Add OAuth2 docs (d5bf3e5d) · Commits · cra / overleaf-ldap-oauth2

README.md

+56 −3

Original line number	Diff line number	Diff line
		@@ -54,8 +54,7 @@ it tries to authenticate against the specified LDAP server.
		- Admins can invite non ldap users directly (via email). Additionally (``link sharing`` of projects is possible).

		Important:
		Sharelatex/Overleaf uses the email address to identify users: If you change the email in the LDAP you have to update the corresponding field
		in the mongo db.
		Sharelatex/Overleaf uses the email address to identify users: If you change the email in the LDAP/OAuth you have to update the corresponding field in the mongo db.

		```
		docker exec -it mongo /bin/bash
		@@ -141,11 +140,47 @@ LDAP_CONTACTS: 'true'

		### OAuth2 Configuration

		GitHub:
		```
		# Enable OAuth2
		OAUTH2_ENABLED: "true"

		# Provider name, optional
		OAUTH2_PROVIDER: YOUR_OAUTH2_PROVIDER

		# OAuth2 client configuration,
		OAUTH2_CLIENT_ID: YOUR_OAUTH2_CLIENT_ID
		OAUTH2_CLIENT_SECRET: YOUR_OAUTH2_CLIENT_SECRET
		# Scope should at least include email
		OAUTH2_SCOPE: YOUR_OAUTH2_SCOPE

		# OAuth2 APIs
		# Redirect to OAuth 2.0 url
		OAUTH2_AUTHORIZATION_URL: YOUR_OAUTH2_AUTHORIZATION_URL
		# Content type of authorization request
		# One of ["application/x-www-form-urlencoded", "application/json"]
		# Default "application/x-www-form-urlencoded"
		OAUTH2_AUTHORIZATION_CONTENT_TYPE: "application/x-www-form-urlencoded"
		# Fetch access token api endpoint
		OAUTH2_TOKEN_URL: YOUR_OAUTH2_TOKEN_URL
		# Fetch user profile api endpoint
		OAUTH2_PROFILE_URL: YOUR_OAUTH2_PROFILE_URL

		# OAuth2 user attributes
		# User identity
		OAUTH2_USER_ATTR_EMAIL: email
		# User attributes, only used on the first login
		OAUTH2_USER_ATTR_UID: id
		OAUTH2_USER_ATTR_FIRSTNAME: name
		OAUTH2_USER_ATTR_LASTNAME:
		OAUTH2_USER_ATTR_IS_ADMIN: site_admin
		```

		Example configuration for GitHub:

		```
		OAUTH2_ENABLED: "true"
		OAUTH2_PROVIDER: GitHub
		OAUTH2_AUTHORIZATION_CONTENT_TYPE: "application/x-www-form-urlencoded"
		OAUTH2_CLIENT_ID: YOUR_CLIENT_ID
		OAUTH2_CLIENT_SECRET: YOUR_CLIENT_SECRET
		OAUTH2_SCOPE: # the 'public' scope is sufficient for our needs, so we do not request any more
		@@ -159,6 +194,24 @@ OAUTH2_USER_ATTR_LASTNAME:
		OAUTH2_USER_ATTR_IS_ADMIN: site_admin
		```

		Example configuration for Authentik:

		```
		OAUTH2_ENABLED: "true"
		OAUTH2_PROVIDER: GitHub
		OAUTH2_AUTHORIZATION_CONTENT_TYPE: "application/x-www-form-urlencoded"
		OAUTH2_CLIENT_ID: "redacted"
		OAUTH2_CLIENT_SECRET: "redacted"
		OAUTH2_AUTHORIZATION_URL: "https://auth.redacted.domain/application/o/authorize/"
		OAUTH2_TOKEN_URL: "https://auth.redacted.domain/application/o/token/"
		OAUTH2_PROFILE_URL: "https://auth.redacted.domain/application/o/userinfo/"
		OAUTH2_USER_ATTR_EMAIL: "email"
		OAUTH2_USER_ATTR_UID: "email"
		OAUTH2_USER_ATTR_FIRSTNAME: "name"
		#to make it work one should create a custom scope first
		OAUTH2_USER_ATTR_IS_ADMIN: "is_admin"
		```

		### Sharelatex Configuration

		Edit SHARELATEX_ environment variables in [docker-compose.traefik.yml](docker-compose.traefik.yml) or [docker-compose.certbot.yml](docker-compose.certbot.yml) to fit your local setup

docker-compose.certbot.yml

+1 −1

Original line number	Diff line number	Diff line
		@@ -88,8 +88,8 @@ services:
		# OAUTH2_CLIENT_SECRET: YOUR_OAUTH2_CLIENT_SECRET
		# OAUTH2_SCOPE: YOUR_OAUTH2_SCOPE
		# OAUTH2_AUTHORIZATION_URL: YOUR_OAUTH2_AUTHORIZATION_URL
		# OAUTH2_AUTHORIZATION_CONTENT_TYPE: # One of ['application/x-www-form-urlencoded', 'application/json']
		# OAUTH2_TOKEN_URL: YOUR_OAUTH2_TOKEN_URL
		# OAUTH2_TOKEN_CONTENT_TYPE: # One of ['application/x-www-form-urlencoded', 'application/json']
		# OAUTH2_PROFILE_URL: YOUR_OAUTH2_PROFILE_URL
		# OAUTH2_USER_ATTR_EMAIL: email
		# OAUTH2_USER_ATTR_UID: id

docker-compose.traefik.yml

+1 −1

Original line number	Diff line number	Diff line
		@@ -169,8 +169,8 @@ services:
		# OAUTH2_CLIENT_SECRET: YOUR_OAUTH2_CLIENT_SECRET
		# OAUTH2_SCOPE: YOUR_OAUTH2_SCOPE
		# OAUTH2_AUTHORIZATION_URL: YOUR_OAUTH2_AUTHORIZATION_URL
		# OAUTH2_AUTHORIZATION_CONTENT_TYPE: # One of ['application/x-www-form-urlencoded', 'application/json']
		# OAUTH2_TOKEN_URL: YOUR_OAUTH2_TOKEN_URL
		# OAUTH2_TOKEN_CONTENT_TYPE: # One of ['application/x-www-form-urlencoded', 'application/json']
		# OAUTH2_PROFILE_URL: YOUR_OAUTH2_PROFILE_URL
		# OAUTH2_USER_ATTR_EMAIL: email
		# OAUTH2_USER_ATTR_UID: id

docker-compose.yml

+1 −1

Original line number	Diff line number	Diff line
		@@ -86,8 +86,8 @@ services:
		# OAUTH2_CLIENT_SECRET: YOUR_OAUTH2_CLIENT_SECRET
		# OAUTH2_SCOPE: YOUR_OAUTH2_SCOPE
		# OAUTH2_AUTHORIZATION_URL: YOUR_OAUTH2_AUTHORIZATION_URL
		# OAUTH2_AUTHORIZATION_CONTENT_TYPE: # One of ['application/x-www-form-urlencoded', 'application/json']
		# OAUTH2_TOKEN_URL: YOUR_OAUTH2_TOKEN_URL
		# OAUTH2_TOKEN_CONTENT_TYPE: # One of ['application/x-www-form-urlencoded', 'application/json']
		# OAUTH2_PROFILE_URL: YOUR_OAUTH2_PROFILE_URL
		# OAUTH2_USER_ATTR_EMAIL: email
		# OAUTH2_USER_ATTR_UID: id

ldap-overleaf-sl/sharelatex/AuthenticationController.js

+1 −1

Original line number	Diff line number	Diff line
		@@ -300,7 +300,7 @@ const AuthenticationController = {
		}

		try {
		const contentType = process.env.OAUTH2_AUTHORIZATION_CONTENT_TYPE \|\| 'application/x-www-form-urlencoded'
		const contentType = process.env.OAUTH2_TOKEN_CONTENT_TYPE \|\| 'application/x-www-form-urlencoded'
		const bodyParams = {
		grant_type: "authorization_code",
		client_id: process.env.OAUTH2_CLIENT_ID,

Admin message