mirror
/
wg-easy
mirror of https://github.com/wg-easy/wg-easy
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
1416 Commits
5 Branches
28 Tags
18 MiB
 
 
 
 
 
Tree: c4524fbd44
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'c4524fbd44'
${ noResults }
wg-easy/docs/content/advanced/config/external-authentication.md

3.3 KiB
Raw Blame History

title
External Authentication

OAuth

Providers

To enable OAuth set the env var OAUTH_PROVIDERS to any of the following providers:

Provider Value
Google google
GitHub github
Generic OIDC oidc

You can enable multiple providers by separating them with a comma:

e.g. google,github

Google

Env Required Example Description
OAUTH_GOOGLE_CLIENT_ID ✔️ 123.apps.googleusercontent.com Google Client ID
OAUTH_GOOGLE_CLIENT_SECRET ✔️ GOCSPX-xxx Google Client Secret
OAUTH_GOOGLE_ALLOWED_DOMAIN ✖️ example.com Restrict login to a specific email domain

Setup

  1. Go to Google Cloud Console
  2. Create an OAuth 2.0 Client ID (Web application)
  3. Add Authorized redirect URI: https://<your-domain>/api/auth/google/callback
  4. Copy the Client ID and Client Secret to the environment variables

GitHub

Env Required Example Description
OAUTH_GITHUB_CLIENT_ID ✔️ xxx GitHub Client ID
OAUTH_GITHUB_CLIENT_SECRET ✔️ xxx GitHub Client Secret

Generic OIDC

This supports generic OIDC providers like Authelia, Authentik, etc.

The provider needs to support:

  • PKCE
  • default scopes: openid email profile
  • Valid HTTPS
  • Client Secret Authentication client_secret_post
Env Required Default Example Description
OAUTH_OIDC_SERVER ✔️ - https://auth.example.com OIDC Server
OAUTH_OIDC_CLIENT_ID ✔️ - xxx OIDC Client ID
OAUTH_OIDC_CLIENT_SECRET ✔️ - xxx OIDC Client Secret
OAUTH_OIDC_NAME ✖️ OIDC Authelia Provider Name

Authelia Setup

Generate Client ID and Secret:

# Client ID
docker run --rm authelia/authelia:latest authelia crypto rand --length 72 --charset rfc3986
# Client Secret
docker run --rm authelia/authelia:latest authelia crypto hash generate pbkdf2 --variant sha512 --random --random.length 72 --random.charset rfc3986

- client_id: '...'
  client_name: wg-easy
  client_secret: '$pbkdf2-...'
  redirect_uris:
      - https://<your-domain>/api/auth/oidc/callback
  scopes:
      - openid
      - profile
      - email
  authorization_policy: one_factor
  pre_configured_consent_duration: 1 week
  require_pkce: true
  token_endpoint_auth_method: client_secret_post

Generic OAuth

TODO