diff options
Diffstat (limited to 'docs/content/guides/auth')
| -rw-r--r-- | docs/content/guides/auth/github.md | 35 | ||||
| -rw-r--r-- | docs/content/guides/auth/gitlab-self-hosted.md | 30 | ||||
| -rw-r--r-- | docs/content/guides/auth/keycloak.md | 49 | ||||
| -rw-r--r-- | docs/content/guides/auth/ldap-ad.md | 38 | ||||
| -rw-r--r-- | docs/content/guides/auth/mattermost-self-hosted.md | 56 | ||||
| -rw-r--r-- | docs/content/guides/auth/nextcloud.md | 52 | ||||
| -rw-r--r-- | docs/content/guides/auth/oauth.md | 12 | ||||
| -rw-r--r-- | docs/content/guides/auth/saml-keycloak.md | 113 | ||||
| -rw-r--r-- | docs/content/guides/auth/saml-onelogin.md | 55 | ||||
| -rw-r--r-- | docs/content/guides/auth/saml.md | 97 | ||||
| -rw-r--r-- | docs/content/guides/auth/twitter.md | 42 |
11 files changed, 579 insertions, 0 deletions
diff --git a/docs/content/guides/auth/github.md b/docs/content/guides/auth/github.md new file mode 100644 index 00000000..f540a530 --- /dev/null +++ b/docs/content/guides/auth/github.md @@ -0,0 +1,35 @@ +# Authentication guide - GitHub + +1. Sign-in or sign-up for a GitHub account + +2. Navigate to developer settings in your GitHub account [here](https://github.com/settings/developers) and select the "OAuth Apps" tab + +3. Click on the **New OAuth App** button, to create a new OAuth App: +  + +4. Fill out the new OAuth application registration form, and click **Register Application** +  + + **Note:** *The callback URL is <your-hedgedoc-url>/auth/github/callback* + +5. After successfully registering the application, you'll receive the Client ID and Client Secret for the application +  + +6. Add the Client ID and Client Secret to your config.json file or pass them as environment variables + - `config.json`: + ```js + { + "production": { + "github": { + "clientID": "3747d30eaccXXXXXXXXX", + "clientSecret": "2a8e682948eee0c580XXXXXXXXXXXXXXXXXXXXXX" + } + } + } + ``` + + - environment variables: + ```sh + CMD_GITHUB_CLIENTID=3747d30eaccXXXXXXXXX + CMD_GITHUB_CLIENTSECRET=2a8e682948eee0c580XXXXXXXXXXXXXXXXXXXXXX + ```` diff --git a/docs/content/guides/auth/gitlab-self-hosted.md b/docs/content/guides/auth/gitlab-self-hosted.md new file mode 100644 index 00000000..fc655ac5 --- /dev/null +++ b/docs/content/guides/auth/gitlab-self-hosted.md @@ -0,0 +1,30 @@ +# GitLab (self-hosted) + +*Note:* This guide was written before the renaming. Just replace `HackMD` with `HedgeDoc` in your mind :smile: thanks! + +1. Sign in to your GitLab +2. Navigate to the application management page at `https://your.gitlab.domain/admin/applications` (admin permissions required) +3. Click **New application** to create a new application and fill out the registration form: + + + +4. Click **Submit** +5. In the list of applications select **HackMD**. Leave that site open to copy the application ID and secret in the next step. + + + +6. In the `docker-compose.yml` add the following environment variables to `app:` `environment:` + +```Dockerfile +- CMD_DOMAIN=your.hedgedoc.domain +- CMD_URL_ADDPORT=true +- CMD_PROTOCOL_USESSL=true +- CMD_GITLAB_BASEURL=https://your.gitlab.domain +- CMD_GITLAB_CLIENTID=23462a34example99XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX +- CMD_GITLAB_CLIENTSECRET=5532e9dexamplXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX +``` + +7. Run `docker-compose up -d` to apply your settings. +8. Sign in to your HedgeDoc using your GitLab ID: + + diff --git a/docs/content/guides/auth/keycloak.md b/docs/content/guides/auth/keycloak.md new file mode 100644 index 00000000..82f6d321 --- /dev/null +++ b/docs/content/guides/auth/keycloak.md @@ -0,0 +1,49 @@ +# OAuth with Keycloak/Red Hat SSO (self-hosted) + +## Prerequisites + +This guide assumes you have run and configured Keycloak. If you'd like to meet this prerequisite