====== Wekan oauth2 configuration with Microsoft Azure ======

^ Version ^ Status ^ Date ^ Author ^ URL ^
| 0.1 | First draft | 23.10.2023 | Patrick Rutishauser | |

===== 1. Summary =====

Minimal oauth2 configuration for Wekan, with Microsoft Azure.

===== 2. Microsoft Azure - Create Enterprise application for Wekan =====

Create a new Enterprise application.

{{Pasted image 20231023131427.png}}

Create your own application. There isn’t currently a Wekan template in the Microsoft Entra Gallery.

{{Pasted image 20231023132002.png}}

Set a name for the application. Not sure if the option “Integrate any other application you don’t find in the gallery (Non-gallery)” would work. We go with the “Register an application to integrate with Microsoft Entra ID (App you’re developing)” option.

{{Pasted image 20231023132230.png}}

Multitenant setup not tested. Single tenant / domain (rafisatest only) should suffice. The redirect URL should be the DNS name of the Wekan production instance, extended with “/_oauth/oidc”.

{{Pasted image 20231023132628.png}}

Go to the Wekan application in Azure and create a new client secret.

{{Pasted image 20231023133200.png}}

24 months is the maximum lifetime. The secret needs to be renewed after this period.

{{Pasted image 20231023133258.png}}

Copy the client secret (the Value, not the Secret ID). We need this later to configure oauth2 in Wekan.

{{Pasted image 20231023133448.png}}

Add the permission for openid.

{{Pasted image 20231023133701.png}}

{{Pasted image 20231023133821.png}}

{{Pasted image 20231023133925.png}}

The first user who logs in / self-registers can consent on behalf of the organization. “As an administrator, you can grant permissions to this app on behalf of all users (delegated permissions). You can also grant permissions directly to this app (app permissions).”

{{Pasted image 20231023134019.png}}

===== 3. Wekan oauth2 configuration =====

Below is a list of what needs to be configured in Wekan (docker-compose.yml):

<code yaml>
- OAUTH2_ENABLED=true
- OAUTH2_CLIENT_ID=98af6bf2-9f62-467a-a59c-5611daf41ef5
- OAUTH2_SECRET=HX68Q~0h1GtDeKCsxwYwlr85LtcR~E6mVOGqQdyR
- OAUTH2_SERVER_URL=https://login.microsoftonline.com/3f27241d-d949-4cf1-a670-1c492efb689c
- OAUTH2_AUTH_ENDPOINT=/oauth2/v2.0/authorize
- OAUTH2_USERINFO_ENDPOINT=https://graph.microsoft.com/oidc/userinfo
- OAUTH2_TOKEN_ENDPOINT=/oauth2/v2.0/token
- OAUTH2_ID_MAP=email
- OAUTH2_USERNAME_MAP=email
- OAUTH2_FULLNAME_MAP=name
- OAUTH2_EMAIL_MAP=email
</code>

“OAUTH2_CLIENT_ID” is the Azure Application (client) ID -> {{Pasted image 20231023134932.png}}

“OAUTH2_SECRET” is the secret Value -> {{Pasted image 20231023133448.png}}

“OAUTH2_SERVER_URL”: see Endpoints for the application. The ID in the URL is the “Directory (tenant) ID”. {{Pasted image 20231023135234.png}}

=== Snap Translation ===

A translation of the docker config options to snap settings:

<code bash>
sudo snap set wekan oauth2-enabled='true'
sudo snap set wekan oauth2-client-id='c40bd7ff-61f1-4210-b216-fbdf3a7d4b35'
sudo snap set wekan oauth2-secret='Xyy8Q~04zpbTWaiUmanfGpsszw~V05DPloGmsddY'
sudo snap set wekan oauth2-server-url='https://login.microsoftonline.com/76154618-8054-4c16-b4e9-f8db7831e72d'
sudo snap set wekan oauth2-auth-endpoint='/oauth2/v2.0/authorize'
sudo snap set wekan oauth2-userinfo-endpoint='https://graph.microsoft.com/oidc/userinfo'
sudo snap set wekan oauth2-token-endpoint='/oauth2/v2.0/token'
sudo snap set wekan oauth2-id-map='email'
sudo snap set wekan oauth2-username-map='email'
sudo snap set wekan oauth2-fullname-map='name'
sudo snap set wekan oauth2-email-map='email'
sudo snap set wekan oauth2-request-permissions='openid'
sudo snap set wekan root-url='https://wekan.rafisa.net'
</code>
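As an added example (not part of this page or of Wekan itself), the following Python helper reads the docker-compose style OAUTH2_* entries from section 3, resolves the relative auth/token endpoints against OAUTH2_SERVER_URL, derives the redirect URI to register in Azure (root URL plus /_oauth/oidc), checks that every endpoint is https, and renders the same settings as the snap commands of the Snap Translation section. The client ID, tenant ID and secret in the sample are placeholders, not the page's values.

```python
from urllib.parse import urlparse

# Constructed sample: the docker-compose environment entries from this page,
# with placeholder client id, tenant id and secret (not the page's real values).
DOCKER_ENV = """
- OAUTH2_ENABLED=true
- OAUTH2_CLIENT_ID=00000000-0000-0000-0000-000000000000
- OAUTH2_SECRET=PLACEHOLDER-SECRET-VALUE
- OAUTH2_SERVER_URL=https://login.microsoftonline.com/11111111-1111-1111-1111-111111111111
- OAUTH2_AUTH_ENDPOINT=/oauth2/v2.0/authorize
- OAUTH2_USERINFO_ENDPOINT=https://graph.microsoft.com/oidc/userinfo
- OAUTH2_TOKEN_ENDPOINT=/oauth2/v2.0/token
- OAUTH2_ID_MAP=email
- OAUTH2_USERNAME_MAP=email
- OAUTH2_FULLNAME_MAP=name
- OAUTH2_EMAIL_MAP=email
"""

def parse_env(text):
    """Parse 'KEY=value' lines (optionally written as '- KEY=value' YAML list items)."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip().lstrip("-").strip()
        if "=" in line:
            key, value = line.split("=", 1)
            cfg[key.strip()] = value.strip()
    return cfg

def effective_endpoints(cfg):
    """Relative endpoints are joined to OAUTH2_SERVER_URL; absolute ones are kept as-is."""
    base = cfg["OAUTH2_SERVER_URL"].rstrip("/")
    resolved = {}
    for key in ("OAUTH2_AUTH_ENDPOINT", "OAUTH2_TOKEN_ENDPOINT", "OAUTH2_USERINFO_ENDPOINT"):
        ep = cfg[key]
        resolved[key] = ep if urlparse(ep).scheme else base + "/" + ep.lstrip("/")
    return resolved

def redirect_uri(root_url):
    """The redirect URI to register in Azure: Wekan root URL extended with /_oauth/oidc."""
    return root_url.rstrip("/") + "/_oauth/oidc"

def check(cfg, root_url):
    """Return a list of findings; an empty list means the config is consistent."""
    findings = [f"missing {k}" for k in
                ("OAUTH2_ENABLED", "OAUTH2_CLIENT_ID", "OAUTH2_SECRET", "OAUTH2_SERVER_URL")
                if not cfg.get(k)]
    if findings:
        return findings
    if cfg["OAUTH2_ENABLED"].lower() != "true":
        findings.append("OAUTH2_ENABLED is not true")
    # Tokens and the redirect must never travel over plain http.
    for key, url in {**effective_endpoints(cfg), "ROOT_URL": root_url}.items():
        if urlparse(url).scheme != "https":
            findings.append(f"{key} is not https: {url}")
    return findings

def to_snap(cfg, root_url):
    """Translate OAUTH2_* entries to 'snap set' commands (OAUTH2_CLIENT_ID -> oauth2-client-id)."""
    cmds = [f"sudo snap set wekan {k.lower().replace('_', '-')}='{v}'" for k, v in cfg.items()]
    cmds.append(f"sudo snap set wekan root-url='{root_url}'")
    return cmds
```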