diff options
-rw-r--r-- | Dockerfile | 2 | ||||
-rw-r--r-- | docker-compose.yml | 4 | ||||
-rwxr-xr-x | releases/virtualbox/start-wekan.sh | 4 | ||||
-rw-r--r-- | server/authentication.js | 4 | ||||
-rwxr-xr-x | snap-src/bin/config | 10 | ||||
-rwxr-xr-x | snap-src/bin/wekan-help | 12 | ||||
-rwxr-xr-x | start-wekan.bat | 19 | ||||
-rwxr-xr-x | start-wekan.sh | 4 |
8 files changed, 56 insertions, 3 deletions
@@ -40,6 +40,8 @@ ENV BUILD_DEPS="apt-utils bsdtar gnupg gosu wget curl bzip2 build-essential pyth OAUTH2_ID_MAP="" \ OAUTH2_USERNAME_MAP="" \ OAUTH2_FULLNAME_MAP="" \ + OAUTH2_ID_TOKEN_WHITELIST_FIELDS=[] \ + OAUTH2_REQUEST_PERMISSIONS=['openid','profiles','email'] \ OAUTH2_EMAIL_MAP="" \ LDAP_ENABLE=false \ LDAP_PORT=389 \ diff --git a/docker-compose.yml b/docker-compose.yml index a9886593..aaeb47b0 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -324,6 +324,10 @@ services: #- OAUTH2_USERINFO_ENDPOINT=/oauth/userinfo # OAuth2 Token Endpoint. #- OAUTH2_TOKEN_ENDPOINT=/oauth/token + # OAUTH2 ID Token Whitelist Fields. + #- OAUTH2_ID_TOKEN_WHITELIST_FIELDS=[] + # OAUTH2 Request Permissions. + #- OAUTH2_REQUEST_PERMISSIONS=['openid','profile','email'] # OAuth2 ID Mapping #- OAUTH2_ID_MAP= # OAuth2 Username Mapping diff --git a/releases/virtualbox/start-wekan.sh b/releases/virtualbox/start-wekan.sh index 0a44946a..cb48db37 100755 --- a/releases/virtualbox/start-wekan.sh +++ b/releases/virtualbox/start-wekan.sh @@ -81,6 +81,10 @@ #export OAUTH2_AUTH_ENDPOINT=/oauth2/v2.0/authorize #export OAUTH2_USERINFO_ENDPOINT=https://graph.microsoft.com/oidc/userinfo #export OAUTH2_TOKEN_ENDPOINT=/oauth2/v2.0/token + # OAUTH2 ID Token Whitelist Fields. + #export OAUTH2_ID_TOKEN_WHITELIST_FIELDS=[] + # OAUTH2 Request Permissions. + #export OAUTH2_REQUEST_PERMISSIONS=['openid','profile','email'] # The claim name you want to map to the unique ID field: #export OAUTH2_ID_MAP=email # The claim name you want to map to the username field: diff --git a/server/authentication.js b/server/authentication.js index 5ca45b68..328b1cb3 100644 --- a/server/authentication.js +++ b/server/authentication.js @@ -76,8 +76,8 @@ Meteor.startup(() => { authorizationEndpoint: process.env.OAUTH2_AUTH_ENDPOINT, userinfoEndpoint: process.env.OAUTH2_USERINFO_ENDPOINT, tokenEndpoint: process.env.OAUTH2_TOKEN_ENDPOINT, - idTokenWhitelistFields: [], - requestPermissions: ['openid'], + idTokenWhitelistFields: process.env.OAUTH2_ID_TOKEN_WHITELIST_FIELDS || [], + requestPermissions: process.env.OAUTH2_REQUEST_PERMISSIONS || ['openid','profile','email'], }, } ); diff --git a/snap-src/bin/config b/snap-src/bin/config