forked from potsda.mn/mobilizon
c4f8c30c41
Signed-off-by: Thomas Citharel <tcit@tcit.fr>
113 lines
4.2 KiB
Markdown
113 lines
4.2 KiB
Markdown
# Authentification
|
||
|
||
## LDAP
|
||
|
||
Use LDAP for user authentication. When a user logs in to the Mobilizon instance, the email and password will be verified by trying to authenticate
|
||
(bind) to an LDAP server. If a user exists in the LDAP directory but there is no account with the same email yet on the Mobilizon instance then a new
|
||
Mobilizon account will be created (without needing email confirmation) with the same email as the LDAP email name.
|
||
|
||
!!! tip
|
||
As Mobilizon uses email for login and LDAP bind is often done with account UID/CN, we need to start by searching for LDAP account matching with this email. LDAP search without bind is often disallowed, so you'll probably need an admin LDAP user.
|
||
|
||
|
||
Change authentification method:
|
||
```elixir
|
||
config :mobilizon,
|
||
Mobilizon.Service.Auth.Authenticator,
|
||
Mobilizon.Service.Auth.LDAPAuthenticator
|
||
```
|
||
|
||
LDAP configuration under `:mobilizon, :ldap`:
|
||
|
||
* `enabled`: enables LDAP authentication
|
||
* `host`: LDAP server hostname
|
||
* `port`: LDAP port, e.g. 389 or 636
|
||
* `ssl`: true to use SSL, usually implies the port 636
|
||
* `sslopts`: additional SSL options
|
||
* `tls`: true to start TLS, usually implies the port 389
|
||
* `tlsopts`: additional TLS options
|
||
* `base`: LDAP base, e.g. "dc=example,dc=com"
|
||
* `uid`: LDAP attribute name to authenticate the user, e.g. when "cn", the filter will be "cn=username,base"
|
||
* `require_bind_for_search` whether admin bind is required to perform search
|
||
* `bind_uid` the admin uid/cn for binding before searching
|
||
* `bind_password` the admin password for binding before searching
|
||
|
||
Example:
|
||
|
||
```elixir
|
||
config :mobilizon, :ldap,
|
||
enabled: true,
|
||
host: "localhost",
|
||
port: 636,
|
||
ssl: true,
|
||
sslopts: [],
|
||
tls: true,
|
||
tlsopts: [],
|
||
base: "ou=users,dc=example,dc=local",
|
||
uid: "cn",
|
||
require_bind_for_search: true,
|
||
bind_uid: "admin_account",
|
||
bind_password: "some_admin_password"
|
||
```
|
||
|
||
## OAuth
|
||
|
||
Mobilizon currently supports the following providers:
|
||
|
||
* [Discord](https://github.com/schwarz/ueberauth_discord)
|
||
* [Facebook](https://github.com/ueberauth/ueberauth_facebook)
|
||
* [Github](https://github.com/ueberauth/ueberauth_github)
|
||
* [Gitlab](https://github.com/mtchavez/ueberauth_gitlab) (including self-hosted)
|
||
* [Google](https://github.com/ueberauth/ueberauth_google)
|
||
* [Keycloak](https://github.com/Rukenshia/ueberauth_keycloak) (through OpenID Connect)
|
||
* [Twitter](https://github.com/Rukenshia/ueberauth_keycloak)
|
||
|
||
Support for [other providers](https://github.com/ueberauth/ueberauth/wiki/List-of-Strategies) can easily be added if requested.
|
||
|
||
!!! tip
|
||
We advise to look at each provider's README file for eventual specific instructions.
|
||
|
||
You'll have to start by registering an app at the provider. Be sure to activate features like "Sign-in with" and "emails" scope, as Mobilizon needs users emails to register them.
|
||
|
||
Add the configured providers to configuration (you may find the appropriate scopes on the provider's API documentation):
|
||
```elixir
|
||
config :ueberauth,
|
||
Ueberauth,
|
||
providers: [
|
||
gitlab: {Ueberauth.Strategy.Gitlab, [default_scope: "read_user"]},
|
||
keycloak: {Ueberauth.Strategy.Keycloak, [default_scope: "email"]}
|
||
# ...
|
||
]
|
||
```
|
||
|
||
In order for the « Sign-in with » buttons to be added on Register and Login pages, list your providers:
|
||
```elixir
|
||
config :mobilizon, :auth,
|
||
oauth_consumer_strategies: [
|
||
:gitlab,
|
||
{:keycloak, "My corporate account"}
|
||
# ...
|
||
]
|
||
```
|
||
|
||
!!! note
|
||
If you use the `{:provider_id, "Some label"}` form, the label will be used inside the buttons on Register and Login pages.
|
||
|
||
Finally add the configuration for each specific provider. The Client ID and Client Secret are at least required:
|
||
```elixir
|
||
config :ueberauth, Ueberauth.Strategy.Facebook.OAuth,
|
||
client_id: "some_numeric_id",
|
||
client_secret: "some_secret"
|
||
|
||
keycloak_url = "https://some-keycloak-instance.org"
|
||
|
||
# Realm may be something else than master
|
||
config :ueberauth, Ueberauth.Strategy.Keycloak.OAuth,
|
||
client_id: "some_id",
|
||
client_secret: "some_hexadecimal_secret",
|
||
site: keycloak_url,
|
||
authorize_url: "#{keycloak_url}/auth/realms/master/protocol/openid-connect/auth",
|
||
token_url: "#{keycloak_url}/auth/realms/master/protocol/openid-connect/token",
|
||
userinfo_url: "#{keycloak_url}/auth/realms/master/protocol/openid-connect/userinfo",
|
||
token_method: :post
|
||
``` |