
Wekan oauth2 configuration with Microsoft Azure

Version  Status       Date        Author               URL
0.1      First draft  23.10.2023  Patrick Rutishauser

1. Summary

Minimal oauth2 configuration for Wekan, with Microsoft Azure.

2. Microsoft Azure - Create Enterprise application for Wekan

Create a new Enterprise application.

Create your own application. There isn’t currently a Wekan template in the Microsoft Entra Gallery.

Set a name for the application.

It is not clear whether the option “Integrate any other application you don’t find in the gallery (Non-gallery)” would work. This guide uses the “Register an application to integrate with Microsoft Entra ID (App you’re developing)” option.

A multi-tenant setup has not been tested; a single tenant / domain (rafisatest only) should suffice. The redirect URL should be the DNS name of the Wekan production instance, with “/_oauth/oidc” appended to the URI.

Go to the wekan application in Azure and create a new client secret.

24 months is the maximum validity. The secret needs to be renewed after this period.

Copy the client secret (Value, not the Secret ID). We need this later to configure oauth2 in Wekan.

Add permission for openid.

The first user who logs in / self-registers can consent on behalf of the organization.

“As an administrator, you can grant permissions to this app on behalf of all users (delegated permissions). You can also grant permissions directly to this app (app permissions).”

3. Wekan oauth2 configuration

Below is a list of what needs to be configured in Wekan, as environment entries of the wekan service in docker-compose.yml:

          - OAUTH2_ENABLED=true
          - OAUTH2_CLIENT_ID=98af6bf2-9f62-467a-a59c-5611daf41ef5
          - OAUTH2_SECRET=HX68Q~0h1GtDeKCsxwYwlr85LtcR~E6mVOGqQdyR
          - OAUTH2_SERVER_URL=https://login.microsoftonline.com/3f27241d-d949-4cf1-a670-1c492efb689c
          - OAUTH2_AUTH_ENDPOINT=/oauth2/v2.0/authorize
          - OAUTH2_USERINFO_ENDPOINT=https://graph.microsoft.com/oidc/userinfo
          - OAUTH2_TOKEN_ENDPOINT=/oauth2/v2.0/token
          - OAUTH2_ID_MAP=email
          - OAUTH2_USERNAME_MAP=email
          - OAUTH2_FULLNAME_MAP=name
          - OAUTH2_EMAIL_MAP=email

“OAUTH2_CLIENT_ID” is the Azure Application (client) ID.

“OAUTH2_SECRET” is the client secret Value copied in the previous step.

“OAUTH2_SERVER_URL” can be taken from the Endpoints of the application; the ID in the URL is the “Directory (tenant) ID”.
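As an added example that is not part of the original page, the following Python script checks such a configuration offline: it parses the compose environment entries, rebuilds the full endpoint URLs by joining OAUTH2_SERVER_URL with the relative endpoints (as Wekan does), compares them with a constructed excerpt of the tenant's OIDC discovery document, derives the redirect URI to register in Azure, and shows which Wekan fields the *_MAP settings fill from a userinfo response. All IDs, the discovery excerpt and the userinfo sample are constructed placeholders.

```python
import re

# Constructed sample of the docker-compose environment entries from this page
# (client ID and tenant ID are placeholders, not real values).
COMPOSE_ENV = """
          - OAUTH2_ENABLED=true
          - OAUTH2_CLIENT_ID=00000000-0000-0000-0000-000000000000
          - OAUTH2_SERVER_URL=https://login.microsoftonline.com/11111111-1111-1111-1111-111111111111
          - OAUTH2_AUTH_ENDPOINT=/oauth2/v2.0/authorize
          - OAUTH2_USERINFO_ENDPOINT=https://graph.microsoft.com/oidc/userinfo
          - OAUTH2_TOKEN_ENDPOINT=/oauth2/v2.0/token
          - OAUTH2_ID_MAP=email
          - OAUTH2_USERNAME_MAP=email
          - OAUTH2_FULLNAME_MAP=name
          - OAUTH2_EMAIL_MAP=email
"""

# Constructed excerpt of the tenant's OIDC discovery document, which Entra ID serves at
# <OAUTH2_SERVER_URL>/v2.0/.well-known/openid-configuration (the real document has more keys).
TENANT = "https://login.microsoftonline.com/11111111-1111-1111-1111-111111111111"
DISCOVERY = {
    "authorization_endpoint": TENANT + "/oauth2/v2.0/authorize",
    "token_endpoint": TENANT + "/oauth2/v2.0/token",
    "userinfo_endpoint": "https://graph.microsoft.com/oidc/userinfo",
}

def parse_env(text):
    """Turn '- KEY=value' compose lines into a dict (the first '=' splits key and value)."""
    env = {}
    for line in text.splitlines():
        m = re.match(r"\s*-\s*([A-Z0-9_]+)=(.*)$", line)
        if m:
            env[m.group(1)] = m.group(2).strip()
    return env

def full_url(env, key):
    """Relative endpoints are prefixed with OAUTH2_SERVER_URL; absolute ones are used as-is."""
    value = env[key]
    return value if value.startswith("http") else env["OAUTH2_SERVER_URL"].rstrip("/") + value

def check_endpoints(env, discovery):
    """Return a list of mismatches between the Wekan config and the discovery document."""
    pairs = [("OAUTH2_AUTH_ENDPOINT", "authorization_endpoint"),
             ("OAUTH2_TOKEN_ENDPOINT", "token_endpoint"),
             ("OAUTH2_USERINFO_ENDPOINT", "userinfo_endpoint")]
    return [f"{k}: {full_url(env, k)} != {discovery[d]}"
            for k, d in pairs if full_url(env, k) != discovery[d]]

def redirect_uri(root_url):
    """The redirect URI to register in Azure: the Wekan root URL plus /_oauth/oidc."""
    return root_url.rstrip("/") + "/_oauth/oidc"

def map_user(env, userinfo):
    """Apply the *_MAP settings to a userinfo response to see what Wekan will store."""
    return {field: userinfo.get(env[f"OAUTH2_{field.upper()}_MAP"])
            for field in ("id", "username", "fullname", "email")}
```

Run the check against the real discovery document of your tenant before rolling the configuration out; a mismatch in the token endpoint shows up here rather than as a failed login.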

Snap Translation

The docker configuration options translated to the corresponding snap settings:

sudo snap set wekan oauth2-enabled='true'
sudo snap set wekan oauth2-client-id='c40bd7ff-61f1-4210-b216-fbdf3a7d4b35'
sudo snap set wekan oauth2-secret='Xyy8Q~04zpbTWaiUmanfGpsszw~V05DPloGmsddY'
sudo snap set wekan oauth2-server-url='https://login.microsoftonline.com/76154618-8054-4c16-b4e9-f8db7831e72d'
sudo snap set wekan oauth2-auth-endpoint='/oauth2/v2.0/authorize'
sudo snap set wekan oauth2-userinfo-endpoint='https://graph.microsoft.com/oidc/userinfo'
sudo snap set wekan oauth2-token-endpoint='/oauth2/v2.0/token'
sudo snap set wekan oauth2-id-map='email'
sudo snap set wekan oauth2-username-map='email'
sudo snap set wekan oauth2-fullname-map='name'
sudo snap set wekan oauth2-email-map='email'
sudo snap set wekan oauth2-request-permissions='openid'
sudo snap set wekan root-url='https://wekan.rafisa.net'