quickly, it can be achieved by running a `jboss/keycloak` container and attaching it to your network. Set the environment variables KEYCLOAK_USER and `KEYCLOAK_PASSWORD`, and expose port 8080. + +Where HTTPS is specified throughout, use HTTP instead. You may also have to specify the exposed port, 8080. + +## Steps + +1. Sign in to the administration portal for your Keycloak instance at <https://keycloak.example.com/auth/admin/master/console> + +You may note that a separate realm is specified throughout this tutorial. It is best practice not to use the master realm, as it normally contains the realm-management client that federates access using the policies and permissions you can create. + +2. Navigate to the client management page at `https://keycloak.example.com/auth/admin/master/console/#/realms/your-realm/clients` (admin permissions required) +3. Click **Create** to create a new client and fill out the registration form. You should set the Root URL to the fully qualified public URL of your HedgeDoc instance. +4. Click **Save** +5. Set the **Access Type** of the client to `confidential`. This will make your client require a client secret upon authentication. + +--- + +### Additional steps to circumvent generic OAuth2 issue + +1. Select Client Scopes from the sidebar, and begin to create a new client scope using the Create button. +2. Ensure that the **Name** field is set to `id`. +3. Create a new mapper under the Mappers tab. This should reference the User Property `id`. `Claim JSON Type` should be String and all switches below should be enabled. Save the mapper. +4. Go to the client you set up in the previous steps using the Clients page, then choose the Client Scopes tab. Apply the scope you've created. This should mitigate errors as seen in [hedgedoc/hedgedoc#56](https://github.com/hedgedoc/hedgedoc/issues/56), as the `/userinfo` endpoint should now bring back the user's ID under the `id` key as well as `sub`. + +--- + +5. In the `docker-compose.yml` add the following environment variables to `app:` `environment:` + +```Dockerfile +CMD_OAUTH2_USER_PROFILE_URL=https://keycloak.example.com/auth/realms/your-realm/protocol/openid-connect/userinfo +CMD_OAUTH2_USER_PROFILE_USERNAME_ATTR=preferred_username +CMD_OAUTH2_USER_PROFILE_DISPLAY_NAME_ATTR=name +CMD_OAUTH2_USER_PROFILE_EMAIL_ATTR=email +CMD_OAUTH2_TOKEN_URL=https://keycloak.example.com/auth/realms/your-realm/protocol/openid-connect/token +CMD_OAUTH2_AUTHORIZATION_URL=https://keycloak.example.com/auth/realms/your-realm/protocol/openid-connect/auth +CMD_OAUTH2_CLIENT_ID=<your client ID> +CMD_OAUTH2_CLIENT_SECRET=<your client secret, which you can find under the Credentials tab for your client> +CMD_OAUTH2_PROVIDERNAME=Keycloak +CMD_DOMAIN=<hedgedoc.example.com> +CMD_PROTOCOL_USESSL=true +CMD_URL_ADDPORT=false +``` + +6. Run `docker-compose up -d` to apply your settings. +7. Sign in to your HedgeDoc using your Keycloak ID diff --git a/docs/content/guides/auth/ldap-ad.md b/docs/content/guides/auth/ldap-ad.md new file mode 100644 index 00000000..b7d0284e --- /dev/null +++ b/docs/content/guides/auth/ldap-ad.md @@ -0,0 +1,38 @@ +# AD LDAP auth + +To setup your HedgeDoc instance with Active Directory you need the following configs: + +```env +CMD_LDAP_URL=ldap://internal.example.com +CMD_LDAP_BINDDN=cn=binduser,cn=Users,dc=internal,dc=example,dc=com +CMD_LDAP_BINDCREDENTIALS=<super secret password> +CMD_LDAP_SEARCHBASE=dc=internal,dc=example,dc=com +CMD_LDAP_SEARCHFILTER=(&(objectcategory=person)(objectclass=user)(|(sAMAccountName={{username}})(mail={{username}}))) +CMD_LDAP_USERIDFIELD=sAMAccountName +CMD_LDAP_PROVIDERNAME=Example Inc AD +``` + +`CMD_LDAP_BINDDN` is either the `distinguishedName` or the `userPrincipalName`. *This can cause "username/password is invalid" when either this value or the password from `CMD_LDAP_BINDCREDENTIALS` are incorrect.