index 1d766257..b950c9e5 100755 --- a/snap-src/bin/config +++ b/snap-src/bin/config @@ -3,7 +3,7 @@ # All supported keys are defined here together with descriptions and default values # list of supported keys -keys="DEBUG MONGODB_BIND_UNIX_SOCKET MONGODB_BIND_IP MONGODB_PORT MAIL_URL MAIL_FROM ROOT_URL PORT DISABLE_MONGODB CADDY_ENABLED CADDY_BIND_PORT WITH_API ACCOUNTS_LOCKOUT_KNOWN_USERS_FAILURES_BEFORE ACCOUNTS_LOCKOUT_KNOWN_USERS_PERIOD ACCOUNTS_LOCKOUT_KNOWN_USERS_FAILURE_WINDOW ACCOUNTS_LOCKOUT_UNKNOWN_USERS_FAILURES_BERORE ACCOUNTS_LOCKOUT_UNKNOWN_USERS_LOCKOUT_PERIOD ACCOUNTS_LOCKOUT_UNKNOWN_USERS_FAILURE_WINDOW EMAIL_NOTIFICATION_TIMEOUT CORS MATOMO_ADDRESS MATOMO_SITE_ID MATOMO_DO_NOT_TRACK MATOMO_WITH_USERNAME BROWSER_POLICY_ENABLED TRUSTED_URL WEBHOOKS_ATTRIBUTES OAUTH2_ENABLED OAUTH2_LOGIN_STYLE OAUTH2_CLIENT_ID OAUTH2_SECRET OAUTH2_SERVER_URL OAUTH2_AUTH_ENDPOINT OAUTH2_USERINFO_ENDPOINT OAUTH2_TOKEN_ENDPOINT OAUTH2_ID_MAP OAUTH2_USERNAME_MAP OAUTH2_FULLNAME_MAP OAUTH2_EMAIL_MAP LDAP_ENABLE LDAP_PORT LDAP_HOST LDAP_BASEDN LDAP_LOGIN_FALLBACK LDAP_RECONNECT LDAP_TIMEOUT LDAP_IDLE_TIMEOUT LDAP_CONNECT_TIMEOUT LDAP_AUTHENTIFICATION LDAP_AUTHENTIFICATION_USERDN LDAP_AUTHENTIFICATION_PASSWORD LDAP_LOG_ENABLED LDAP_BACKGROUND_SYNC LDAP_BACKGROUND_SYNC_INTERVAL LDAP_BACKGROUND_SYNC_KEEP_EXISTANT_USERS_UPDATED LDAP_BACKGROUND_SYNC_IMPORT_NEW_USERS LDAP_ENCRYPTION LDAP_CA_CERT LDAP_REJECT_UNAUTHORIZED LDAP_USER_AUTHENTICATION LDAP_USER_SEARCH_FILTER LDAP_USER_SEARCH_SCOPE LDAP_USER_SEARCH_FIELD LDAP_SEARCH_PAGE_SIZE LDAP_SEARCH_SIZE_LIMIT LDAP_GROUP_FILTER_ENABLE LDAP_GROUP_FILTER_OBJECTCLASS LDAP_GROUP_FILTER_GROUP_ID_ATTRIBUTE LDAP_GROUP_FILTER_GROUP_MEMBER_ATTRIBUTE LDAP_GROUP_FILTER_GROUP_MEMBER_FORMAT LDAP_GROUP_FILTER_GROUP_NAME LDAP_UNIQUE_IDENTIFIER_FIELD LDAP_UTF8_NAMES_SLUGIFY LDAP_USERNAME_FIELD LDAP_FULLNAME_FIELD LDAP_MERGE_EXISTING_USERS LDAP_SYNC_USER_DATA LDAP_SYNC_USER_DATA_FIELDMAP LDAP_SYNC_GROUP_ROLES LDAP_DEFAULT_DOMAIN LDAP_EMAIL_MATCH_ENABLE LDAP_EMAIL_MATCH_REQUIRE LDAP_EMAIL_MATCH_VERIFIED LDAP_EMAIL_FIELD LDAP_SYNC_ADMIN_STATUS LDAP_SYNC_ADMIN_GROUPS HEADER_LOGIN_ID HEADER_LOGIN_FIRSTNAME HEADER_LOGIN_LASTNAME HEADER_LOGIN_EMAIL LOGOUT_WITH_TIMER LOGOUT_IN LOGOUT_ON_HOURS LOGOUT_ON_MINUTES DEFAULT_AUTHENTICATION_METHOD" +keys="DEBUG MONGODB_BIND_UNIX_SOCKET MONGODB_BIND_IP MONGODB_PORT MAIL_URL MAIL_FROM ROOT_URL PORT DISABLE_MONGODB CADDY_ENABLED CADDY_BIND_PORT WITH_API ACCOUNTS_LOCKOUT_KNOWN_USERS_FAILURES_BEFORE ACCOUNTS_LOCKOUT_KNOWN_USERS_PERIOD ACCOUNTS_LOCKOUT_KNOWN_USERS_FAILURE_WINDOW ACCOUNTS_LOCKOUT_UNKNOWN_USERS_FAILURES_BERORE