OpenID or LDAP authentication

Added by Yann Bordenave almost 10 years ago

Hi OpenProject community,

I want to set up an OP instance for my company and I am stuck at the authentication configuration.

I installed OpenProject 4.1.3 via the debian package openproject-ce.
I would like to use the OpenID authentication (I saw that it can be used on this page https://www.openproject.org/2014/10/24/openproject-4-0-released/) but I can’t find any documentation about how to set up our instance to use our identity provider. Could you help me with this?

And by the way, I can’t understand how the « LDAP authentication » menu in the admin panel works. I wanted to set up the LDAP authentication but I can’t find where I set the LDAP host, DN, password. I just have a « name » field and voilà. It creates an abstract authentication mode for me, but no LDAP.

Am I missing something? The documentation (user guide) is very light about that point.

Thank you in advance for your help.

Regards.


Replies (11)

RE: OpenID or LDAP authentication - Added by Tim Tielens almost 10 years ago

Hi

You need to set up the name and then go into the LDAP menu again and click it again.
Then you will have the full settings for LDAP.

But then the problem is getting it to work; I’ve tried everything on the dams platform (debian),
but without success…
I can’t even see packets going to port 389.

Kind Regards

RE: OpenID or LDAP authentication - Added by Tim Tielens almost 10 years ago

Update, I got it working. If you need help let me know ;-)

RE: OpenID or LDAP authentication - Added by Yann Bordenave almost 10 years ago

Hi,

Thanks for your reply. I did not see the link on the name, thank you for pointing it out.

I will try to setup LDAP. However, if someone has an insight about OpenID authentication, I am still interested as it should be our preferred way to authenticate.

Regards.

RE: OpenID or LDAP authentication - Added by Yann Bordenave almost 10 years ago

A little question regarding LDAP auth: I have checked the on-the-fly user creation. If I am correct, this is supposed to create my OP user account when I try to connect to OpenProject with my LDAP credentials. Am I right?

Edit: In fact, I am stuck at the same point you were: when I try to log in or if I hit the “test” link, no packet is sent to my LDAP server. How did you solve that?

RE: OpenID or LDAP authentication - Added by Yann Bordenave almost 10 years ago

It is OK now: this is because OpenProject still sets the authentication method as “abstract”.
You must connect to your MySQL server and run this command: update auth_sources set type = 'LdapAuthSource';

That line sets the authentication method to LDAP, and then OpenProject will use it as a valid authentication backend.

That done, I am still interested in getting OpenID working. If someone has successfully set it up in their instance, could they share their experience here? :)

Regards.

RE: OpenID or LDAP authentication - Added by Jan Sandbrink almost 10 years ago

Hello,

I am currently investigating some issues regarding LDAP Authentication.
I could already identify and fix the issues you were reporting about the wrong form being displayed at creation and, subsequently, the type of the auth source being wrong.

I am issuing a PR against the release/4.2 branch, but can’t promise that it will make it into the next release of 4.2 (which is imminent).

RE: OpenID or LDAP authentication - Added by Markus Kahl almost 10 years ago

Hey Yann,

You’re right. Unfortunately the documentation is lacking there. I will amend it.
Until then, here goes an explanation:

You can configure arbitrary OpenIDConnect providers in config/configuration.yml of your OpenProject installation. Example:

default:
  openid_connect:
    google:
      identifier: "42ut40u34498t3890uto.apps.googleusercontent.com"
      secret: "589yu4hj5gh85"
      icon: "openid_connect/auth_provider-google.png"
      display_name: "Google"

In the case of Google, the only two required parameters are identifier and secret, which you get from Google. The icon and display_name are optional.

You can use your own icons, too. They have to be available under public/assets in your OpenProject installation. For instance, the given icon is shipped with OpenProject already and can be found under public/assets/openid_connect/auth_provider-google.png.

The display name is just the label used in OpenProject’s login screen.

As said before, you can use arbitrary providers. They may require you to configure a couple more things, though. For example:

  default:
    openid_connect:
      myprovider:
        port: 443
        scheme: "https"
        host: "myprovider.com"
        identifier: ENV["OP_CLIENT_ID"]
        secret: ENV["OP_SECRET_KEY"]
        authorization_endpoint: "/authorize"
        token_endpoint: "/token"
        userinfo_endpoint: "/userinfo"

A list of all options can be found here in the code of the gem we use.

As you see, you can get the secrets from the environment. You can also just put them straight in there, though, as strings.

If you need any help feel free to join us on gitter, where I can help you out if you get stuck.

RE: OpenID or LDAP authentication - Added by Alexander Adam almost 3 years ago

Is it also possible to set these options via ENV variables?

RE: OpenID or LDAP authentication - Added by Markus Kahl almost 3 years ago

Yes it's supposed to be, technically. Although a recent bug was introduced that broke this. I've created a bug report for it and already created a bugfix PR.

The bugfix will likely be released with the next patch level release (12.1.5). Once this has been released you can configure this via env again.

The PR also adds some extra documentation showing what this would look like.

RE: RE: OpenID or LDAP authentication - Added by Alexander Adam almost 3 years ago

Thank you Markus. I missed the response on this.

So since the documentation says:

At the time of writing the known providers are: azure, google, okta

So this means that users with their own OIDC providers like Authelia, GitLab, Nextcloud, Keycloak or Authentik won't be able to use OpenID Connect with OpenProject?

Did I understand this correctly?
It seems that the provider definition only maps a few URLs and a logo anyway. So in theory these could be set via ENV variables as well, right?

For instance

  • OPENPROJECT_OPENID__CONNECT_AUTHORIZATION_ENDPOINT
  • OPENPROJECT_OPENID__CONNECT_TOKEN_ENDPOINT
  • OPENPROJECT_OPENID__CONNECT_USERINFO_ENDPOINT
  • OPENPROJECT_OPENID__CONNECT_SEND_NONCE

RE: RE: OpenID or LDAP authentication - Added by Markus Kahl over 2 years ago

Alexander Adam wrote:

Thank you Markus. I missed the response on this.

So since the documentation says:

At the time of writing the known providers are: azure, google, okta

So this means that users with their own OIDC providers like Authelia, GitLab, Nextcloud, Keycloak or Authentik won't be able to use OpenID Connect with OpenProject?

Did I understand this correctly?

No, this only means these 3 are the providers for which we have pre-defined the configurations.
You can use any OIDC provider you want but may have to adjust things as described in the docs. [1]
The docs also link to a list of all options [2] in the omniauth_openid_connect gem, which we use.

It seems that the provider definition only maps a few URLs and a logo anyway. So in theory these could be set via ENV variables as well, right?

For instance

OPENPROJECT_OPENID__CONNECT_AUTHORIZATION_ENDPOINT
OPENPROJECT_OPENID__CONNECT_TOKEN_ENDPOINT
OPENPROJECT_OPENID__CONNECT_USERINFO_ENDPOINT
OPENPROJECT_OPENID__CONNECT_SEND_NONCE

Yes, you should be able to configure this through the environment now.
Mind, you have to escape underscores in the variable names.
So token_endpoint becomes OPENPROJECT_OPENID__CONNECT_GITLAB_TOKEN__ENDPOINT.

Where GITLAB is just an arbitrary identifier used in the callback URL for this configured provider.

[1] https://www.openproject.org/docs/installation-and-operations/misc/custom-openid-connect-providers/
[2] https://github.com/omniauth/omniauth_openid_connect#options-overview
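As an added example that is not part of the thread or of OpenProject's own code, the Ruby below applies the naming rule from the last two posts (nesting levels joined with a single underscore, a literal underscore in a key written as "__", everything under the OPENPROJECT_ prefix) to the provider options Markus listed earlier (host, token_endpoint, userinfo_endpoint): it builds the variable name for a config path and parses a set of such variables back into the nested openid_connect structure. The "gitlab" provider name and all values are constructed placeholders; the parsing code is an illustration of the rule, not the loader OpenProject ships.

```ruby
# Added example (not OpenProject's own code): round-trip between a nested
# openid_connect configuration and OPENPROJECT_* environment variable names.
# Rule from the thread: nesting levels are joined with "_", and a literal
# underscore inside a key is escaped as "__".

PREFIX = "OPENPROJECT_"

# Build the variable name for a config path such as
# ["openid_connect", "gitlab", "token_endpoint"].
def env_name_for(path)
  PREFIX + path.map { |key| key.to_s.gsub("_", "__").upcase }.join("_")
end

# Split an escaped name back into its key path. A "__" is a literal underscore
# and must not be treated as a nesting separator, so swap it for a sentinel
# that cannot occur in a variable name before splitting on single underscores.
def path_for(env_name)
  body = env_name.delete_prefix(PREFIX)
  body.gsub("__", "\0").split("_").map { |seg| seg.tr("\0", "_").downcase }
end

# Collect every OPENPROJECT_* variable from an environment hash into a nested
# Hash, e.g. {"openid_connect" => {"gitlab" => {"token_endpoint" => "/token"}}}.
# Unrelated variables are ignored.
def nested_config_from_env(env)
  env.each_with_object({}) do |(name, value), config|
    next unless name.start_with?(PREFIX)
    *parents, leaf = path_for(name)
    target = parents.reduce(config) { |level, key| level[key] ||= {} }
    target[leaf] = value
  end
end

# Constructed sample environment for a hypothetical provider named "gitlab",
# using the option names from the thread. Values are placeholders only.
SAMPLE_ENV = {
  "OPENPROJECT_OPENID__CONNECT_GITLAB_HOST" => "gitlab.example.com",
  "OPENPROJECT_OPENID__CONNECT_GITLAB_TOKEN__ENDPOINT" => "/oauth/token",
  "OPENPROJECT_OPENID__CONNECT_GITLAB_USERINFO__ENDPOINT" => "/oauth/userinfo",
  "OPENPROJECT_OPENID__CONNECT_GITLAB_SEND__NONCE" => "true",
  "PATH" => "/usr/bin", # unrelated variable, must be ignored
}

if __FILE__ == $PROGRAM_NAME
  p env_name_for(%w[openid_connect gitlab token_endpoint])
  p nested_config_from_env(SAMPLE_ENV)
end
```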