* + +`CMD_LDAP_SEARCHFILTER` matches on all users and uses either the email address or the `sAMAccountName` (usually the login name you also use to login to Windows). + +*Only using `sAMAccountName` looks like this:* `(&(objectcategory=person)(objectclass=user)(sAMAccountName={{username}}))` + +`CMD_LDAP_USERIDFIELD` says we want to use `sAMAccountName` as unique identifier for the account itself. + +`CMD_LDAP_PROVIDERNAME` just the name written above the username and password field on the login page. + +Same in json: + +```json +"ldap": { + "url": "ldap://internal.example.com", + "bindDn": "cn=binduser,cn=Users,dc=internal,dc=example,dc=com", + "bindCredentials": "<super secret password>", + "searchBase": "dc=internal,dc=example,dc=com", + "searchFilter": "(&(objectcategory=person)(objectclass=user)(|(sAMAccountName={{username}})(mail={{username}})))", + "useridField": "sAMAccountName", +}, +``` + +More details and example: <https://www.npmjs.com/package/passport-ldapauth> diff --git a/docs/content/guides/auth/mattermost-self-hosted.md b/docs/content/guides/auth/mattermost-self-hosted.md new file mode 100644 index 00000000..2ad2afd7 --- /dev/null +++ b/docs/content/guides/auth/mattermost-self-hosted.md @@ -0,0 +1,56 @@ +# Authentication guide - Mattermost (self-hosted) + +**Note:** *The Mattermost setup portion of this document is just a quick guide. See the [official documentation](https://docs.mattermost.com/developer/oauth-2-0-applications.html) for more details.* + +This guide uses the generic OAuth2 module for compatibility with Mattermost version 5.0 and above. + +1. Sign-in with an administrator account to your Mattermost instance + +2. Make sure **OAuth 2.0 Service Provider** is enabled in the Main Menu (menu button next to your username in the top left corner) --> System Console --> Custom Integrations menu, which you can find at `https://your.mattermost.domain/admin_console/integrations/custom` +  + +3. Navigate to the OAuth integration settings through Main Menu --> Integrations --> OAuth 2.0 Applications, at `https://your.mattermost.domain/yourteam/integrations/oauth2-apps` + +4. Click on the **Add OAuth 2.0 Application** button to add a new OAuth application +  + +5. Fill out the form and click **Save** +  + +*Note: The callback URL is \<your-hedgedoc-url\>/auth/oauth2/callback* + +6. After saving the application, you'll receive the Client ID and Client Secret +  + +7. Add the Client ID and Client Secret to your config.json file or pass them as environment variables + - `config.json`: + ```javascript + { + "production": { + "oauth2": { + "baseURL": "https://your.mattermost.domain", + "userProfileURL": "https://your.mattermost.domain/api/v4/users/me", + "userProfileUsernameAttr": "id", + "userProfileDisplayNameAttr": "username", + "userProfileEmailAttr": "email", + "tokenURL": "https://your.mattermost.domain/oauth/access_token", + "authorizationURL": "https://your.mattermost.domain/oauth/authorize", + "clientID": "ii4p1u3jz7dXXXXXXXXXXXXXXX", + "clientSecret": "mqzzx6fydbXXXXXXXXXXXXXXXX" + } + } + } + ``` + + - environment variables: + ```sh + CMD_OAUTH2_BASEURL=https://your.mattermost.domain + CMD_OAUTH2_USER_PROFILE_URL=https://your.mattermost.domain/api/v4/users/me + CMD_OAUTH2_USER_PROFILE_USERNAME_ATTR=id + CMD_OAUTH2_USER_PROFILE_DISPLAY_NAME_ATTR=username + CMD_OAUTH2_USER_PROFILE_EMAIL_ATTR=email + CMD_OAUTH2_TOKEN_URL=https://your.mattermost.domain/oauth/access_token + CMD_OAUTH2_AUTHORIZATION_URL=https://your.mattermost.domain/oauth/authorize + CMD_OAUTH2_CLIENT_ID=ii4p1u3jz7dXXXXXXXXXXXXXXX + CMD_OAUTH2_CLIENT_SECRET=mqzzx6fydbXXXXXXXXXXXXXXXX + ``` diff --git a/docs/content/guides/auth/nextcloud.md b/docs/content/guides/auth/nextcloud.md new file mode 100644 index 00000000..e0eb28d1 --- /dev/null +++ b/docs/content/guides/auth/nextcloud.md @@ -0,0 +1,52 @@ +# Authentication guide - Nextcloud (self-hosted) + +*This has been constructed using the [Nextcloud OAuth2 Documentation](https://docs.nextcloud.com/server/14/admin_manual/configuration_server/oauth2.html?highlight=oauth2) combined with [this issue comment on the nextcloud bugtracker](https://github.com/nextcloud/server/issues/5694#issuecomment-314761326).