mirror
/
wg-easy
mirror of https://github.com/wg-easy/wg-easy
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
1420 Commits
5 Branches
28 Tags
18 MiB
 
 
 
 
 
Tree: 09c358522b
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '09c358522b'
${ noResults }
wg-easy/docs/content/advanced/config/external-authentication.md

3.8 KiB
Raw Blame History

title
External Authentication

OAuth

Providers

To enable OAuth set the env var OAUTH_PROVIDERS to any of the following providers:

Provider Value
Google google
GitHub github
Generic OIDC oidc

You can enable multiple providers by separating them with a comma:

e.g. google,github

Redirect URIs

You have to configure the following redirect URIs in your OAuth provider:

  • https://<your-domain>/api/auth/<provider>/callback Used to log in to with the provider
  • https://<your-domain>/api/auth/<provider>/link Used to link an existing account to the provider

If your provider does not support multiple redirect URIs (e.g. GitHub) but allows multiple URIs under the same base, then configure:

  • https://<your-domain>/api/auth/<provider>/

Google

Env Required Example Description
OAUTH_GOOGLE_CLIENT_ID ✔️ - Google Client ID
OAUTH_GOOGLE_CLIENT_SECRET ✔️ - Google Client Secret
OAUTH_GOOGLE_ALLOWED_DOMAIN ✖️ example.com Restrict login to a specific email domain

Setup

  1. Go to Google Cloud Console
  2. Create an OAuth 2.0 Client ID (Web application)
  3. Add Authorized redirect URI: See Redirect URIs
  4. Copy the Client ID and Client Secret to the environment variables

GitHub

Env Required Example Description
OAUTH_GITHUB_CLIENT_ID ✔️ xxx GitHub Client ID
OAUTH_GITHUB_CLIENT_SECRET ✔️ xxx GitHub Client Secret

Generic OIDC

This supports generic OIDC providers like Authelia, Authentik, etc.

The provider needs to support:

  • PKCE
  • default scopes: openid email profile
  • Client Secret Authentication client_secret_post

The provider needs to be available with HTTPS and have a valid certificate.

Env Required Default Example Description
OAUTH_OIDC_SERVER ✔️ - https://auth.example.com OIDC Server
OAUTH_OIDC_CLIENT_ID ✔️ - - OIDC Client ID
OAUTH_OIDC_CLIENT_SECRET ✔️ - - OIDC Client Secret
OAUTH_OIDC_NAME ✖️ OIDC Authelia Provider Name

Authelia Setup

Generate Client ID and Secret:

# Client ID
docker run --rm authelia/authelia:latest authelia crypto rand --length 72 --charset rfc3986
# Client Secret
docker run --rm authelia/authelia:latest authelia crypto hash generate pbkdf2 --variant sha512 --random --random.length 72 --random.charset rfc3986

- client_id: '...'
  client_name: wg-easy
  client_secret: '$pbkdf2-...'
  redirect_uris:
      - https://<your-domain>/api/auth/oidc/callback
      - https://<your-domain>/api/auth/oidc/link
  scopes:
      - openid
      - profile
      - email
  authorization_policy: one_factor
  pre_configured_consent_duration: 1 week
  require_pkce: true
  token_endpoint_auth_method: client_secret_post

Generic OAuth

TODO