ACCOUNTS_LOCKOUT_UNKNOWN_USERS_LOCKOUT_PERIOD ACCOUNTS_LOCKOUT_UNKNOWN_USERS_FAILURE_WINDOW EMAIL_NOTIFICATION_TIMEOUT CORS MATOMO_ADDRESS MATOMO_SITE_ID MATOMO_DO_NOT_TRACK MATOMO_WITH_USERNAME BROWSER_POLICY_ENABLED TRUSTED_URL WEBHOOKS_ATTRIBUTES OAUTH2_ENABLED OAUTH2_LOGIN_STYLE OAUTH2_CLIENT_ID OAUTH2_SECRET OAUTH2_SERVER_URL OAUTH2_AUTH_ENDPOINT OAUTH2_USERINFO_ENDPOINT OAUTH2_TOKEN_ENDPOINT OAUTH2_ID_MAP OAUTH2_USERNAME_MAP OAUTH2_FULLNAME_MAP OAUTH2_ID_TOKEN_WHITELIST_FIELDS OAUTH2_EMAIL_MAP OAUTH2_REQUEST_PERMISSIONS LDAP_ENABLE LDAP_PORT LDAP_HOST LDAP_BASEDN LDAP_LOGIN_FALLBACK LDAP_RECONNECT LDAP_TIMEOUT LDAP_IDLE_TIMEOUT LDAP_CONNECT_TIMEOUT LDAP_AUTHENTIFICATION LDAP_AUTHENTIFICATION_USERDN LDAP_AUTHENTIFICATION_PASSWORD LDAP_LOG_ENABLED LDAP_BACKGROUND_SYNC LDAP_BACKGROUND_SYNC_INTERVAL LDAP_BACKGROUND_SYNC_KEEP_EXISTANT_USERS_UPDATED LDAP_BACKGROUND_SYNC_IMPORT_NEW_USERS LDAP_ENCRYPTION LDAP_CA_CERT LDAP_REJECT_UNAUTHORIZED LDAP_USER_AUTHENTICATION LDAP_USER_SEARCH_FILTER LDAP_USER_SEARCH_SCOPE LDAP_USER_SEARCH_FIELD LDAP_SEARCH_PAGE_SIZE LDAP_SEARCH_SIZE_LIMIT LDAP_GROUP_FILTER_ENABLE LDAP_GROUP_FILTER_OBJECTCLASS LDAP_GROUP_FILTER_GROUP_ID_ATTRIBUTE LDAP_GROUP_FILTER_GROUP_MEMBER_ATTRIBUTE LDAP_GROUP_FILTER_GROUP_MEMBER_FORMAT LDAP_GROUP_FILTER_GROUP_NAME LDAP_UNIQUE_IDENTIFIER_FIELD LDAP_UTF8_NAMES_SLUGIFY LDAP_USERNAME_FIELD LDAP_FULLNAME_FIELD LDAP_MERGE_EXISTING_USERS LDAP_SYNC_USER_DATA LDAP_SYNC_USER_DATA_FIELDMAP LDAP_SYNC_GROUP_ROLES LDAP_DEFAULT_DOMAIN LDAP_EMAIL_MATCH_ENABLE LDAP_EMAIL_MATCH_REQUIRE LDAP_EMAIL_MATCH_VERIFIED LDAP_EMAIL_FIELD LDAP_SYNC_ADMIN_STATUS LDAP_SYNC_ADMIN_GROUPS HEADER_LOGIN_ID HEADER_LOGIN_FIRSTNAME HEADER_LOGIN_LASTNAME HEADER_LOGIN_EMAIL LOGOUT_WITH_TIMER LOGOUT_IN LOGOUT_ON_HOURS LOGOUT_ON_MINUTES DEFAULT_AUTHENTICATION_METHOD" # default values DESCRIPTION_DEBUG="Debug OIDC OAuth2 etc. Example: sudo snap set wekan debug='true'" @@ -166,6 +166,14 @@ DESCRIPTION_OAUTH2_FULLNAME_MAP="OAuth2 Fullname Mapping. Example: name" DEFAULT_OAUTH2_FULLNAME_MAP="" KEY_OAUTH2_FULLNAME_MAP="oauth2-fullname-map" +DESCRIPTION_OAUTH2_ID_TOKEN_WHITELIST_FIELDS="OAuth2 ID Token Whitelist Fields. Example: []" +DEFAULT_OAUTH2_ID_TOKEN_WHITELIST_FIELDS="[]" +KEY_OAUTH2_ID_TOKEN_WHITELIST_FIELDS="oauth2-id-token-whitelist-fields" + +DESCRIPTION_OAUTH2_REQUEST_PERMISSIONS="OAuth2 Request Permissions. Example: ['openid','profile','email']" +DEFAULT_OAUTH2_REQUEST_PERMISSIONS="['openid','profile','email']" +KEY_OAUTH2_REQUEST_PERMISSIONS="oauth2-request-permissions" + DESCRIPTION_OAUTH2_EMAIL_MAP="OAuth2 Email Mapping. Example: email" DEFAULT_OAUTH2_EMAIL_MAP="" KEY_OAUTH2_EMAIL_MAP="oauth2-email-map" diff --git a/snap-src/bin/wekan-help b/snap-src/bin/wekan-help index 59917395..56f418ff 100755 --- a/snap-src/bin/wekan-help +++ b/snap-src/bin/wekan-help @@ -130,6 +130,18 @@ echo -e "\t$ snap set $SNAP_NAME oauth2-token-endpoint='/oauth/token'" echo -e "\t-Disable the OAuth2 Token Endpoint of Wekan:" echo -e "\t$ snap set $SNAP_NAME oauth2-token-endpoint=''" echo -e "\n" +echo -e "OAuth2 ID Token Whitelist Fields." +echo -e "To enable the OAuth2 ID Token Whitelist Fields of Wekan:" +echo -e "\t$ snap set $SNAP_NAME oauth2-id-token-whitelist-fields='[]'" +echo -e "\t-Disable the OAuth2 ID Token Whitelist Fields of Wekan:" +echo -e "\t$ snap set $SNAP_NAME oauth2-id-token-whitelist-fields=''" +echo -e "\n" +echo -e "OAuth2 Request Permissions." +echo -e "To enable the OAuth2 Request Permissions of Wekan:" +echo -e "\t$ snap set $SNAP_NAME oauth2-request-permissions=\"['openid','profile','email']\"" +echo -e "\t-Disable the OAuth2 Request Permissions of Wekan:" +echo -e "\t$ snap set $SNAP_NAME oauth2-request-permissions=''" +echo -e "\n" echo -e "OAuth2 ID Mapping." echo -e "To enable the OAuth2 ID Mapping of Wekan:" echo -e "\t$ snap set $SNAP_NAME oauth2-id-map='username.uid'" diff --git a/start-wekan.bat b/start-wekan.bat index 7b204f13..72ab1fea 100755 --- a/start-wekan.bat +++ b/start-wekan.bat @@ -91,6 +91,25 @@ REM # OAuth2 Token Endpoint. Example: /oauth/token REM # example: OAUTH2_TOKEN_ENDPOINT=/oauth/token REM SET OAUTH2_TOKEN_ENDPOINT= + +REM # OAUTH2 ID Token Whitelist Fields. +REM SET OAUTH2_ID_TOKEN_WHITELIST_FIELDS=[] + +REM # OAUTH2 Request Permissions. +REM SET OAUTH2_REQUEST_PERMISSIONS=['openid','profile','email'] + +REM # OAuth2 ID Mapping +REM SET OAUTH2_ID_MAP= + +REM # OAuth2 Username Mapping +REM SET OAUTH2_USERNAME_MAP= + +REM # OAuth2 Fullname Mapping +REM SET OAUTH2_FULLNAME_MAP= + +REM # OAuth2 Email Mapping +REM SET OAUTH2_EMAIL_MAP= + REM ------------------------------------------------------------ REM # LDAP_ENABLE : Enable or not the connection by the LDAP diff --git a/start-wekan.sh b/start-wekan.sh index f94cb66c..25fd9bb1 100755 --- a/start-wekan.sh +++ b/start-wekan.sh @@ -141,6 +141,10 @@ function wekan_repo_check(){ #export OAUTH2_USERINFO_ENDPOINT=/oauth/userinfo # OAuth2 Token Endpoint. #export OAUTH2_TOKEN_ENDPOINT=/oauth/token + # OAUTH2 ID Token Whitelist Fields. + #export OAUTH2_ID_TOKEN_WHITELIST_FIELDS=[] + # OAUTH2 Request Permissions. + #export OAUTH2_REQUEST_PERMISSIONS=['openid','profile','email'] # OAuth2 ID Mapping #export OAUTH2_ID_MAP= # OAuth2 Username Mapping |