* + +This guide uses the generic OAuth2 module for compatibility with Nextcloud 13 and above (this guide has been tested successfully with Nextcloud 14). + +1. Sign-in with an administrator account to your Nextcloud server + +2. Navigate to the OAuth integration settings: Profile Icon (top right) --> Settings + Then choose Security Settings from the *Administration* part of the list - Don't confuse this with Personal Security Settings, where you would change your personal password! + At the top there's OAuth 2.0-Clients. +  + +3. Add your HedgeDoc instance by giving it a *name* (perhaps HedgeDoc, but could be anything) and a *Redirection-URI*. The Redirection-URI will be `\<your-hedgedoc-url\>/auth/oauth2/callback`. Click <kbd>Add</kbd>. +  + + +4. You'll now see a line containing a *client identifier* and a *Secret*. +  + +5. That's it for Nextcloud, the rest is configured in your HedgeDoc `config.json` or via the `CMD_` environment variables! + +6. Add the Client ID and Client Secret to your `config.json` file or pass them as environment variables. Make sure you also replace `<your-nextcloud-domain>` with the right domain name. + - `config.json`: + ```javascript + { + "production": { + "oauth2": { + "clientID": "ii4p1u3jz7dXXXXXXXXXXXXXXX", + "clientSecret": "mqzzx6fydbXXXXXXXXXXXXXXXX", + "authorizationURL": "https://<your-nextcloud-domain>/apps/oauth2/authorize", + "tokenURL": "https://<your-nextcloud-domain>/apps/oauth2/api/v1/token", + "userProfileURL": "https://<your-nextcloud-domain>/ocs/v2.php/cloud/user?format=json", + "userProfileUsernameAttr": "ocs.data.id", + "userProfileDisplayNameAttr": "ocs.data.display-name", + "userProfileEmailAttr": "ocs.data.email" + } + } + } + ``` + + - environment variables: + ```sh + CMD_OAUTH2_CLIENT_ID=ii4p1u3jz7dXXXXXXXXXXXXXXX + CMD_OAUTH2_CLIENT_SECRET=mqzzx6fydbXXXXXXXXXXXXXXXX + CMD_OAUTH2_AUTHORIZATION_URL=https://<your-nextcloud-domain>/apps/oauth2/authorize + CMD_OAUTH2_TOKEN_URL=https://<your-nextcloud-domain>/apps/oauth2/api/v1/token + CMD_OAUTH2_USER_PROFILE_URL=https://<your-nextcloud-domain>/ocs/v2.php/cloud/user?format=json + CMD_OAUTH2_USER_PROFILE_USERNAME_ATTR=ocs.data.id + CMD_OAUTH2_USER_PROFILE_DISPLAY_NAME_ATTR=ocs.data.display-name + CMD_OAUTH2_USER_PROFILE_EMAIL_ATTR=ocs.data.email + ``` diff --git a/docs/content/guides/auth/oauth.md b/docs/content/guides/auth/oauth.md new file mode 100644 index 00000000..de2ca20a --- /dev/null +++ b/docs/content/guides/auth/oauth.md @@ -0,0 +1,12 @@ +# OAuth general information + +| service | callback URL (after the server URL) | +| ---------- | ----------------------------------- | +| facebook | `/auth/facebook/callback` | +| twitter | `/auth/twitter/callback` | +| github | `/auth/github/callback` | +| gitlab | `/auth/gitlab/callback` | +| mattermost | `/auth/mattermost/callback` | +| dropbox | `/auth/dropbox/callback` | +| google | `/auth/google/callback` | +| saml | `/auth/saml/callback` | diff --git a/docs/content/guides/auth/saml-keycloak.md b/docs/content/guides/auth/saml-keycloak.md new file mode 100644 index 00000000..1bc3b363 --- /dev/null +++ b/docs/content/guides/auth/saml-keycloak.md @@ -0,0 +1,113 @@ +# How to setup HedgeDoc SAML with Keycloak +## Configuring Keycloak +### Get the public certificate +1. Select the Realm you want to use for your