From ed3c1ff7c13646be8026b1a401186746d5f63ee1 Mon Sep 17 00:00:00 2001
From: Sebastian Hugentobler
Date: Mon, 14 Mar 2022 10:02:16 +0100
Subject: [PATCH] move to oauth login [skip ci]
---
 README.md | 41 ++++++++++---------
 .../etc/confd/templates/config.inc.php.tmpl | 12 ++++++
 rootfs/etc/confd/templates/nginx.conf.tmpl | 3 +-
 3 files changed, 35 insertions(+), 21 deletions(-)
diff --git a/README.md b/README.md
index cbdc3aa..bd17ad1 100644
--- a/README.md
+++ b/README.md
@@ -1,4 +1,4 @@
-[Roundcube](https://roundcube.net/) webmail interface with postgres backend.
+[Roundcube](https://roundcube.net/) webmail interface with postgres backend and oauth login.
 # Environment Variables
 ## DOMAINS
@@ -39,29 +39,30 @@ Secret key for session secrets.
 Encryption algorithm for session secrets.
-## CARDDAV_PRESETS
-Configured preset addressbooks are created for a user as they log in.
+## OAUTH_PROVIDER_NAME
+Name of the oauth provider on the roundcube login page.
-For example:
-```$prefs['Personal'] = array(
- // required attributes
- 'name' => 'Personal',
- // will be substituted for the roundcube username
- 'username' => '%u',
- // will be substituted for the roundcube password
- 'password' => '%p',
- // %u will be substituted for the CardDAV username
- 'url' => 'https://my.nextcloud.org/remote.php/dav/addressbooks/users/%u/contacts/',
+## OAUTH_CLIENT_ID
+Client id for oauth login.
- 'active' => true,
- 'readonly' => false,
- 'refresh_time' => '02:00:00',
+## OAUTH_CLIENT_SECRET
+Client secret for oauth login.
- 'fixed' => array( 'username' ),
- 'hide' => false,
-);
+## OAUTH_AUTH_URI
+Auth uri for oauth login.
+
+Example for keycloak: `https://example.com/realms/master/protocol/openid-connect/auth`
+
+## OAUTH_TOKEN_URI
+Token uri for oauth login.
+
+Example for keycloak: `https://example.com/realms/master/protocol/openid-connect/token`
+
+## OAUTH_IDENTITY_URI
+Userinfo uri for oauth login.
+
+Example for keycloak: `https://example.com/realms/master/protocol/openid-connect/userinfo`
-```
 # Ports
 - 80
diff --git a/rootfs/etc/confd/templates/config.inc.php.tmpl b/rootfs/etc/confd/templates/config.inc.php.tmpl
index d91c281..60695e5 100644
--- a/rootfs/etc/confd/templates/config.inc.php.tmpl
+++ b/rootfs/etc/confd/templates/config.inc.php.tmpl
@@ -39,3 +39,15 @@ $config['plugins'] = array('archive', 'managesieve', 'zipdownload');
 $config['spellcheck_engine'] = 'pspell';
 $config['default_charset'] = 'UTF-8';
+
+$config['oauth_provider'] = 'generic';
+$config['oauth_provider_name'] = '{{getenv "OAUTH_PROVIDER_NAME"}}';
+$config['oauth_client_id'] = '{{getenv "OAUTH_CLIENT_ID"}}';
+$config['oauth_client_secret'] = '{{getenv "OAUTH_CLIENT_SECRET"}}';
+$config['oauth_auth_uri'] = '{{getenv "OAUTH_AUTH_URI"}}';
+$config['oauth_token_uri'] = '{{getenv "OAUTH_TOKEN_URI"}}';
+$config['oauth_identity_uri'] = '{{getenv "OAUTH_IDENTITY_URI"}}';
+$config['oauth_scope'] = 'email profile openid';
+$config['oauth_auth_parameters'] = [];
+$config['oauth_identity_fields'] = ['preferred_username'];
+$config['oauth_login_redirect'] = true;
diff --git a/rootfs/etc/confd/templates/nginx.conf.tmpl b/rootfs/etc/confd/templates/nginx.conf.tmpl
index e4ec7f6..69289ed 100644
--- a/rootfs/etc/confd/templates/nginx.conf.tmpl
+++ b/rootfs/etc/confd/templates/nginx.conf.tmpl
@@ -22,7 +22,7 @@ http {
 {{range $domain := split (getenv "DOMAINS") ";"}}
 server {
- listen 8080;
+ listen 8080;
 server_name {{ $domain }};
@@ -48,6 +48,7 @@ http {
 fastcgi_param PATH_INFO $path_info;
 fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
 fastcgi_param HTTPS on;
+ fastcgi_param SERVER_PORT 443;
 fastcgi_read_timeout 300;
 fastcgi_pass php;
 }
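Review bot: The `{{getenv ...}}` values on the `oauth_provider_name` through `oauth_identity_uri` lines are dropped into single-quoted PHP literals with no escaping, so a value containing `'` or `\` (a generated client secret easily can) produces a broken or silently truncated config.inc.php rather than a startup error. Escaping `\` and then `'` before interpolation keeps the literal well-formed — if the template engine is confd, its `replace` function can do it in place, e.g. `'{{replace (getenv "OAUTH_CLIENT_SECRET") "'" "\\'" -1}}'` after a backslash pass — and since an unset variable renders as `''`, the entrypoint should fail fast when a required OAUTH_* variable is missing instead of starting with empty credentials. Separately, `oauth_identity_fields = ['preferred_username']` keys the mailbox on a claim the OIDC spec says a relying party must not assume to be unique or stable, which is only safe when the IdP enforces it; a comment on that line such as `// preferred_username is not guaranteed unique/stable by OIDC; the IdP must enforce it and it must equal the IMAP login` would record that contract.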
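Review bot: `fastcgi_param SERVER_PORT 443;`, together with the existing `fastcgi_param HTTPS on;`, hard-codes the external endpoint while the server block only listens on plain 8080, so the configuration is only correct behind a TLS-terminating reverse proxy and that assumption is stated nowhere. Presumably the reason for the change is that Roundcube builds the OAuth redirect_uri from the request scheme and port, which means a deployment that exposes 8080 directly would advertise an `https://<domain>/` redirect_uri that never matches the actual request. A comment on the added line, e.g. `# behind a TLS-terminating reverse proxy: advertise the external scheme/port so Roundcube builds the https:// OAuth redirect_uri`, plus a README note that 8080 must only be reachable through the proxy, would make the contract explicit. The enclosing `location` block starts outside the hunk.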