Skip to content

Providers

Jump to bottom
GitHub Action edited this page Nov 20, 2023 · 21 revisions

This pages documents the setup at the OIDC provider.

Azure AD

Register an app with AAD

  1. Login as admin into tenant
  2. Open App registrations in Azure AD admin center
  3. Click new registration
  4. Pick a name, chose a "Supported account types"-option. Leave the default value, if you are not sure.
  5. For redirect uri, choice Web and enter the public endpoint of openvpn-auth-oauth2, for example https://openvpn-auth-oauth2.example.com/oauth2/callback.
  6. Click register.
  7. Copy the tenant-id and client-id. You need the both as configuration option for openvpn-auth-oauth2.
  8. After creation, select Certificates & secrets on the left side.
  9. Select the tab Client secrets and create a new client secret.
  10. Copy the client-secret. Need it as configuration option for openvpn-auth-oauth2.
  11. Then, select Token configuration on the left side.
  12. Add optional claim
  13. On the right panel, select ID as token type
  14. Select ipaddr from the list of claims.
  15. Select Add.

Configuration

  • CONFIG_OAUTH2_ISSUER=https://login.microsoftonline.com/$TENANT_ID/v2.0
  • CONFIG_OAUTH2_CLIENT_ID=$CLIENT_ID
  • CONFIG_OAUTH2_CLIENT_SECRET=$CLIENT_SECRET

References:

GitHub

Caveats

A user must explicitly request an organization give openvpn-auth-oauth2 resource access. openvpn-auth-oauth2 will not have the correct permissions to determine if the user is in that organization otherwise, and the user will not be able to log in. This request mechanism is a feature of the GitHub API.

Register the application in the identity provider¶

In GitHub, register a new application. The callback address should be the /oauth2/callback endpoint of your openvpn-auth-oauth2 URL (e.g. https://login.example.com/oauth2/callback).

After registering the app, you will receive an OAuth2 client ID and secret. These values will be inputted into the configuration below.

Configuration

  • CONFIG_OAUTH2_PROVIDER=github
  • CONFIG_OAUTH2_ISSUER=https://github.com
  • CONFIG_OAUTH2_CLIENT_ID=$CLIENT_ID
  • CONFIG_OAUTH2_CLIENT_SECRET=$CLIENT_SECRET
  • CONFIG_OAUTH2_VALIDATE_GROUPS=org
  • CONFIG_OAUTH2_VALIDATE_ROLES=org:team

Digitalocean

Register an application in Digitalocean

Developers must register their application to use OAuth. A registered application is assigned a client ID and client secret. The client secret should be kept confidential, and only used between the application and the DigitalOcean authorization server https://cloud.digitalocean.com/v1/oauth.

Configuration

  • CONFIG_OAUTH2_ISSUER=https://cloud.digitalocean.com/
  • CONFIG_OAUTH2_SCOPES=read
  • CONFIG_OAUTH2_ENDPOINT_TOKEN=https://cloud.digitalocean.com/v1/oauth/token
  • CONFIG_OAUTH2_ENDPOINT_AUTH=https://cloud.digitalocean.com/v1/oauth/authorize

Zitadel

Register an application in zitadel

  1. Create project in Zitadel
  2. Create new application in project
  3. Enter name and choose web type
  4. Authentication method - POST
  5. Redirect url - http://:9000/oauth2/callback
  6. Save Client ID and Client Secret to use below

After created application, on page URLs you can find all links which you need.

Configuration

  • CONFIG_HTTP_BASEURL=http://<vpn>:9000/
  • CONFIG_HTTP_LISTEN=:9000
  • CONFIG_HTTP_SECRET=1jd93h5b6s82lf03jh5b2hf9
  • CONFIG_OPENVPN_ADDR=unix:///run/openvpn/server.sock
  • CONFIG_OPENVPN_PASSWORD=<password from /etc/openvpn/password.txt>
  • CONFIG_OAUTH2_ISSUER=https://company.zitadel.cloud
  • CONFIG_OAUTH2_SCOPES=openid profile email offline_access
  • CONFIG_OAUTH2_CLIENT_ID=<client_id>
  • CONFIG_OAUTH2_CLIENT_SECRET=<client_secret>

This wiki is synced with the docs folder from the code repository! To improve the wiki, create a pull request against the code repository with the suggested changes.

Clone this wiki locally