Providers
This page documents the setup at the OIDC provider.
Azure AD
- Log in as admin into the tenant.
- Open App registrations in the Azure AD admin center.
- Click New registration.
- Pick a name and choose a "Supported account types" option. Leave the default value if you are not sure.
- For Redirect URI, choose Web and enter the public endpoint of openvpn-auth-oauth2, for example https://openvpn-auth-oauth2.example.com/oauth2/callback.
- Click Register.
- Copy the tenant-id and client-id. You need both as configuration options for openvpn-auth-oauth2.
- After creation, select Certificates & secrets on the left side.
- Select the tab Client secrets and create a new client secret.
- Copy the client-secret. You need it as a configuration option for openvpn-auth-oauth2.
- Then, select Token configuration on the left side.
- Click Add optional claim.
- On the right panel, select ID as token type.
- Select ipaddr from the list of claims.
- Select Add.
CONFIG_OAUTH2_ISSUER=https://login.microsoftonline.com/$TENANT_ID/v2.0
CONFIG_OAUTH2_CLIENT_ID=$CLIENT_ID
CONFIG_OAUTH2_CLIENT_SECRET=$CLIENT_SECRET
References:
- https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app
- https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-optional-claims
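The steps above tie the issuer to one tenant and enable the ipaddr claim; the checks that make those settings matter happen on the ID token after the OIDC library has verified its signature. The following is an added example (not code from the openvpn-auth-oauth2 project) showing those claim checks on a constructed token payload: the issuer and tid must match the configured tenant, the aud must be this client id, the token must not be expired, and the ipaddr claim, when requested, must match the VPN client's address. The tenant id, client id and IP values are placeholders, and the helper names are the example's own.

```python
"""Check Azure AD ID token claims against the openvpn-auth-oauth2 settings above.

Added example, not openvpn-auth-oauth2's code. It assumes the token signature was
already verified by the OIDC library and only shows the claim checks that follow.
"""
from typing import Dict, List, Optional
from urllib.parse import urlparse

# Constructed placeholders standing in for $TENANT_ID and $CLIENT_ID from the config.
TENANT_ID = "11111111-2222-3333-4444-555555555555"
CLIENT_ID = "66666666-7777-8888-9999-000000000000"
ISSUER = f"https://login.microsoftonline.com/{TENANT_ID}/v2.0"


def tenant_from_issuer(issuer: str) -> str:
    """Extract the tenant id from a v2.0 issuer URL of the form used in the config above."""
    parts = urlparse(issuer).path.strip("/").split("/")
    if len(parts) != 2 or parts[1] != "v2.0":
        raise ValueError(f"unexpected issuer format: {issuer}")
    return parts[0]


def check_id_token_claims(claims: Dict, client_ip: Optional[str], now: int) -> List[str]:
    """Return the list of problems found; an empty list means the token is acceptable.

    client_ip is the OpenVPN client's address; pass None to skip the ipaddr comparison.
    now is the current Unix time, passed in so the check is deterministic.
    """
    problems: List[str] = []
    if claims.get("iss") != ISSUER:
        problems.append(f"issuer mismatch: {claims.get('iss')!r}")
    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    if CLIENT_ID not in aud_list:
        problems.append("token not issued for this client id")
    # With a single-tenant registration the tid must equal the tenant in the issuer URL.
    if claims.get("tid") != tenant_from_issuer(ISSUER):
        problems.append("tid claim does not match the configured tenant")
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        problems.append("token expired or missing exp")
    if client_ip is not None:
        ipaddr = claims.get("ipaddr")
        if ipaddr is None:
            problems.append("ipaddr optional claim missing (add it under Token configuration)")
        elif ipaddr != client_ip:
            problems.append(f"ipaddr {ipaddr} does not match VPN client address {client_ip}")
    return problems


# Constructed sample payload, shaped like what the provider returns once ipaddr is enabled.
SAMPLE_CLAIMS = {
    "iss": ISSUER,
    "aud": CLIENT_ID,
    "tid": TENANT_ID,
    "exp": 1_700_000_600,
    "preferred_username": "alice@example.com",
    "ipaddr": "203.0.113.10",
}

if __name__ == "__main__":
    now = 1_700_000_000
    print(check_id_token_claims(SAMPLE_CLAIMS, "203.0.113.10", now))
    print(check_id_token_claims(SAMPLE_CLAIMS, "198.51.100.7", now))
    print(check_id_token_claims({**SAMPLE_CLAIMS, "tid": "other-tenant"}, "203.0.113.10", now))
```

The tid comparison is what keeps a multi-tenant registration from accepting users of foreign tenants, which is why the "Supported account types" default is the safer choice unless you deliberately need more.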
GitHub
A user must explicitly request that their organization grants openvpn-auth-oauth2 access to its resources. Otherwise openvpn-auth-oauth2 does not have the permissions needed to determine whether the user is a member of that organization, and the user will not be able to log in. This request mechanism is a feature of the GitHub API.
In GitHub, register a new application. The callback address should be the /oauth2/callback endpoint of your openvpn-auth-oauth2 URL (e.g. https://login.example.com/oauth2/callback).
After registering the app, you will receive an OAuth2 client ID and secret. These values are entered into the configuration below.
CONFIG_OAUTH2_ISSUER=https://github.com
CONFIG_OAUTH2_CLIENT_ID=$CLIENT_ID
CONFIG_OAUTH2_CLIENT_SECRET=$CLIENT_SECRET
CONFIG_OAUTH2_ENDPOINT_AUTH=https://github.com/login/oauth/authorize
CONFIG_OAUTH2_ENDPOINT_TOKEN=https://github.com/login/oauth/access_token
CONFIG_OAUTH2_VALIDATE_GROUPS=org
CONFIG_OAUTH2_VALIDATE_ROLES=org:team
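CONFIG_OAUTH2_VALIDATE_GROUPS and CONFIG_OAUTH2_VALIDATE_ROLES are shown above with the placeholders org and org:team. The following added example (not openvpn-auth-oauth2's code) illustrates how such settings gate a login once the user's organizations and teams have been fetched from the GitHub API: an organization that has not approved the app simply never appears in the user's list, so the membership check fails and the user is denied, which is the behaviour the paragraph above describes. It assumes groups are organization logins and roles are "org:team-slug" strings, and that matching at least one configured entry is sufficient; the sample membership data is constructed.

```python
"""Apply GROUPS / ROLES settings to GitHub membership data (added example, not project code).

Assumes the org logins and (org, team-slug) pairs were already retrieved from the GitHub
API for the logged-in user, and that a user passes when at least one configured entry matches.
"""
from typing import List, Tuple


def parse_list(value: str) -> List[str]:
    """Split a comma-separated config value, dropping blank entries."""
    return [v.strip() for v in value.split(",") if v.strip()]


def check_github_membership(validate_groups: str, validate_roles: str,
                            user_orgs: List[str],
                            user_teams: List[Tuple[str, str]]) -> Tuple[bool, str]:
    """Return (allowed, reason). An empty setting skips that particular check."""
    required_orgs = parse_list(validate_groups)
    required_roles = parse_list(validate_roles)
    if required_orgs and not set(required_orgs) & set(user_orgs):
        # Orgs that never approved the app for this user are absent from user_orgs,
        # so an unapproved org fails here even if the user really is a member.
        return False, f"user is not a visible member of any of {required_orgs}"
    if required_roles:
        user_roles = {f"{org}:{team}" for org, team in user_teams}
        if not set(required_roles) & user_roles:
            return False, f"user is not in any of the teams {required_roles}"
    return True, "ok"


# Constructed sample: the user approved the app for "example-org" but not for "other-org",
# so only "example-org" and its teams are visible through the API.
SAMPLE_ORGS = ["example-org"]
SAMPLE_TEAMS = [("example-org", "vpn-users"), ("example-org", "developers")]

if __name__ == "__main__":
    print(check_github_membership("example-org", "example-org:vpn-users", SAMPLE_ORGS, SAMPLE_TEAMS))
    print(check_github_membership("other-org", "", SAMPLE_ORGS, SAMPLE_TEAMS))
    print(check_github_membership("example-org", "example-org:admins", SAMPLE_ORGS, SAMPLE_TEAMS))
```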
Zitadel
- Create a project in Zitadel.
- Create a new application in the project.
- Enter a name and choose the Web type.
- Authentication method: POST.
- Redirect URL: http://<vpn>:9000/oauth2/callback
- Save the Client ID and Client Secret to use below.
After the application is created, the URLs page of the application lists all the endpoints you need.
CONFIG_HTTP_BASEURL=http://<vpn>:9000/
CONFIG_HTTP_LISTEN=:9000
CONFIG_HTTP_SECRET=1jd93h5b6s82lf03jh5b2hf9
CONFIG_OPENVPN_ADDR=unix:///run/openvpn/server.sock
CONFIG_OPENVPN_PASSWORD=<password from /etc/openvpn/password.txt>
CONFIG_OAUTH2_ISSUER=https://company.zitadel.cloud
CONFIG_OAUTH2_SCOPES=openid profile email offline_access
CONFIG_OAUTH2_CLIENT_ID=<client_id>
CONFIG_OAUTH2_CLIENT_SECRET=<client_secret>
This wiki is synced with the docs folder from the code repository! To improve the wiki, create a pull request against the code repository with the suggested changes.