Changes

m
Line 54: Line 54:  
This code is to use the Google OAuth 2 authentication. It is available with version 18+.
 
This code is to use the Google OAuth 2 authentication. It is available with version 18+.
   −
*First enable the module OAuth on Dolibarr.
+
*First enable the [[Module OAuth]] on Dolibarr.
 
*Into the setup of the module, you must create an OAuth entry for provider Google and label "'''Login'''" (no other label will works). You will find a value for a '''Redirect URI''' that you must use in the next step.
 
*Into the setup of the module, you must create an OAuth entry for provider Google and label "'''Login'''" (no other label will works). You will find a value for a '''Redirect URI''' that you must use in the next step.
 
*Go on Google console https://console.cloud.google.com/ - Menu API and services - Credentials, and create an '''OAuth ID client'''. You must use the URL found at previous step as '''Authorized redirect URIs'''.
 
*Go on Google console https://console.cloud.google.com/ - Menu API and services - Credentials, and create an '''OAuth ID client'''. You must use the URL found at previous step as '''Authorized redirect URIs'''.
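Review bot: the unchanged context around the new [[Module OAuth]] link still reads "no other label will works"; while this bullet is being touched, change it to "no other label will work". On the same bullet list, the instruction to reuse the Redirect URI from the module setup as Google's Authorized redirect URI is right but worth tightening to "must match exactly (scheme, host, path)", since the two values are compared as registered and a trailing difference breaks the callback.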
Line 70: Line 70:  
===OpenID Connect using the native method===
 
===OpenID Connect using the native method===
 
This is a new method available with Dolibarr v18 to connect using OpenID Connect.
 
This is a new method available with Dolibarr v18 to connect using OpenID Connect.
You can set the authentication method value to "openid_connect".
     −
<br />
     −
====On the Dolibarr host====
+
====In the Dolibarr conf file====
    
#Configure the authentication methods in <code>conf.php</code> (<code>/var/www/html/conf/conf.php</code>) and add <code>openid_connect</code>. For e.g.:
 
#Configure the authentication methods in <code>conf.php</code> (<code>/var/www/html/conf/conf.php</code>) and add <code>openid_connect</code>. For e.g.:
   −
<code>$dolibarr_main_authentication='openid_connect,dolibarr'</code>
+
<code>$dolibarr_main_authentication='openid_connect,dolibarr'</code>
<br />
+
 
 +
 
 +
==== Dolibarr application setup ====
 +
 
 +
Then you must set parameters and options of your openid connect service. From v21, you can enable the module OpenIDConnect to edit them. From v18 to v20, you must edit them from menu '''Home - Setup - Other'''.
 +
 
 +
{| class="wikitable"
 +
!Name
 +
!Example
 +
!Comment
 +
!Description
 +
|-
 +
|<code>MAIN_AUTHENTICATION_OIDC_CLIENT_ID</code>
 +
|<code>My-Super-Awesome-Client-ID-1234</code>
 +
|OpenID Connect Client ID
 +
|Application client ID
 +
|-
 +
|<code>MAIN_AUTHENTICATION_OIDC_CLIENT_SECRET</code>
 +
|<code>My-Very-Hidden-Client-Secret-1234</code>
 +
|OpenID Connect Client Secret
 +
|Application client secret
 +
|-
 +
|<code>MAIN_AUTHENTICATION_OIDC_AUTHORIZE_URL</code>
 +
|<code><nowiki>https://tenant.us.auth0.com/oauth/authorize</nowiki></code>
 +
|OpenID Authorize URL
 +
|<code>/authorize</code> endpoint
 +
|-
 +
|<code>MAIN_AUTHENTICATION_OIDC_TOKEN_URL</code>
 +
|<code><nowiki>https://tenant.us.auth0.com/oauth/token</nowiki></code>
 +
|OpenID Connect token URL
 +
|<code>/token</code> endpoint
 +
|-
 +
|<code>MAIN_AUTHENTICATION_OIDC_USERINFO_URL</code>
 +
|<code><nowiki>https://tenant.us.auth0.com/userinfo</nowiki></code>
 +
|OpenID Connect userinfo URL
 +
|<code>/userinfo</code> endpoint
 +
|-
 +
|<code>MAIN_AUTHENTICATION_OIDC_REDIRECT_URL</code>
 +
|<code><nowiki>https://dolibarr.domain.com/?openid_mode=true</nowiki></code>
 +
|OpenID Connect redirect URL
 +
|Dolibarr URL followed by <code>/?openid_mode=true</code>
 +
|-
 +
|<code>MAIN_AUTHENTICATION_OIDC_LOGIN_CLAIM</code>
 +
|<code>email</code>
 +
|OpenID Connect login claim
 +
|OpenID Connect claim matching the Dolibarr user login. If not set or empty, defaults to <code>email</code>
 +
|-
 +
|<code>MAIN_LOGOUT_GOTO_URL</code>
 +
|See later
 +
|Identity Provider logout URL
 +
|Composed IdP logout URL
 +
|}
 +
 
 +
 
 +
Source page https://github.com/Dolibarr/dolibarr/issues/22740.
    
====Composing <code>MAIN_AUTHENTICATION_OPENID_URL</code>====
 
====Composing <code>MAIN_AUTHENTICATION_OPENID_URL</code>====
    +
The MAIN_AUTHENTICATION_OPENID_URL will be generated (but if you prefer, you can set it manually from Home - Setup - Other) to
 +
 +
<pre>
 +
MAIN_AUTHENTICATION_OIDC_AUTHORIZE_URL?client_id=MAIN_AUTHENTICATION_OIDC_CLIENT_ID&redirect_uri=mydolibarr/core/modules/openid_connect/callback.php&scope=MAIN_AUTHENTICATION_OIDC_SCOPES&response_type=code
 +
</pre>
    
This is the main OpenID Connect authentication URL, which allows the user to log in and then be redirected back to Dolibarr. It makes use of some already existing OpenID 2.0 features.
 
This is the main OpenID Connect authentication URL, which allows the user to log in and then be redirected back to Dolibarr. It makes use of some already existing OpenID 2.0 features.
   −
#Retrieve the <code>/authorize</code> endpoint. The value depends on the used Identity Provider.  E.g.: <code><nowiki>https://tenant.us.auth0.com/authorize</nowiki></code>
+
#Retrieve the <code>/authorize</code> endpoint of your OpenID server. The value depends on the used Identity Provider.  E.g.: <code><nowiki>https://tenant.us.auth0.com/authorize</nowiki></code>
 
#Build the URL parameters:
 
#Build the URL parameters:
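Review bot: the generated URL template in the <pre> block and the new parameter table disagree on the redirect target. The template sends redirect_uri=mydolibarr/core/modules/openid_connect/callback.php, while MAIN_AUTHENTICATION_OIDC_REDIRECT_URL is documented in the table as the Dolibarr URL followed by /?openid_mode=true, and the worked example a few lines further down uses that second form. Pick one and use it in both places; the value registered at the Identity Provider has to match the one Dolibarr sends. Two smaller inconsistencies in the same hunk: the template references MAIN_AUTHENTICATION_OIDC_SCOPES, which has no row in the table, and the authorize endpoint is given as /oauth/authorize in the table but as /authorize in step 1 below. Finally, the template carries no state parameter even though the parameter table later in this diff adds one; add it to the template as well so the two descriptions of the URL agree.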
   Line 110: Line 167:  
|OAuth flow name, here we use <code>code</code> for the Authorization Code flow
 
|OAuth flow name, here we use <code>code</code> for the Authorization Code flow
 
|<code>code</code>
 
|<code>code</code>
 +
|-
 +
|state
 +
|A number
 +
|1234568
 
|}
 
|}
 
<br />
 
<br />
   −
# The final MAIN_AUTHENTICATION_OPENID_URL content should be like:  <code><nowiki>https://tenant.us.auth0.com/authorize?client_id=My-Super-Awesome-Client-ID-1234&redirect_uri=https%3A%2F%2Fdolibarr.domain.com%2F%3Fopenid_mode%3Dtrue&scope=openid</nowiki> profile email&response_type=code</code>
+
The final MAIN_AUTHENTICATION_OPENID_URL content should be like:  <code><nowiki>https://tenant.us.auth0.com/authorize?client_id=My-Super-Awesome-Client-ID-1234&redirect_uri=https%3A%2F%2Fdolibarr.domain.com%2F%3Fopenid_mode%3Dtrue&scope=openid</nowiki> profile email&response_type=code&state=anumber</code>
    
<br />
 
<br />
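Review bot: the new state row describes the value as "A number" with a fixed example (1234568), and the final URL uses state=anumber, which reads as a constant an administrator types in once. The state parameter is what lets the application reject a callback it did not initiate, so it only does its job as a fresh, unguessable value generated per login attempt and compared on return. The row should say that, and if Dolibarr generates and checks the value itself, the doc should state so and drop state from the admin-facing URL example rather than suggest a static number.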
Line 139: Line 200:     
<br />
 
<br />
  −
==== Dolibarr application setup ====
  −
The final configuration step is to create the following values in '''Home > Setup > Other Setup'''.
  −
{| class="wikitable"
  −
!Name
  −
!Example
  −
!Comment
  −
!Description
  −
|-
  −
|<code>MAIN_AUTHENTICATION_OPENID_URL</code>
  −
|See above
  −
|OpenID Connect URL
  −
|Composed OpenID Connect URL
  −
|-
  −
|<code>MAIN_LOGOUT_GOTO_URL</code>
  −
|See above
  −
|Identity Provider logout URL
  −
|Composed IdP logout URL
  −
|-
  −
|<code>MAIN_AUTHENTICATION_OIDC_CLIENT_ID</code>
  −
|<code>My-Super-Awesome-Client-ID-1234</code>
  −
|OpenID Connect Client ID
  −
|Application client ID
  −
|-
  −
|<code>MAIN_AUTHENTICATION_OIDC_CLIENT_SECRET</code>
  −
|<code>My-Very-Hidden-Client-Secret-1234</code>
  −
|OpenID Connect Client Secret
  −
|Application client secret
  −
|-
  −
|<code>MAIN_AUTHENTICATION_OIDC_TOKEN_URL</code>
  −
|<code><nowiki>https://tenant.us.auth0.com/oauth/token</nowiki></code>
  −
|OpenID Connect token URL
  −
|<code>/token</code> endpoint
  −
|-
  −
|<code>MAIN_AUTHENTICATION_OIDC_USERINFO_URL</code>
  −
|<code><nowiki>https://tenant.us.auth0.com/userinfo</nowiki></code>
  −
|OpenID Connect userinfo URL
  −
|<code>/userinfo</code> endpoint
  −
|-
  −
|<code>MAIN_AUTHENTICATION_OIDC_REDIRECT_URL</code>
  −
|<code><nowiki>https://dolibarr.domain.com/?openid_mode=true</nowiki></code>
  −
|OpenID Connect redirect URL
  −
|Dolibarr URL followed by <code>/?openid_mode=true</code>
  −
|-
  −
|<code>MAIN_AUTHENTICATION_OIDC_LOGIN_CLAIM</code>
  −
|<code>email</code>
  −
|OpenID Connect login claim
  −
|OpenID Connect claim matching the Dolibarr user login. If not set or empty, defaults to <code>email</code>
  −
|}
  −
  −
  −
Source page https://github.com/Dolibarr/dolibarr/issues/22740.
      
===OpenID Connect using OpenID and the HTTP Basic of Apache===
 
===OpenID Connect using OpenID and the HTTP Basic of Apache===
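Review bot: removing this table drops the only row that listed MAIN_AUTHENTICATION_OPENID_URL as a setup parameter, and the replacement table earlier in the diff does not carry it over, even though the new prose still says the value can be set manually from Home - Setup - Other. Add a row for it in the new table (example "See above", comment "OpenID Connect URL", as here) so the parameter stays discoverable alongside the OIDC_* values. Consolidating the duplicated "Source page https://github.com/Dolibarr/dolibarr/issues/22740." line into the new section is fine.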