move to oauth login [skip ci]

2022-03-14 10:02:16 +01:00 · 2022-03-14 10:02:16 +01:00 · ed3c1ff7c1
commit ed3c1ff7c1
parent a28393fde1
3 changed files with 35 additions and 21 deletions
--- a/README.md
+++ b/README.md
@ -1,4 +1,4 @@
-[Roundcube](https://roundcube.net/) webmail interface with postgres backend.
+[Roundcube](https://roundcube.net/) webmail interface with postgres backend and oauth login.

 # Environment Variables
 ## DOMAINS
@ -39,29 +39,30 @@ Secret key for session secrets.

 Encryption algorithm for session secrets.

-## CARDDAV_PRESETS
-Configured preset addressbooks are created for a user as they log in.
+## OAUTH_PROVIDER_NAME
+Name of the oauth provider on the roundcube login page.

-For example:
-```$prefs['Personal'] = array(
-	// required attributes
-	'name'         =>  'Personal',
-	// will be substituted for the roundcube username
-	'username'     =>  '%u',
-	// will be substituted for the roundcube password
-	'password'     =>  '%p',
-	// %u will be substituted for the CardDAV username
-	'url'          =>  'https://my.nextcloud.org/remote.php/dav/addressbooks/users/%u/contacts/',
+## OAUTH_CLIENT_ID
+Client id for oauth login.

-	'active'       =>  true,
-	'readonly'     =>  false,
-	'refresh_time' => '02:00:00',
+## OAUTH_CLIENT_SECRET
+Client secret for oauth login.

-	'fixed'        =>  array( 'username' ),
-	'hide'        =>  false,
-);
+## OAUTH_AUTH_URI
+Auth uri for oauth login.
+
+Example for keycloak: `https://example.com/realms/master/protocol/openid-connect/auth`
+
+## OAUTH_TOKEN_URI
+Token uri for oauth login.
+
+Example for keycloak: `https://example.com/realms/master/protocol/openid-connect/token`
+
+## OAUTH_IDENTITY_URI
+Userinfo uri for oauth login.
+
+Example for keycloak: `https://example.com/realms/master/protocol/openid-connect/userinfo`

-```

 # Ports
 - 80
--- a/rootfs/etc/confd/templates/config.inc.php.tmpl
+++ b/rootfs/etc/confd/templates/config.inc.php.tmpl
@ -39,3 +39,15 @@ $config['plugins'] = array('archive', 'managesieve', 'zipdownload');

 $config['spellcheck_engine'] = 'pspell';
 $config['default_charset'] = 'UTF-8';
+
+$config['oauth_provider'] = 'generic';
+$config['oauth_provider_name'] = '{{getenv "OAUTH_PROVIDER_NAME"}}';
+$config['oauth_client_id'] = '{{getenv "OAUTH_CLIENT_ID"}}';
+$config['oauth_client_secret'] = '{{getenv "OAUTH_CLIENT_SECRET"}}';
+$config['oauth_auth_uri'] = '{{getenv "OAUTH_AUTH_URI"}}';
+$config['oauth_token_uri'] = '{{getenv "OAUTH_TOKEN_URI"}}';
+$config['oauth_identity_uri'] = '{{getenv "OAUTH_IDENTITY_URI"}}';
+$config['oauth_scope'] = 'email profile openid';
+$config['oauth_auth_parameters'] = [];
+$config['oauth_identity_fields'] = ['preferred_username'];
+$config['oauth_login_redirect'] = true;
--- a/rootfs/etc/confd/templates/nginx.conf.tmpl
+++ b/rootfs/etc/confd/templates/nginx.conf.tmpl
@ -22,7 +22,7 @@ http {
    {{range $domain := split (getenv "DOMAINS") ";"}}

    server {
-       listen 8080;
+        listen 8080;

        server_name {{ $domain }};

@ -48,6 +48,7 @@ http {
            fastcgi_param PATH_INFO $path_info;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            fastcgi_param HTTPS on;
+			fastcgi_param SERVER_PORT 443;
            fastcgi_read_timeout 300;
            fastcgi_pass php;
        }