Line 23:
Line 23:
==Mode dolibarr==
==Mode dolibarr==
−
With this method, the login and pass you entered on login page will be compared to the login and the hashed password saved into the Dolibarr database (Table llx_user).
+
With this method, the login and pass you entered on login page will be compared to the login and the hashed password saved into the Dolibarr database ([[Table llx_user]]).
==Mode http==
==Mode http==
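Review bot: the sentence in this hunk ("the login and pass you entered ... will be compared to the login and the hashed password saved into the Dolibarr database") reads as if the plaintext password were compared with the stored hash; since the page says the stored value is a hash, say that the submitted password is hashed and the result is compared with the hash stored in llx_user, which also makes the [[Table llx_user]] link more useful to the reader.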
Line 45:
Line 45:
==Mode forceuser==
==Mode forceuser==
−
When this method is used, there is no need to enter a login or password. No login page is show. The user will be automatically set to the one defined into the variable '''$dolibarr_auto_user''' saved into '''htdocs/conf/conf.php'''
+
When this method is used, there is no need to enter a login or password. No login page is shown. The user will be automatically set to the one defined into the variable '''$dolibarr_auto_user''' saved into '''htdocs/conf/conf.php'''
This mode is used only on development platforms. For example on an instance used to make demo or automated tests.
This mode is used only on development platforms. For example on an instance used to make demo or automated tests.
Note that the user must also exists as a existing user into the Dolibarr user database. Also the date of validity of this user must be valid.
Note that the user must also exists as a existing user into the Dolibarr user database. Also the date of validity of this user must be valid.
−
<br />
==Mode googleoauth==
==Mode googleoauth==
This code is to use the Google OAuth 2 authentication. It is available with version 18+.
This code is to use the Google OAuth 2 authentication. It is available with version 18+.
−
* First enable the module OAuth on Dolibarr.
+
*First enable the [[Module OAuth]] on Dolibarr.
−
* Into the setup of the module, you must create an OAuth entry for provider Google and label "Login" (no other label will works). You will find a value for a '''Redirect URI''' that you must use in the next step.
+
*Into the setup of the module, you must create an OAuth entry for provider Google and label "'''Login'''" (no other label will works). You will find a value for a '''Redirect URI''' that you must use in the next step.
−
* Go on Google console https://console.cloud.google.com/ - Menu API and services - Credentials, and create an '''OAuth ID client'''. You must use the URL found at previous step as '''Authorized redirect URIs'''.
+
*Go on Google console https://console.cloud.google.com/ - Menu API and services - Credentials, and create an '''OAuth ID client'''. You must use the URL found at previous step as '''Authorized redirect URIs'''.
−
* Go back to the Dolibarr OAuth setup page to enter the '''client ID''' and '''secret ID''' of the OAuth entry you have created. Choose the scope/permissions "'''openid'''" and "'''email'''".
+
*Go back to the Dolibarr OAuth setup page to enter the '''client ID''' and '''secret ID''' of the OAuth entry you have created. Choose the scope/permissions "'''openid'''" and "'''email'''".
−
* Edit the file conf/conf.php and set $dolibarr_main_authentication to "googleoauth" or "dolibarr,googleoauth" to allow both authentication with login/pass and google OAuth2
+
*Edit the file conf/conf.php and set $dolibarr_main_authentication to "googleoauth" or "dolibarr,googleoauth" to allow both authentication with Dolibarr login/pass and with Google OAuth2
Now try to login. You must enter your Google account and you will be able to login without password if and only if a user exists into the Dolibarr database with the same email address than the one used to login to Google.
Now try to login. You must enter your Google account and you will be able to login without password if and only if a user exists into the Dolibarr database with the same email address than the one used to login to Google.
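Review bot: the forceuser paragraph still says "must also exists as a existing user" (should be "must also exist as a user") and the googleoauth bullet still says "no other label will works" (should be "will work"); since this edit already fixes "show" to "shown", correct those in the same pass. On forceuser, because $dolibarr_auto_user removes the login page entirely, the line "This mode is used only on development platforms" should be stated as a requirement rather than a description, e.g. that it must not be set in htdocs/conf/conf.php on a production instance. On googleoauth, the only link between the Google identity and the Dolibarr account is the email address (which is why the "email" scope is required); the closing paragraph should also say what happens when no Dolibarr user, or more than one, carries that address.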
Line 71:
Line 70:
===OpenID Connect using the native method===
===OpenID Connect using the native method===
This is a new method available with Dolibarr v18 to connect using OpenID Connect.
This is a new method available with Dolibarr v18 to connect using OpenID Connect.
−
You can set the authentication method value to "openid_connect".
−
See page https://github.com/Dolibarr/dolibarr/issues/22740 for other required setup.
+
+
====In the Dolibarr conf file====
+
+
#Configure the authentication methods in <code>conf.php</code> (<code>/var/www/html/conf/conf.php</code>) and add <code>openid_connect</code>. For e.g.:
+
+
<code>$dolibarr_main_authentication='openid_connect,dolibarr'</code>
+
+
+
==== Dolibarr application setup ====
+
+
Then you must set parameters and options of your openid connect service. From v21, you can enable the module OpenIDConnect to edit them. From v18 to v20, you must edit them from menu '''Home - Setup - Other'''.
+
+
{| class="wikitable"
+
!Name
+
!Example
+
!Comment
+
!Description
+
|-
+
|<code>MAIN_AUTHENTICATION_OIDC_CLIENT_ID</code>
+
|<code>My-Super-Awesome-Client-ID-1234</code>
+
|OpenID Connect Client ID
+
|Application client ID
+
|-
+
|<code>MAIN_AUTHENTICATION_OIDC_CLIENT_SECRET</code>
+
|<code>My-Very-Hidden-Client-Secret-1234</code>
+
|OpenID Connect Client Secret
+
|Application client secret
+
|-
+
|<code>MAIN_AUTHENTICATION_OIDC_AUTHORIZE_URL</code>
+
|<code><nowiki>https://tenant.us.auth0.com/oauth/authorize</nowiki></code>
+
|OpenID Authorize URL
+
|<code>/authorize</code> endpoint
+
|-
+
|<code>MAIN_AUTHENTICATION_OIDC_TOKEN_URL</code>
+
|<code><nowiki>https://tenant.us.auth0.com/oauth/token</nowiki></code>
+
|OpenID Connect token URL
+
|<code>/token</code> endpoint
+
|-
+
|<code>MAIN_AUTHENTICATION_OIDC_USERINFO_URL</code>
+
|<code><nowiki>https://tenant.us.auth0.com/userinfo</nowiki></code>
+
|OpenID Connect userinfo URL
+
|<code>/userinfo</code> endpoint
+
|-
+
|<code>MAIN_AUTHENTICATION_OIDC_REDIRECT_URL</code>
+
|<code><nowiki>https://dolibarr.domain.com/?openid_mode=true</nowiki></code>
+
|OpenID Connect redirect URL
+
|Dolibarr URL followed by <code>/?openid_mode=true</code>
+
|-
+
|<code>MAIN_AUTHENTICATION_OIDC_LOGIN_CLAIM</code>
+
|<code>email</code>
+
|OpenID Connect login claim
+
|OpenID Connect claim matching the Dolibarr user login. If not set or empty, defaults to <code>email</code>
+
|-
+
|<code>MAIN_LOGOUT_GOTO_URL</code>
+
|See later
+
|Identity Provider logout URL
+
|Composed IdP logout URL
+
|}
+
+
+
Source page https://github.com/Dolibarr/dolibarr/issues/22740.
+
+
====Composing <code>MAIN_AUTHENTICATION_OPENID_URL</code>====
+
+
The MAIN_AUTHENTICATION_OPENID_URL will be generated (but if you prefer, you can set it manually from Home - Setup - Other) to
+
+
<pre>
+
MAIN_AUTHENTICATION_OIDC_AUTHORIZE_URL?client_id=MAIN_AUTHENTICATION_OIDC_CLIENT_ID&redirect_uri=mydolibarr/core/modules/openid_connect/callback.php&scope=MAIN_AUTHENTICATION_OIDC_SCOPES&response_type=code
+
</pre>
+
+
This is the main OpenID Connect authentication URL, which allows the user to log in and then be redirected back to Dolibarr. It makes use of some already existing OpenID 2.0 features.
+
+
#Retrieve the <code>/authorize</code> endpoint of your OpenID server. The value depends on the used Identity Provider. E.g.: <code><nowiki>https://tenant.us.auth0.com/authorize</nowiki></code>
+
#Build the URL parameters:
+
+
<br />
+
{| class="wikitable"
+
!Param name
+
!Description
+
!Example
+
|-
+
|client_id
+
|Application client ID
+
|<code>My-Super-Awesome-Client-ID-1234</code>
+
|-
+
|redirect_uri
+
|Dolibarr URL followed by <code>/?openid_mode=true</code>, then URL encoded. Must be authorized as callback URL
+
|Before URL encoding: <code><nowiki>https://dolibarr.domain.com/?openid_mode=true</nowiki></code> - After URL encoding: <code>https%3A%2F%2Fdolibarr.domain.com%2F%3Fopenid_mode%3Dtrue</code>
+
|-
+
|scope
+
|OpenID scope of required user info
+
|<code>openid profile email</code>
+
|-
+
|response_type
+
|OAuth flow name, here we use <code>code</code> for the Authorization Code flow
+
|<code>code</code>
+
|-
+
|state
+
|A number
+
|1234568
+
|}
+
<br />
+
+
The final MAIN_AUTHENTICATION_OPENID_URL content should be like: <code><nowiki>https://tenant.us.auth0.com/authorize?client_id=My-Super-Awesome-Client-ID-1234&redirect_uri=https%3A%2F%2Fdolibarr.domain.com%2F%3Fopenid_mode%3Dtrue&scope=openid</nowiki> profile email&response_type=code&state=anumber</code>
+
+
<br />
+
+
==== Composing <code>MAIN_LOGOUT_GOTO_URL</code> ====
+
+
# Retrieve the <code>/logout</code> endpoint. The value depends on the used Identity Provider. E.g.: <code><nowiki>https://tenant.us.auth0.com/v2/logout</nowiki></code>Build the URL parameters
+
# Build the URL parameters
+
+
{| class="wikitable"
+
!Param name
+
!Description
+
!Example
+
|-
+
|client_id
+
|Application client ID
+
|<code>My-Super-Awesome-Client-ID-1234</code>
+
|-
+
|returnTo
+
|URL to be redirected to after logout. Use Dolibarr URL. Must be authorized as logout URL
+
|<code><nowiki>https://dolibar.domain.com</nowiki></code>
+
|}
+
+
# The final MAIN_LOGOUT_GOTO_URL content should be like: <code><nowiki>https://tenant.us.auth0.com/v2/logout?client_id=My-Super-Awesome-Client-ID-1234&returnTo=https://dolibar.domain.com</nowiki></code>
+
+
<br />
===OpenID Connect using OpenID and the HTTP Basic of Apache===
===OpenID Connect using OpenID and the HTTP Basic of Apache===
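Review bot: the state row of the parameter table ("A number", example 1234568) and the final URL (state=anumber) present state as an arbitrary fixed value; in the Authorization Code flow state is what binds the callback to the browser session that started the login, so the text should say it must be an unpredictable value generated per login attempt and checked when the user is redirected back, and the table example and the URL example should agree. Other points in the same hunk: the generated URL in the <pre> block uses redirect_uri=mydolibarr/core/modules/openid_connect/callback.php and a MAIN_AUTHENTICATION_OIDC_SCOPES constant, while the options table and the parameter list say the redirect URL is the Dolibarr URL followed by /?openid_mode=true and never define MAIN_AUTHENTICATION_OIDC_SCOPES; one of the two descriptions is wrong or version-specific and should be reconciled. In the final MAIN_AUTHENTICATION_OPENID_URL example the scope keeps literal spaces (scope=openid profile email) and the closing </nowiki> falls in the middle of the URL; encode the scope (openid%20profile%20email) and close the tag after the state parameter. In the MAIN_LOGOUT_GOTO_URL section, step 1 has "Build the URL parameters" appended to the endpoint example and then repeated as step 2, the returnTo example uses dolibar.domain.com where the rest of the page uses dolibarr.domain.com, and the returnTo value should be URL-encoded in the same way as redirect_uri above. Minor: the "Comment" and "Description" columns of the options table carry the same information and could be merged, and the single-item "#Configure ..." list and the stray <br /> lines read better as plain paragraphs.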