Providers
This page documents the setup at the OIDC provider.
## Azure AD

1. Sign in to your admin account on the tenant.
2. Navigate to the App registrations page in the Azure AD admin center.
3. Click on the **New registration** button to start the process of registering a new application.
4. Enter a unique name for your application in the **Name** field.
5. In the **Supported account types** section, select the appropriate option based on your requirements. If unsure, leave the default value selected.
6. For the **Redirect URI**, select **Web** from the dropdown menu and input the public endpoint of your `openvpn-auth-oauth2` instance, for example `https://openvpn-auth-oauth2.example.com/oauth2/callback`. Enter the exact callback path; Azure matches redirect URIs exactly, and a broader URI only widens where authorization codes can be sent.
7. Click on the **Register** button to create the application.
8. Once the application is created, navigate to the **Certificates & secrets** section on the left-hand side menu.
9. In the **Client secrets** tab, click on **New client secret** to generate a new secret for your application.
10. Copy the generated client secret. It will be used as a configuration option for `openvpn-auth-oauth2`. Azure shows the secret value only once, and every client secret carries the expiry date you chose when creating it; record that date so you can rotate the secret before logins start failing.
11. Navigate to the **Token configuration** section on the left-hand side menu.
12. Click on **Add optional claim** to add a new claim to your tokens.
13. In the right panel, select **ID** as the token type.
14. From the list of available claims, select **ipaddr**.
15. Click on **Add** to include this claim in your tokens. The `ipaddr` claim carries the address the user authenticated from, which lets `openvpn-auth-oauth2` compare it with the source address of the OpenVPN client so that the browser session and the VPN session belong to the same client.
References:
- https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app
- https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-optional-claims
```
CONFIG_OAUTH2_ISSUER=https://login.microsoftonline.com/$TENANT_ID/v2.0
CONFIG_OAUTH2_CLIENT_ID=$CLIENT_ID
CONFIG_OAUTH2_CLIENT_SECRET=$CLIENT_SECRET
```
Restricting login to members of specific groups can be configured inside the App Registration directly. This is generally preferred, since a user who is not in an allowed group gets the refusal notice from Azure itself and the login is denied before `openvpn-auth-oauth2` is involved.

If you need to require membership in several groups, configure `CONFIG_OAUTH2_VALIDATE_GROUPS` instead. For that check to work, the ID token must actually contain a `groups` claim, which Azure does not emit by default: add it under **Token configuration** > **Add groups claim**.
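The `ipaddr` and `groups` claims only matter because of what is checked against them. The following is an added example, not code from openvpn-auth-oauth2, showing the checks a relying party performs on an ID-token payload whose signature has already been verified: issuer, audience, expiry, the `ipaddr` claim against the VPN client's source address, and the `groups` claim against a configured allow list. The claim payload, tenant ID, client ID and group ID are constructed sample values, and the any-of group semantics is an assumption of this example; openvpn-auth-oauth2's own behaviour is defined by its configuration reference.

```python
import ipaddress
import json
import time

# Constructed sample ID-token payload (not a real token). Signature
# verification against the issuer's JWKS is assumed to have happened already;
# these are the claim checks that follow it.
SAMPLE_CLAIMS = json.loads("""{
  "iss": "https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/v2.0",
  "aud": "11111111-1111-1111-1111-111111111111",
  "exp": 4102444800,
  "ipaddr": "203.0.113.7",
  "groups": ["22222222-2222-2222-2222-222222222222"],
  "preferred_username": "alice@example.com"
}""")

ISSUER = "https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/v2.0"
CLIENT_ID = "11111111-1111-1111-1111-111111111111"
GROUP = "22222222-2222-2222-2222-222222222222"


def _same_ip(a, b):
    """Compare two textual IP addresses by value, so that '::ffff:203.0.113.7'
    and '203.0.113.7', or differently written IPv6 forms, do not cause a
    false reject. Unparseable input is treated as a mismatch."""
    try:
        ia, ib = ipaddress.ip_address(a), ipaddress.ip_address(b)
    except ValueError:
        return False
    if isinstance(ia, ipaddress.IPv6Address) and ia.ipv4_mapped:
        ia = ia.ipv4_mapped
    if isinstance(ib, ipaddress.IPv6Address) and ib.ipv4_mapped:
        ib = ib.ipv4_mapped
    return ia == ib


def validate_claims(claims, issuer, client_id, client_ip=None,
                    allowed_groups=(), now=None):
    """Return the list of reasons to reject the token; an empty list means accept.

    - issuer and audience must match the configured values exactly
    - the token must not be expired (exp is seconds since the epoch)
    - if client_ip is given, the ipaddr claim must be present and equal to it
    - if allowed_groups is given, the user must be in at least one of them
      (any-of semantics; an assumption of this example)
    """
    now = time.time() if now is None else now
    problems = []
    if claims.get("iss") != issuer:
        problems.append("issuer mismatch")
    aud = claims.get("aud")
    aud = [aud] if isinstance(aud, str) else (aud or [])
    if client_id not in aud:
        problems.append("audience mismatch")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        problems.append("token expired or exp missing")
    if client_ip is not None:
        token_ip = claims.get("ipaddr")
        if token_ip is None:
            problems.append("ipaddr claim missing (add it under Token configuration)")
        elif not _same_ip(token_ip, client_ip):
            problems.append(f"ipaddr {token_ip} does not match VPN client {client_ip}")
    if allowed_groups:
        if not set(claims.get("groups") or []) & set(allowed_groups):
            problems.append("user is in none of the allowed groups")
    return problems


if __name__ == "__main__":
    accept = validate_claims(SAMPLE_CLAIMS, ISSUER, CLIENT_ID, "203.0.113.7", [GROUP])
    reject = validate_claims(SAMPLE_CLAIMS, ISSUER, CLIENT_ID, "198.51.100.9", ["other"])
    print("accept" if not accept else accept)
    print(reject)
```

The IP comparison normalises IPv4-mapped IPv6 addresses because a dual-stack listener will often report the VPN client as `::ffff:a.b.c.d` while the IdP records the plain IPv4 form; comparing the strings would reject a legitimate login.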
## Google

1. Log in as admin to your Google console.
2. In the project Dashboard center pane, choose "APIs & Services".
3. If necessary, complete the **OAuth consent screen** wizard. You will probably want to create an **Internal** application.
   - If you reuse an existing application, your users may already have given consent for the usage of this application, which may not include refresh tokens. If this is the case, add `CONFIG_OAUTH2_AUTHORIZE__PARAMS="prompt=consent"` to your configuration.
4. In the left Nav pane, choose "Credentials".
5. In the center pane, choose the "OAuth consent screen" tab. Fill in "Product name shown to users" and hit save.
6. In the center pane, choose the "Credentials" tab.
7. Open the "New credentials" drop down.
8. Choose "OAuth client ID".
9. Choose "Web application".
10. Application name is freeform, choose something appropriate.
11. Authorized redirect URIs is the location of `/oauth2/callback`, e.g. `https://yourdomain:9000/oauth2/callback`.
12. Choose "Create".
13. Take note of the Client ID and Client Secret.
To allow openvpn-auth-oauth2 to fetch group information from Google, you will need to configure a service account for openvpn-auth-oauth2 to use. This account needs Domain-Wide Delegation and permission to access the `https://www.googleapis.com/auth/admin.directory.group.readonly` API scope.
1. Create a service account and
   - if you are using Application Default Credentials (recommended), make sure to assign the Service Account the **Service Account Token Creator** role.
   - if you are not using Application Default Credentials, create a new key (under KEYS) and then download the Service Account JSON. This needs storing in a location accessible by `openvpn-auth-oauth2`, and you will set `provider.google.service-account-config` to point at it. Treat this file as a highly privileged credential: with Domain-Wide Delegation, anyone holding it can read group membership for the whole domain, which is why the ADC route, which issues no long-lived key, is preferred.
2. Make note of the **Unique ID** for a future step.
3. Under "APIs & Auth", choose APIs.
4. Click on Admin SDK API and then Enable API.
5. Follow the steps on https://developers.google.com/admin-sdk/directory/v1/guides/delegation#delegate_domain-wide_authority_to_your_service_account and give the Unique ID (as Client ID) from step 2 the following OAuth scope: `https://www.googleapis.com/auth/admin.directory.group.readonly`. Grant only this read-only scope; nothing here needs write access to the directory.
6. Follow the steps on https://support.google.com/a/answer/60757 to enable Admin API access.
7. Permit access to the Admin SDK API for the service account. Only one of the following is required:
   - Assign a role to the service account (preferred)
     - In the Google Admin console, go to the Account > Admin roles page.
     - Point to the role that you want to assign (e.g. Groups Reader), and then click Assign admin.
     - Click Assign service accounts.
     - Enter the email address of the service account.
     - Click Add > Assign role.
   - Admin impersonation: create or choose an existing administrative email address on the Google Workspace domain and assign it to the `provider.google.admin-email` flag. This email will be impersonated by this client to make calls to the Admin SDK.
8. Create or choose an existing email group and set that email in the `oauth2.validate.groups` flag. You can pass multiple instances of this flag with different groups, and the user will be checked against all the provided groups.
9. If not using Application Default Credentials, lock down the permissions on the JSON file downloaded in step 1 so that only `openvpn-auth-oauth2` is able to read the file, and set the path to the file in the `provider.google.service-account-config=file://<path-to-json>` flag.
### Using Application Default Credentials (ADC) / Workload Identity / Workload Identity Federation (recommended)

openvpn-auth-oauth2 can make use of Application Default Credentials if `provider.google.service-account-config` is unset.

When deployed within GCP, this means that it can automatically use the service account attached to the resource. When deployed to GKE, ADC can be leveraged through a feature called Workload Identity. Follow Google's guide to set up Workload Identity. When deployed outside GCP, Workload Identity Federation might be an option.

The Google Directory API requires a service account to access the group information. If Workload Identity is used, `provider.google.impersonate-account` should be set to the full email address of the service account used (`service-account-name@<project_id>.iam.gserviceaccount.com`).
Set the following variables in your openvpn-auth-oauth2 configuration file:

```
CONFIG_OAUTH2_PROVIDER=google
CONFIG_OAUTH2_ISSUER=https://accounts.google.com
CONFIG_OAUTH2_CLIENT_ID=162738495-xxxxx.apps.googleusercontent.com
CONFIG_OAUTH2_CLIENT_SECRET=GOCSPX-xxxxxxxx
# If using ADC
CONFIG_PROVIDER_GOOGLE_IMPERSONATE__ACCOUNT=service-account-name@<project_id>.iam.gserviceaccount.com
# If not using ADC
CONFIG_PROVIDER_GOOGLE_SERVICE__ACCOUNT__CONFIG=file://<path-to-json>
# Only if the Groups Reader role was not assigned to the service account in the
# Admin console (admin impersonation instead)
# CONFIG_PROVIDER_GOOGLE_ADMIN__EMAIL=admin@example.com
```
## Keycloak

1. Sign in to your admin account on the Keycloak admin console.
2. Choose an existing realm or create a new one.
3. Create a new client:
   - Set the Client ID as `openvpn-auth-oauth2`.
   - Set the Client Type as **OpenID Connect**.
   - Name the client `openvpn-auth-oauth2`.
4. In the capability configuration page, enable 'Client authentication' and 'Standard flow' for the Authentication flow. Make sure 'Authorization' is turned off.
5. In the login settings page, set the following values:
   - Root URL: `https://openvpn-auth-oauth2.example.com`
   - Valid Redirect URIs: `https://openvpn-auth-oauth2.example.com/oauth2/callback`
   - Web Origins: `https://openvpn-auth-oauth2.example.com`

   Keep Valid Redirect URIs to the exact callback path. A wildcard such as `https://openvpn-auth-oauth2.example.com/*` allows authorization codes to be redirected to any path on that host.
6. Click 'Save'.
7. Navigate to the 'Credentials' tab and note down the Client ID and Client Secret.

Set the following variables in your openvpn-auth-oauth2 configuration file:

```
CONFIG_OAUTH2_ISSUER=https://<keycloak-domain>/auth/realms/<realm-name>
CONFIG_OAUTH2_CLIENT_ID=openvpn-auth-oauth2
CONFIG_OAUTH2_CLIENT_SECRET=<client-secret>
```

Keycloak 17 and later (the Quarkus distribution) serve realms without the `/auth` prefix by default, so on those versions the issuer is `https://<keycloak-domain>/realms/<realm-name>`. Whichever form applies, it must match the `issuer` field returned by `<issuer>/.well-known/openid-configuration` exactly, otherwise OIDC discovery and token validation fail.
Currently, there is no known configuration to enrich the token with the client's IP address in Keycloak. If you know how to do this, please contribute to the documentation.
## GitHub

A user must explicitly request that their organization grants openvpn-auth-oauth2 access to its resources (GitHub's third-party application access policy). Without that approval openvpn-auth-oauth2 does not have the permissions needed to determine whether the user is a member of the organization, and the user will not be able to log in. This request mechanism is a feature of the GitHub API.

In GitHub, register a new application. The callback address should be the `/oauth2/callback` endpoint of your openvpn-auth-oauth2 URL (e.g. `https://login.example.com/oauth2/callback`).

After registering the app, you will receive an OAuth2 client ID and secret. Put these values into the configuration below.

```
CONFIG_OAUTH2_PROVIDER=github
CONFIG_OAUTH2_ISSUER=https://github.com
CONFIG_OAUTH2_CLIENT_ID=$CLIENT_ID
CONFIG_OAUTH2_CLIENT_SECRET=$CLIENT_SECRET
# organization login
CONFIG_OAUTH2_VALIDATE_GROUPS=org
# organization and team, separated by a colon
CONFIG_OAUTH2_VALIDATE_ROLES=org:team
```
## DigitalOcean

Developers must register their application to use OAuth. A registered application is assigned a client ID and client secret. The client secret must be kept confidential and used only between the application and the DigitalOcean authorization server, https://cloud.digitalocean.com/v1/oauth.

```
CONFIG_OAUTH2_ISSUER=https://cloud.digitalocean.com/
CONFIG_OAUTH2_SCOPES=read
CONFIG_OAUTH2_ENDPOINT_TOKEN=https://cloud.digitalocean.com/v1/oauth/token
CONFIG_OAUTH2_ENDPOINT_AUTH=https://cloud.digitalocean.com/v1/oauth/authorize
```

The token and authorization endpoints are set explicitly because DigitalOcean offers plain OAuth2 without OIDC discovery. The `read` scope is sufficient to identify the user; do not request `write`.
## Zitadel

1. Create a project in Zitadel.
2. Create a new application in the project.
3. Enter a name and choose the Web type.
4. Authentication method: POST.
5. Redirect URL: `http://<vpn>:9000/oauth2/callback`
6. Save the Client ID and Client Secret to use below.

After creating the application, the URLs page lists all the links that you need.

```
CONFIG_HTTP_BASEURL=http://<vpn>:9000/
CONFIG_HTTP_LISTEN=:9000
CONFIG_HTTP_SECRET=1jd93h5b6s82lf03jh5b2hf9
CONFIG_OPENVPN_ADDR=unix:///run/openvpn/server.sock
CONFIG_OPENVPN_PASSWORD=<password from /etc/openvpn/password.txt>
CONFIG_OAUTH2_ISSUER=https://company.zitadel.cloud
CONFIG_OAUTH2_SCOPES=openid profile email offline_access
CONFIG_OAUTH2_CLIENT_ID=<client_id>
CONFIG_OAUTH2_CLIENT_SECRET=<client_secret>
```

The values above are a minimal lab setup. For anything reachable from the internet, serve `CONFIG_HTTP_BASEURL` and the redirect URL over HTTPS (the authorization code is delivered through that callback), and generate your own random value for `CONFIG_HTTP_SECRET` rather than copying the one shown here.
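Every provider section on this page ends in a handful of `CONFIG_*` variables, and the same settings appear as dotted flags (`provider.google.service-account-config` is `CONFIG_PROVIDER_GOOGLE_SERVICE__ACCOUNT__CONFIG`). The following is an added pre-flight check, not part of openvpn-auth-oauth2, that parses such an environment file, maps variable names to the flag form, and reports the settings that weaken a deployment: a plain-http base URL or issuer, an `http.secret` copied from the Zitadel example, a client ID or secret left as a placeholder, and a Google service-account key file readable by other users. The sample environment file is constructed; the 16/24/32-character length rule for `http.secret` is an assumption of this check, and the project's configuration reference is authoritative.

```python
import os
import stat
import tempfile
from urllib.parse import urlparse

# Constructed sample environment file: the Zitadel example from this page with a
# plain-http base URL, a placeholder client ID, an empty client secret and the
# documentation's own http.secret left in place.
SAMPLE_ENV = """\
CONFIG_HTTP_BASEURL=http://vpn.example.com:9000/
CONFIG_HTTP_LISTEN=:9000
CONFIG_HTTP_SECRET=1jd93h5b6s82lf03jh5b2hf9
CONFIG_OAUTH2_ISSUER=https://company.zitadel.cloud
CONFIG_OAUTH2_SCOPES=openid profile email offline_access
CONFIG_OAUTH2_CLIENT_ID=<client_id>
CONFIG_OAUTH2_CLIENT_SECRET=
"""

# Secrets that appear verbatim in documentation and must never reach production.
DOC_EXAMPLE_SECRETS = {"1jd93h5b6s82lf03jh5b2hf9"}


def env_to_flag(name):
    """CONFIG_PROVIDER_GOOGLE_SERVICE__ACCOUNT__CONFIG -> provider.google.service-account-config
    Single underscores separate configuration sections, double underscores are hyphens
    (mapping inferred from the variable/flag pairs documented on this page)."""
    if not name.startswith("CONFIG_"):
        raise ValueError(f"not a CONFIG_ variable: {name}")
    body = name[len("CONFIG_"):].lower()
    return body.replace("__", "\0").replace("_", ".").replace("\0", "-")


def parse_env(text):
    """Parse KEY=VALUE lines (dotenv style); blank lines and comments are ignored."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip().strip('"')
    return cfg


def key_file_is_locked_down(path):
    """True if the file has no group or other permission bits set (owner-only access)."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return mode & (stat.S_IRWXG | stat.S_IRWXO) == 0


def lint(cfg):
    """Return a list of (flag, message) findings; an empty list means nothing obviously wrong."""
    findings = []
    for key in ("CONFIG_OAUTH2_ISSUER", "CONFIG_OAUTH2_CLIENT_ID", "CONFIG_OAUTH2_CLIENT_SECRET"):
        value = cfg.get(key, "")
        if not value or (value.startswith("<") and value.endswith(">")):
            findings.append((env_to_flag(key), "missing or still a placeholder"))
    for key in ("CONFIG_HTTP_BASEURL", "CONFIG_OAUTH2_ISSUER"):
        value = cfg.get(key, "")
        if value and urlparse(value).scheme != "https":
            findings.append((env_to_flag(key), "not https; OAuth2 codes, tokens and cookies would travel in clear"))
    secret = cfg.get("CONFIG_HTTP_SECRET", "")
    if secret in DOC_EXAMPLE_SECRETS:
        findings.append(("http.secret", "copied from the documentation example; generate your own"))
    elif len(secret) not in (16, 24, 32):
        findings.append(("http.secret", "length must be 16, 24 or 32 characters (assumption of this check)"))
    sa = cfg.get("CONFIG_PROVIDER_GOOGLE_SERVICE__ACCOUNT__CONFIG", "")
    if sa.startswith("file://"):
        path = sa[len("file://"):]
        if not os.path.exists(path):
            findings.append(("provider.google.service-account-config", f"{path} does not exist"))
        elif not key_file_is_locked_down(path):
            findings.append(("provider.google.service-account-config", f"{path} is readable by other users; chmod 0400 it"))
    return findings


def demo_key_file(mode):
    """Create a throwaway file with the given permission bits and return its path,
    so key_file_is_locked_down can be exercised without a real service-account key."""
    fd, path = tempfile.mkstemp(suffix=".json")
    os.close(fd)
    os.chmod(path, mode)
    return path


if __name__ == "__main__":
    for flag, msg in lint(parse_env(SAMPLE_ENV)):
        print(f"{flag}: {msg}")
```

Run it against the real environment file before the first start; the `file://` branch is the check for step 9 of the Google section, where the downloaded JSON key must be readable by the openvpn-auth-oauth2 user only.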
This wiki is synced with the `docs` folder from the code repository! To improve the wiki, create a pull request against the code repository with the suggested changes.