY_ENABLED CADDY_BIND_PORT WITH_API RICHER_CARD_COMMENT_EDITOR CARD_OPENED_WEBHOOK_ENABLED ACCOUNTS_LOCKOUT_KNOWN_USERS_FAILURES_BEFORE ACCOUNTS_LOCKOUT_KNOWN_USERS_PERIOD ACCOUNTS_LOCKOUT_KNOWN_USERS_FAILURE_WINDOW ACCOUNTS_LOCKOUT_UNKNOWN_USERS_FAILURES_BERORE ACCOUNTS_LOCKOUT_UNKNOWN_USERS_LOCKOUT_PERIOD ACCOUNTS_LOCKOUT_UNKNOWN_USERS_FAILURE_WINDOW MAX_IMAGE_PIXEL IMAGE_COMPRESS_RATIO BIGEVENTS_PATTERN NOTIFICATION_TRAY_AFTER_READ_DAYS_BEFORE_REMOVE NOTIFY_DUE_DAYS_BEFORE_AND_AFTER NOTIFY_DUE_AT_HOUR_OF_DAY EMAIL_NOTIFICATION_TIMEOUT CORS CORS_ALLOW_HEADERS CORS_EXPOSE_HEADERS MATOMO_ADDRESS MATOMO_SITE_ID MATOMO_DO_NOT_TRACK MATOMO_WITH_USERNAME BROWSER_POLICY_ENABLED TRUSTED_URL WEBHOOKS_ATTRIBUTES OAUTH2_ENABLED OAUTH2_LOGIN_STYLE OAUTH2_CLIENT_ID OAUTH2_SECRET OAUTH2_SERVER_URL OAUTH2_AUTH_ENDPOINT OAUTH2_USERINFO_ENDPOINT OAUTH2_TOKEN_ENDPOINT OAUTH2_ID_MAP OAUTH2_USERNAME_MAP OAUTH2_FULLNAME_MAP OAUTH2_ID_TOKEN_WHITELIST_FIELDS OAUTH2_EMAIL_MAP OAUTH2_REQUEST_PERMISSIONS OAUTH2_ADFS_ENABLED LDAP_ENABLE LDAP_PORT LDAP_HOST LDAP_BASEDN LDAP_LOGIN_FALLBACK LDAP_RECONNECT LDAP_TIMEOUT LDAP_IDLE_TIMEOUT LDAP_CONNECT_TIMEOUT LDAP_AUTHENTIFICATION LDAP_AUTHENTIFICATION_USERDN LDAP_AUTHENTIFICATION_PASSWORD LDAP_LOG_ENABLED LDAP_BACKGROUND_SYNC LDAP_BACKGROUND_SYNC_INTERVAL LDAP_BACKGROUND_SYNC_KEEP_EXISTANT_USERS_UPDATED LDAP_BACKGROUND_SYNC_IMPORT_NEW_USERS LDAP_ENCRYPTION LDAP_CA_CERT LDAP_REJECT_UNAUTHORIZED LDAP_USER_AUTHENTICATION LDAP_USER_AUTHENTICATION_FIELD LDAP_USER_SEARCH_FILTER LDAP_USER_SEARCH_SCOPE LDAP_USER_SEARCH_FIELD LDAP_SEARCH_PAGE_SIZE LDAP_SEARCH_SIZE_LIMIT LDAP_GROUP_FILTER_ENABLE LDAP_GROUP_FILTER_OBJECTCLASS LDAP_GROUP_FILTER_GROUP_ID_ATTRIBUTE LDAP_GROUP_FILTER_GROUP_MEMBER_ATTRIBUTE LDAP_GROUP_FILTER_GROUP_MEMBER_FORMAT LDAP_GROUP_FILTER_GROUP_NAME LDAP_UNIQUE_IDENTIFIER_FIELD LDAP_UTF8_NAMES_SLUGIFY LDAP_USERNAME_FIELD LDAP_FULLNAME_FIELD LDAP_MERGE_EXISTING_USERS LDAP_SYNC_USER_DATA LDAP_SYNC_USER_DATA_FIELDMAP LDAP_SYNC_GROUP_ROLES LDAP_DEFAULT_DOMAIN LDAP_EMAIL_MATCH_ENABLE LDAP_EMAIL_MATCH_REQUIRE LDAP_EMAIL_MATCH_VERIFIED LDAP_EMAIL_FIELD LDAP_SYNC_ADMIN_STATUS LDAP_SYNC_ADMIN_GROUPS HEADER_LOGIN_ID HEADER_LOGIN_FIRSTNAME HEADER_LOGIN_LASTNAME HEADER_LOGIN_EMAIL LOGOUT_WITH_TIMER LOGOUT_IN LOGOUT_ON_HOURS LOGOUT_ON_MINUTES DEFAULT_AUTHENTICATION_METHOD ATTACHMENTS_STORE_PATH PASSWORD_LOGIN_ENABLED CAS_ENABLED CAS_BASE_URL CAS_LOGIN_URL CAS_VALIDATE_URL SAML_ENABLED SAML_PROVIDER SAML_ENTRYPOINT SAML_ISSUER SAML_CERT SAML_IDPSLO_REDIRECTURL SAML_PRIVATE_KEYFILE SAML_PUBLIC_CERTFILE SAML_IDENTIFIER_FORMAT SAML_LOCAL_PROFILE_MATCH_ATTRIBUTE SAML_ATTRIBUTES ORACLE_OIM_ENABLED"
|
||||
|
||||
# default values
|
||||
DESCRIPTION_DEBUG="Debug OIDC OAuth2 etc. Example: sudo snap set wekan debug='true'"
|
||||
|
|
@ -168,6 +168,10 @@ DESCRIPTION_WEBHOOKS_ATTRIBUTES="What to send to Outgoing Webhook, or leave out.
