Lauri Ojansivu edited this page Mar 24, 2024 · 63 revisions

OAuth2 providers

You can use some OAuth2 providers for logging into Wekan, for example those described below.

You can ask your identity provider (LDAP, SAML, etc.) whether it supports adding an OAuth2 application such as Wekan.

GitLab providing OAuth2 login to Wekan

Thanks to derhelge who figured out GitLab login.

GitLab login related debugging

These are the settings (snap installation):

sudo snap set wekan oauth2-enabled='true'
sudo snap set wekan oauth2-client-id='xxx'
sudo snap set wekan oauth2-secret='xxx'
sudo snap set wekan oauth2-server-url='https://gitlab.example.com/'
sudo snap set wekan oauth2-auth-endpoint='oauth/authorize'
sudo snap set wekan oauth2-userinfo-endpoint='oauth/userinfo'
sudo snap set wekan oauth2-token-endpoint='oauth/token'
sudo snap set wekan oauth2-id-map='sub'
sudo snap set wekan oauth2-username-map='nickname'
sudo snap set wekan oauth2-fullname-map='name'
sudo snap set wekan oauth2-email-map='email'
sudo snap set wekan oauth2-request-permissions='openid profile email'

And in GitLab you have to set the same scopes inside the created Application:

  • openid
  • profile
  • email

The redirect URL is described in the Wekan wiki: https://wekan.example.com/_oauth/oidc

Rocket.Chat providing OAuth2 login to Wekan

So for someone using snap, it means creating the file /var/snap/rocketchat-server/common/override-setup-wizard.env (the name of the file itself can be anything as long as it has an .env extension) and setting its content to OVERWRITE_SETTING_Show_Setup_Wizard=completed

Then restart the server with systemctl restart snap.rocketchat-server.rocketchat-server.service

Also, if Rocket.Chat uses LDAP/SAML/Google/etc. for logging into Rocket.Chat, then the same users can log in to Wekan when Rocket.Chat is providing OAuth2 login to Wekan.

If an existing username/password account exists in Wekan, OAuth2 merges both logins into that account.

Source: OAuth2 Pull Request

Docker

https://github.com/wekan/wekan-mongodb/blob/master/docker-compose.yml#L146-L166

Snap

1) Install Rocket.Chat

Rocket.Chat Snap has Node at port 3000 and MongoDB at port 27017.

sudo snap install rocketchat-server
sudo systemctl disable rocketchat-server.rocketchat-caddy
sudo systemctl stop rocketchat-server.rocketchat-caddy

2) Install Wekan

Wekan Snap has Node at port 3001 and MongoDB at port 27019.

sudo snap install wekan
sudo snap set wekan root-url='https://BOARDS.YOURDOMAIN.COM'
sudo snap set wekan port='3001'
sudo snap set core refresh.schedule=02:00-04:00
sudo snap set wekan with-api='true'

Email settings ARE NOT REQUIRED; Wekan works without setting up email.

sudo snap set wekan mail-url='smtps:https://user:[email protected]:453'
sudo snap set wekan mail-from='Wekan Boards <[email protected]>'

Edit Caddyfile:

sudo nano /var/snap/wekan/common/Caddyfile

Add Caddy config. This uses free Let's Encrypt SSL. You can also use free CloudFlare wildcard SSL or any other SSL cert.

boards.yourdomain.com {
        proxy / localhost:3001 {
          websocket
          transparent
        }
}

chat.yourdomain.com {
        proxy / localhost:3000 {
          websocket
          transparent
        }
}

Enable Wekan's Caddy:

sudo snap set wekan caddy-enabled='true'

3) Add Rocket.Chat settings

Log in to Rocket.Chat at https://chat.yourdomain.com.

Accept the chat URL as https://chat.yourdomain.com.

Click: (3 dots) Options / Administration / OAuth Apps / NEW APPLICATION

CHANGE BELOW ONLY THOSE THAT ARE UPPER CASE, AND URLs TO LOWER CASE.

Add settings:

Active: [X] True
Application Name: WEKAN
Redirect URI: https://BOARDS.YOURDOMAIN.COM/_oauth/oidc
Client ID: abcde12345         <=== Rocket.Chat generates random text here
Client Secret: 54321abcde     <=== Rocket.Chat generates random text here
Authorization URL: https://CHAT.YOURDOMAIN.COM/oauth/authorize
Access Token URL: https://CHAT.YOURDOMAIN.COM/oauth/token

Save Changes.

4) Add Wekan settings

Copy the commands below to a text file auth.sh, make it executable with chmod +x auth.sh and run it with ./auth.sh.

CHANGE BELOW ONLY THOSE THAT ARE UPPER CASE, AND URLs TO LOWER CASE.

sudo snap set wekan oauth2-enabled='true'
sudo snap set wekan oauth2-client-id='YOUR-CLIENT-ID'
sudo snap set wekan oauth2-secret='YOUR-CLIENT-SECRET'
sudo snap set wekan oauth2-server-url='https://CHAT.YOURDOMAIN.COM/'
sudo snap set wekan oauth2-auth-endpoint='oauth/authorize'
sudo snap set wekan oauth2-userinfo-endpoint='oauth/userinfo'
sudo snap set wekan oauth2-token-endpoint='oauth/token'
sudo snap set wekan oauth2-id-map='preffered_username'
sudo snap set wekan oauth2-username-map='preffered_username'
sudo snap set wekan oauth2-fullname-map='preffered_username'
sudo snap set wekan oauth2-email-map='email'

If login does not work, debug it:

sudo snap set wekan debug='true'

Click the Oidc button. Then:

sudo snap logs wekan.wekan
sudo systemctl status snap.wekan.wekan

5) Login to Wekan

  1. Go to https://boards.example.com

  2. Click Sign in with Oidc

  3. Click Authorize. This is asked only the first time you log in to Wekan with Rocket.Chat.

[Screenshot: Wekan login to Rocket.Chat]

6) Set your Full Name

Currently the Full Name is not preserved, so you need to set it yourself.

  1. Click Your username / Profile

  2. Add info and Save.

[Screenshot: Wekan login to Rocket.Chat]

7) Add more login options to Rocket.Chat

  1. At Rocket.Chat, Click: (3 dots) Options / Administration

  2. There are many options in the OAuth menu. Above and below OAuth there are also CAS, LDAP and SAML.

[Screenshot: Wekan login to Rocket.Chat]

Auth0

Auth0 can provide Passwordless Email/Google/Facebook/LinkedIn etc. login options to Wekan.

1) Auth0 / Applications / Add / Regular Web Application / Auth0 Settings

CHANGE BELOW ONLY THOSE THAT ARE UPPER CASE, AND URLs TO LOWER CASE.

Client ID:                                 <== Copy to below snap settings
Secret:                                    <== Copy to below snap settings
Account url: YOURACCOUNT.eu.auth0.com      <== Copy to below snap settings
Application Logo:                          <== Add your logo
Application Type: Single Page Application
Token Endpoint Authentication Method: Post
Allowed Callback URLs: https://BOARDS.YOURDOMAIN.COM/_oauth/oidc  <== Change your Wekan address
Allowed Web Origins: https://BOARDS.YOURDOMAIN.COM                <== Change your Wekan address
Use Auth0 instead of the IdP to do Single Sign On: [X]

If you need more info, it is at the bottom of the page under Advanced Settings / Endpoint / OAuth.

2) Auth0 Dashboard => Rules => Add Rule

CHANGE BELOW ONLY THOSE THAT ARE UPPER CASE, AND URLs TO LOWER CASE.

Rule Name: Enrich Wekan login

  function (user, context, callback) {
    // Only use this rule for Auth0 Dashboard / Applications / WekanApplication
    if(context.clientName !== 'YOUR-APPLICATION-NAME'){
      return callback(null, user, context);
    }
    user.user_metadata = user.user_metadata || {};
    var ns = "https://BOARDS.YOURDOMAIN.COM/";
    context.idToken[ns + "id"] = user.user_id;
    context.idToken[ns + "email"] = user.email;
    context.idToken[ns + "name"] = user.name || user.user_metadata.name;
    context.idToken[ns + "picture"] = user.picture;
    callback(null, user, context);
  }

3) Snap settings: fill in the client-id, secret and server-url from above, and use the web origin (the namespace used in the rules function above) in the map settings.

Note: one namespace works for multiple apps. For example, you can use the same namespace URL, such as https://boards.example.com, for many different Wekan board apps that have different client-ids and different board URLs.

CHANGE BELOW ONLY THOSE THAT ARE UPPER CASE.

sudo snap set wekan oauth2-client-id='YOUR-CLIENT-ID'
sudo snap set wekan oauth2-secret='YOUR-SECRET'
sudo snap set wekan oauth2-server-url='https://YOURACCOUNT.eu.auth0.com'
sudo snap set wekan oauth2-auth-endpoint='/authorize'
sudo snap set wekan oauth2-userinfo-endpoint='/userinfo'
sudo snap set wekan oauth2-token-endpoint='/oauth/token'
sudo snap set wekan oauth2-id-map='https://BOARDS.YOURDOMAIN.COM/id'
sudo snap set wekan oauth2-username-map='https://BOARDS.YOURDOMAIN.COM/email'
sudo snap set wekan oauth2-fullname-map='https://BOARDS.YOURDOMAIN.COM/name'
sudo snap set wekan oauth2-email-map='https://BOARDS.YOURDOMAIN.COM/email'

For login to work, you need to:

  • Create first Admin user
  • Add other users with REST API or Password registration
  • Login with OIDC button
  • Have Auth0 configured for passwordless email login (or some other login method)
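As an added example, not code from Wekan or Auth0, the following JavaScript runs a copy of the rule above against a constructed user and then looks up the four oauth2-*-map settings in the resulting id token, showing why the namespace in the rule and in the snap settings must match exactly; the board URL https://boards.example.com/, the client name WEKAN and the sample user are assumptions.

```javascript
// Added example (not Wekan's or Auth0's own code): run the wiki's Auth0 rule
// against a constructed user/context, then look up the oauth2-*-map settings
// in the resulting id token. Board URL, client name and user are assumptions.

// Copy of the rule configured in Auth0 Dashboard / Rules; ns is the namespace
// that the oauth2-*-map settings must repeat verbatim.
function enrichWekanLogin(user, context, callback) {
  if (context.clientName !== 'WEKAN') {
    return callback(null, user, context);
  }
  user.user_metadata = user.user_metadata || {};
  var ns = 'https://boards.example.com/';
  context.idToken[ns + 'id'] = user.user_id;
  context.idToken[ns + 'email'] = user.email;
  context.idToken[ns + 'name'] = user.name || user.user_metadata.name;
  context.idToken[ns + 'picture'] = user.picture;
  callback(null, user, context);
}

// The snap settings from the wiki, keyed by setting name; each value is the
// token field that Wekan reads for that part of the user profile.
const snapMap = {
  'oauth2-id-map': 'https://boards.example.com/id',
  'oauth2-username-map': 'https://boards.example.com/email',
  'oauth2-fullname-map': 'https://boards.example.com/name',
  'oauth2-email-map': 'https://boards.example.com/email',
};

// Resolve every map setting against the token. A field that is absent (e.g.
// the setting's namespace differs from the rule's) is reported in `missing`.
function resolveProfile(idToken, map) {
  const profile = {};
  const missing = [];
  for (const [setting, field] of Object.entries(map)) {
    if (idToken[field] === undefined) missing.push(`${setting} -> ${field}`);
    else profile[setting] = idToken[field];
  }
  return { profile, missing };
}

// Drive the rule with a constructed Auth0 user and resolve the given map.
function runExample(map) {
  const user = { user_id: 'auth0|abc123', email: 'alice@example.com', name: 'Alice' };
  const context = { clientName: 'WEKAN', idToken: {} };
  let result;
  enrichWekanLogin(user, context, (err, u, ctx) => {
    result = resolveProfile(ctx.idToken, map);
  });
  return result;
}
```

Running resolveProfile with a map whose namespace differs from the rule's (for example https://boards.example.org/email) lists that setting under missing, which is the symptom of a mismatch between the rule and the snap settings.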

4) Auth0 ID provider for Rocket.Chat Custom OAuth

These settings currently work so that Auth0 passwordless login to Rocket.Chat works, but there is also some additional code that has not yet been submitted as a PR to Rocket.Chat. That code mainly generates a custom authorization cookie from the user's email (with an addition to the Rocket.Chat API) and then uses it together with login_token and rc_token on the Rocket.Chat login page via a repeating router trigger, so that if those cookies exist the user is automatically logged in using Rocket.Chat Custom OAuth2.

CHANGE BELOW ONLY THOSE THAT ARE UPPER CASE, AND URLs TO LOWER CASE.

Enable: [X] True
URL: https://YOURACCOUNT.eu.auth0.com/
Token Path: oauth/token
Token Sent Via: Payload
Identity Token Sent Via: Same as "Token Sent Via"
Identity Path: userinfo
Authorize Path: authorize
Scope: openid profile email
ID: YOUR-ACCOUNT-ID
Secret: YOUR-ACCOUNT-SECRET
Login Style: Redirect
Button Text: JOIN CHAT
Button Text Color: #FFFFFF
Button Color: #000000
Username field: (empty)
Merge users: [X] True

LemonLDAP::NG

Official documentation: https://lemonldap-ng.org/documentation/latest/applications/wekan

Wekan Config

Basically, you need to set these variables in your Wekan environment:

OAUTH2_ENABLED: TRUE
OAUTH2_CLIENT_ID: ClientID
OAUTH2_SECRET: Secret
OAUTH2_SERVER_URL: https://auth.example.com/
OAUTH2_AUTH_ENDPOINT: oauth2/authorize
OAUTH2_USERINFO_ENDPOINT: oauth2/userinfo
OAUTH2_TOKEN_ENDPOINT: oauth2/token
OAUTH2_ID_MAP: sub

LemonLDAP::NG Config

You need to set up a new OpenID Connect Relying Party (RP) with these parameters:

  • Client ID: the same you set in Wekan configuration (same as OAUTH2_CLIENT_ID)
  • Client Secret: the same you set in Wekan configuration (same as OAUTH2_SECRET)
  • Add the following exported attributes
    • name: session attribute containing the user's full name
    • email: session attribute containing the user's email or _singleMail

See the LLNG documentation for more details.
