Changes

7,350 bytes added , 3 months ago

m

→‎Composing MAIN_AUTHENTICATION_OPENID_URL

Line 9: Line 9:

*ldap

*forceuser

−

*...

+

*googleoauth (for Google OAuth 2 authentication, Dolibarr 18+)...

You can combine several methods (some combinations are however technically not compatible). If you use several method (separated by a coma), you will try to authenticate using the first method and if it fails, the next method will be used. For example, if you set

Line 22: Line 22:

=Description of available authentication modes=

−

==dolibarr==

+

==Mode dolibarr==

−

With this method, the login and pass you entered on login page will be compared to the login and the hashed password saved into the Dolibarr database (Table llx_user).

+

With this method, the login and pass you entered on login page will be compared to the login and the hashed password saved into the Dolibarr database ([[Table llx_user]]).

−

==http==

+

==Mode http==

You can set the authentication mode to "http" if your Dolibarr web application is protected by an Apache http basic authentication form. The login/pass are stored into the file used by the HTTP Basic system to store passwords (it is often a file called '''.htpasswd''' if you used the '''mod_auth_basic''' + '''mod_authn_file''' plugin of Apache).

Line 34: Line 34:

Note that the user must also exists as a existing user into the Dolibarr user database. Also the date of validity of this user must be valid.

−

==ldap==

+

==Mode ldap==

If you set the authentication mode to LDAP, the test of the validity of your login and password are done using a LDAP database.

Line 44: Line 44:

−

==forceuser==

+

==Mode forceuser==

−

When this method is used, there is no need to enter a login or password. No login page is ~~show~~. The user will be automatically set to the one defined into the variable '''$dolibarr_auto_user''' saved into '''htdocs/conf/conf.php'''

+

When this method is used, there is no need to enter a login or password. No login page is shown. The user will be automatically set to the one defined into the variable '''$dolibarr_auto_user''' saved into '''htdocs/conf/conf.php'''

This mode is used only on development platforms. For example on an instance used to make demo or automated tests.

Note that the user must also exists as a existing user into the Dolibarr user database. Also the date of validity of this user must be valid.

+

==Mode googleoauth==

+

This code is to use the Google OAuth 2 authentication. It is available with version 18+.

+

*First enable the [[Module OAuth]] on Dolibarr.

+

*Into the setup of the module, you must create an OAuth entry for provider Google and label "'''Login'''" (no other label will works). You will find a value for a '''Redirect URI''' that you must use in the next step.

+

*Go on Google console https://console.cloud.google.com/ - Menu API and services - Credentials, and create an '''OAuth ID client'''. You must use the URL found at previous step as '''Authorized redirect URIs'''.

+

*Go back to the Dolibarr OAuth setup page to enter the '''client ID''' and '''secret ID''' of the OAuth entry you have created. Choose the scope/permissions "'''openid'''" and "'''email'''".

+

*Edit the file conf/conf.php and set $dolibarr_main_authentication to "googleoauth" or "dolibarr,googleoauth" to allow both authentication with Dolibarr login/pass and with Google OAuth2

+

Now try to login. You must enter your Google account and you will be able to login without password if and only if a user exists into the Dolibarr database with the same email address than the one used to login to Google.

+

==Mode openid==

+

The method "openid" is an old method for using openID.

+

Try to use instead the next method "openid_connect"

+

==Mode openid_connect==

+

===OpenID Connect using the native method===

+

This is a new method available with Dolibarr v18 to connect using OpenID Connect.

+

====In the Dolibarr conf file====

+

#Configure the authentication methods in <code>conf.php</code> (<code>/var/www/html/conf/conf.php</code>) and add <code>openid_connect</code>. For e.g.:

+

<code>$dolibarr_main_authentication='openid_connect,dolibarr'</code>

+

==== Dolibarr application setup ====

+

Then you must set parameters and options of your openid connect service. From v21, you can enable the module OpenIDConnect to edit them. From v18 to v20, you must edit them from menu '''Home - Setup - Other'''.

+

{| class="wikitable"

+

!Name

+

!Example

+

!Comment

+

!Description

+

|-

+

|<code>MAIN_AUTHENTICATION_OIDC_CLIENT_ID</code>

+

|<code>My-Super-Awesome-Client-ID-1234</code>

+

|OpenID Connect Client ID

+

|Application client ID

+

|-

+

|<code>MAIN_AUTHENTICATION_OIDC_CLIENT_SECRET</code>

+

|<code>My-Very-Hidden-Client-Secret-1234</code>

+

|OpenID Connect Client Secret

+

|Application client secret

+

|-

+

|<code>MAIN_AUTHENTICATION_OIDC_AUTHORIZE_URL</code>

+

|<code><nowiki>https://tenant.us.auth0.com/oauth/authorize</nowiki></code>

+

|OpenID Authorize URL

+

|<code>/authorize</code> endpoint

+

|-

+

|<code>MAIN_AUTHENTICATION_OIDC_TOKEN_URL</code>

+

|<code><nowiki>https://tenant.us.auth0.com/oauth/token</nowiki></code>

+

|OpenID Connect token URL

+

|<code>/token</code> endpoint

+

|-

+

|<code>MAIN_AUTHENTICATION_OIDC_USERINFO_URL</code>

+

|<code><nowiki>https://tenant.us.auth0.com/userinfo</nowiki></code>

+

|OpenID Connect userinfo URL

+

|<code>/userinfo</code> endpoint

+

|-

+

|<code>MAIN_AUTHENTICATION_OIDC_REDIRECT_URL</code>

+

|<code><nowiki>https://dolibarr.domain.com/?openid_mode=true</nowiki></code>

+

|OpenID Connect redirect URL

+

|Dolibarr URL followed by <code>/?openid_mode=true</code>

+

|-

+

|<code>MAIN_AUTHENTICATION_OIDC_LOGIN_CLAIM</code>

+

|<code>email</code>

+

|OpenID Connect login claim

+

|OpenID Connect claim matching the Dolibarr user login. If not set or empty, defaults to <code>email</code>

+

|-

+

|<code>MAIN_LOGOUT_GOTO_URL</code>

+

|See later

+

|Identity Provider logout URL

+

|Composed IdP logout URL

+

|}

+

Source page https://github.com/Dolibarr/dolibarr/issues/22740.

+

====Composing <code>MAIN_AUTHENTICATION_OPENID_URL</code>====

+

The MAIN_AUTHENTICATION_OPENID_URL will be generated (but if you prefer, you can set it manually from Home - Setup - Other) to

+

<pre>

+

MAIN_AUTHENTICATION_OIDC_AUTHORIZE_URL?client_id=MAIN_AUTHENTICATION_OIDC_CLIENT_ID&redirect_uri=mydolibarr/core/modules/openid_connect/callback.php&scope=MAIN_AUTHENTICATION_OIDC_SCOPES&response_type=code

+

</pre>

+

This is the main OpenID Connect authentication URL, which allows the user to log in and then be redirected back to Dolibarr. It makes use of some already existing OpenID 2.0 features.

+

#Retrieve the <code>/authorize</code> endpoint of your OpenID server. The value depends on the used Identity Provider. E.g.: <code><nowiki>https://tenant.us.auth0.com/authorize</nowiki></code>

+

#Build the URL parameters:

+

+

{| class="wikitable"

+

!Param name

+

!Description

+

!Example

+

|-

+

|client_id

+

|Application client ID

+

|<code>My-Super-Awesome-Client-ID-1234</code>

+

|-

+

|redirect_uri

+

|Dolibarr URL followed by <code>/?openid_mode=true</code>, then URL encoded. Must be authorized as callback URL

+

|Before URL encoding: <code><nowiki>https://dolibarr.domain.com/?openid_mode=true</nowiki></code> - After URL encoding: <code>https%3A%2F%2Fdolibarr.domain.com%2F%3Fopenid_mode%3Dtrue</code>

+

|-

+

|scope

+

|OpenID scope of required user info

+

|<code>openid profile email</code>

+

|-

+

|response_type

+

|OAuth flow name, here we use <code>code</code> for the Authorization Code flow

+

|<code>code</code>

+

|-

+

|state

+

|A number

+

|1234568

+

|}

−

==~~googleauth~~==

+

The final MAIN_AUTHENTICATION_OPENID_URL content should be like: <code><nowiki>https://tenant.us.auth0.com/authorize?client_id=My-Super-Awesome-Client-ID-1234&redirect_uri=https%3A%2F%2Fdolibarr.domain.com%2F%3Fopenid_mode%3Dtrue&scope=openid</nowiki> profile email&response_type=code&state=anumber</code>

−

~~This method is still in development and is not yet available~~

+

−

==~~openid~~==

+

==== Composing <code>MAIN_LOGOUT_GOTO_URL</code> ====

−

~~This method is not yet available and still in development.~~

+

# Retrieve the <code>/logout</code> endpoint. The value depends on the used Identity Provider. E.g.: <code><nowiki>https://tenant.us.auth0.com/v2/logout</nowiki></code>Build the URL parameters

+

# Build the URL parameters

−

~~However, if~~ you need to connect using OpenID, you can ~~already~~ do it using the following solution:

+

{| class="wikitable"

+

!Param name

+

!Description

+

!Example

+

|-

+

|client_id

+

|Application client ID

+

|<code>My-Super-Awesome-Client-ID-1234</code>

+

|-

+

|returnTo

+

|URL to be redirected to after logout. Use Dolibarr URL. Must be authorized as logout URL

+

|<code><nowiki>https://dolibar.domain.com</nowiki></code>

+

|}

+

# The final MAIN_LOGOUT_GOTO_URL content should be like: <code><nowiki>https://tenant.us.auth0.com/v2/logout?client_id=My-Super-Awesome-Client-ID-1234&returnTo=https://dolibar.domain.com</nowiki></code>

+

+

===OpenID Connect using OpenID and the HTTP Basic of Apache===

+

If you need to connect using OpenID Connect without using the native method (for example for Dolibarr < 18), you can also do it using the following solution:

−

~~===Connect to dolibarr using Openid and the HTTP Basic of Apache===~~

The idea is to use two elements:

Line 74: Line 215:

−

...

+

...

+

OIDCProviderMetadataURL https://login.microsoftonline.com/your-tenant-id/v2.0/.well-known/openid-configuration

+

OIDCClientID youropenidclient

+

OIDCClientSecret yoursecret

+

OIDCCryptoPassphrase randomstring

+

OIDCRedirectURI https://mydolibarr.example.com/sso_redirect

+

OIDCScope "openid email profile"

+

OIDCRemoteUserClaim email ^(.*)@

+

# Disable openid-connect if using DoliDroid

+

SetEnvIf User-Agent DoliDroid no-auth

+

+

# Docroot

+

AuthType openid-connect

+

Require valid-user

+

Require env no-auth

+

</Directory>

+

# Disallow openid-connect on some public pages or services

+

# Leaving /public and /api, /dav, .well_known but also wrappers for document, viewimage and public json/img accessible to everyone

+

+

AuthType None

+

Satisfy any

+

Require all granted

+

</Directory>

+

+

AuthType None

+

Satisfy any

+

Require all granted

+

</Directory>

+

+

AuthType None

+

Satisfy any

+

Require all granted

+

</Directory>

+

+

AuthType None

+

Satisfy any

+

Require all granted

+

</Directory>

−

~~OIDCProviderMetadataURL https://login~~.~~microsoftonline~~.~~com/your-tenant-id/v2~~.0/.~~well-known/openid-configuration~~

+

−

~~OIDCClientID youropenidclient~~

+

AuthType None

−

~~OIDCClientSecret yoursecret~~

+

Require all granted

−

~~OIDCCryptoPassphrase randomstring~~

+

Satisfy any

−

~~OIDCRedirectURI https://mydolibarr.example.com~~/~~sso_redirect~~

+

</Files>

−

~~OIDCScope "openid email profile"~~

−

~~OIDCRemoteUserClaim email ^(.*)@~~

−

~~# Disable openid-connect if using DoliDroid~~

−

~~SetEnvIf User-Agent DoliDroid no-auth~~

−

~~<Directory /home/...~~/~~htdocs>~~

+

# And to support/manage the disconnetion

−

~~# Docroot~~

+

RewriteEngine on

−

~~AuthType openid-connect~~

+

RewriteCond %{REQUEST_URI} /user/logout.php

−

~~Require valid-~~user

+

RewriteRule ^ /sso_redirect?logout= [R,L]

−

~~Require env no-auth~~

−

</~~Directory>~~

</syntaxhighlight>

Eldy

Bureaucrats, Interface administrators, Administrators

29,276

edits

Changes

Authentication, SSO and SSL (view source)

Revision as of 15:50, 6 March 2025