|
|||
DEFAULT_WEBHOOKS_ATTRIBUTES=""
|
||||
KEY_WEBHOOKS_ATTRIBUTES="webhooks-attributes"
|
||||
|
||||
DESCRIPTION_ORACLE_OIM_ENABLED="Enable OAUTH2 ORACLE on premise identity manager OIM. Default: false"
|
||||
DEFAULT_ORACLE_OIM_ENABLED="false"
|
||||
KEY_ORACLE_OIM_ENABLED="oracle-oim-enabled"
|
||||
|
||||
DESCRIPTION_OAUTH2_ENABLED="Enable the OAuth2 connection. Default: false"
|
||||
DEFAULT_OAUTH2_ENABLED="false"
|
||||
KEY_OAUTH2_ENABLED="oauth2-enabled"
|
||||
|
|
|
|||
|
|
@ -182,6 +182,12 @@ echo -e "\t$ snap set $SNAP_NAME oauth2-enabled='true'"
|
|||
echo -e "\t-Disable the OAuth2 of Wekan:"
|
||||
echo -e "\t$ snap unset $SNAP_NAME oauth2-enabled"
|
||||
echo -e "\n"
|
||||
echo -e "Enable OAuth2 Oracle on premise identity manager OIM. Default: false"
|
||||
echo -e "To enable the OAuth2 Oracle OIM of Wekan:"
|
||||
echo -e "\t$ snap set $SNAP_NAME oracle-oim-enabled='true'"
|
||||
echo -e "\t-Disable the OAuth2 Oracle OIM of Wekan:"
|
||||
echo -e "\t$ snap unset $SNAP_NAME oracle-oim-enabled"
|
||||
echo -e "\n"
|
||||
echo -e "OAuth2 ADFS Enabled. Also requires oauth2-enabled='true'"
|
||||
echo -e "To enable the OAuth2 ADFS of Wekan:"
|
||||
echo -e "\t$ snap set $SNAP_NAME oauth2-adfs-enabled='true'"
|
||||
|
|
|
|||
|
|
@ -114,6 +114,11 @@ REM SET WEBHOOKS_ATTRIBUTES=
|
|||
|
||||
REM ------------------------------------------------------------
|
||||
|
||||
REM # OAUTH2 ORACLE on premise identity manager OIM
|
||||
REM SET ORACLE_OIM_ENABLED=true
|
||||
|
||||
REM ------------------------------------------------------------
|
||||
|
||||
REM # Enable the OAuth2 connection
|
||||
REM # OAuth2 docs: https://github.com/wekan/wekan/wiki/OAuth2
|
||||
REM # example: OAUTH2_ENABLED=true
|
||||
|
|
|
|||
|
|
@ -120,6 +120,9 @@
|
|||
# Example: export WEBHOOKS_ATTRIBUTES=cardId,listId,oldListId,boardId,comment,user,card,commentId
|
||||
export WEBHOOKS_ATTRIBUTES=''
|
||||
#---------------------------------------------
|
||||
# OAUTH2 ORACLE on premise identity manager OIM
|
||||
#export ORACLE_OIM_ENABLED=true
|
||||
#---------------------------------------------
|
||||
# ==== OAUTH2 AZURE ====
|
||||
# https://github.com/wekan/wekan/wiki/Azure
|
||||
# 1) Register the application with Azure. Make sure you capture
|
||||
|
|
|
|||
|
|
@ -132,7 +132,7 @@ services:
|
|||
' 1>/dev/null 2>&1 &
|
||||
mongod --replSet rs1
|
||||
wekan:
|
||||
image: quay.io/wekan/wekan
|
||||
image: wekanteam/wekan
|
||||
container_name: wekan-app
|
||||
restart: always
|
||||
networks:
|
||||
|
|
@ -309,6 +309,9 @@ services:
|
|||
# example: WEBHOOKS_ATTRIBUTES=cardId,listId,oldListId,boardId,comment,user,card,commentId
|
||||
#- WEBHOOKS_ATTRIBUTES=
|
||||
#-----------------------------------------------------------------
|
||||
# ==== OAUTH2 ORACLE on premise identity manager OIM ====
|
||||
#- ORACLE_OIM_ENABLED=true
|
||||
#-----------------------------------------------------------------
|
||||
# ==== OAUTH2 ONLY WITH OIDC AND DOORKEEPER AS INDENTITY PROVIDER
|
||||
# https://github.com/wekan/wekan/issues/1874
|
||||
# https://github.com/wekan/wekan/wiki/OAuth2
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue