Skip to content

Providers

Jump to bottom
GitHub Action edited this page Oct 29, 2023 · 21 revisions

This pages documents the setup at the OIDC provider.

Azure AD

Register an app with AAD

  1. Login as admin into tenant
  2. Open App registrations in Azure AD admin center
  3. Click new registration
  4. Pick a name, chose a "Supported account types"-option. Leave the default value, if you are not sure.
  5. For redirect uri, choice Web and enter the public endpoint of openvpn-auth-oauth2, for example https://openvpn-auth-oauth2.example.com/oauth2/callback.
  6. Click register.
  7. Copy the tenant-id and client-id. You need the both as configuration option for openvpn-auth-oauth2.
  8. After creation, select Certificates & secrets on the left side.
  9. Select the tab Client secrets and create a new client secret.
  10. Copy the client-secret. Need it as configuration option for openvpn-auth-oauth2.
  11. Then, select Token configuration on the left side.
  12. Add optional claim
  13. On the right panel, select ID as token type
  14. Select ipaddr from the list of claims.
  15. Select Add.

Configuration

  • CONFIG_OAUTH2_ISSUER=https://login.microsoftonline.com/$TENANT_ID/v2.0
  • CONFIG_OAUTH2_CLIENT_ID=$CLIENT_ID
  • CONFIG_OAUTH2_CLIENT_SECRET=$CLIENT_SECRET

References:

GitHub

Caveats

A user must explicitly request an organization give openvpn-auth-oauth2 resource access. openvpn-auth-oauth2 will not have the correct permissions to determine if the user is in that organization otherwise, and the user will not be able to log in. This request mechanism is a feature of the GitHub API.

Register the application in the identity provider¶

In GitHub, register a new application. The callback address should be the /oauth2/callback endpoint of your openvpn-auth-oauth2 URL (e.g. https://login.example.com/oauth2/callback).

After registering the app, you will receive an OAuth2 client ID and secret. These values will be inputted into the configuration below.

Configuration

  • CONFIG_OAUTH2_ISSUER=https://github.com
  • CONFIG_OAUTH2_CLIENT_ID=$CLIENT_ID
  • CONFIG_OAUTH2_CLIENT_SECRET=$CLIENT_SECRET
  • CONFIG_OAUTH2_ENDPOINT_AUTH=https://github.com/login/oauth/authorize
  • CONFIG_OAUTH2_ENDPOINT_TOKEN=https://github.com/login/oauth/access_token
  • CONFIG_OAUTH2_VALIDATE_GROUPS=org
  • CONFIG_OAUTH2_VALIDATE_ROLES=org:team

This wiki is synced with the docs folder from the code repository! To improve the wiki, create a pull request against the code repository with the suggested changes.

Clone this wiki locally