HedgeDoc SAML +2. Select "Realm Settings" in left sidebar +3. Select the "Keys" tab +4. Click the button "Certificate" at `RS256` algorithm + +5. Copy this key and save it to the file specified in `saml.idpCert` property of the HedgeDoc configuration or `CMD_SAML_IDPCERT` environment variable + +### Create a new client +1. Select "Client" in left sidebar + +2. Click on the "Create" button +3. Set a Client ID and specify this in `saml.issuer` property of the HedgeDoc configuration or `CMD_SAML_ISSUER` environment variable +4. Select `SAML` as Client Protocol +5. Set Client SAML Endpoint to `https://hedgedoc.example.com/auth/saml` (replace `https://hedgedoc.example.com` with the base URL of your HedgeDoc installation) + +6. Leave "Client Signature Required" enabled +7. Set Root URL to `https://hedgedoc.example.com` (replace it here also with the base URL of your HedgeDoc installation) +8. Set Valid Redirect URIs to `https://hedgedoc.example.com/auth/saml/callback` (you should also define all other domains of your HedgeDoc installtion with the suffix `/auth/saml/callback`) +9. Set Base URL to `/` + +10. _(optional)_ You can set which Name ID Format should be used + +## Configure HedgeDoc +### Config file +You have to put the following block inside your `config.json`: +```json +"saml": { + "issuer": "hedgedoc", // Change to the "Client ID" specified in the Keycloak Client + "identifierFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified", + "idpSsoUrl": "https://keycloak.example.org/auth/realms/test/protocol/saml", // replace keycloak.example.org with the url of your keycloak server + "idpCert": "/path/to/the/cert.pem", + "clientCert": "/path/to/the/key.pem" // this one is optional, see below +} +``` + +### Environment Variables +- `CMD_SAML_IDPSSOURL`: `https://keycloak.example.org/auth/realms/test/protocol/saml` (replace keycloak.example.org with the url of your keycloak server) +- `CMD_SAML_IDPCERT`: `/path/to/the/cert.pem` +- *(optional, see below)* `CMD_SAML_CLIENTCERT`: `/path/to/the/key.pem` +- `CMD_SAML_ISSUER`: `hedgedoc` (Change to the "Client ID" specified in the Keycloak Client) +- `CMD_SAML_IDENTIFIERFORMAT`: `urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified` + + +## Client certificate *(optional)* +If you want keycloak to be able to verify HedgeDoc, you hava to create a client certificate. There are two options for this: + +### Create Private Keys for Signing +1. Generate the private key and certificate with the following commands: +```shell +openssl genrsa -out priv.pem 2048 +openssl req -new -x509 -key priv.pem -out cert.pem +``` +*execute the following steps in keycloak* + +2. Select "Client" in left sidebar +3. Go to your HedgeDoc-Client +4. Select the "SAML Keys" tab + +5. Click on "Import" +6. Select `Certificate PEM` as "Archive Format" +7. Now upload the generated cert.pem (in this case named `cert.pem`) + +8. Click on "Import" +9. Move or copy this key (in this case named `key.pem`) and save it to the file specified in `saml.clientCert` property of the HedgeDoc configuration or in the enviroment-variable `CMD_SAML_CLIENTCERT` + + +### Convert Private Certificate generated by KeyCloak +Instead if generating you own certificate, you can also use the one generated by keycloak. + +1. Select "Client" in left sidebar +2. Go to your HedgeDoc-Client +3. Select the "SAML Keys" tab + + +5. Now click on "Export" +6. Here you can select the output format, choose `PKCS12`. You also have to set a password. Choose your own. + +6. Click on "Download" and save the file somewhere on you computer +7. You now have to extract the private Key. You can do this with the following command. WHen asked, enter your password. +```shell +openssl pkcs12 -in keystore.p12 -out key.pem -nocerts -nodes +``` +8. Move or copy this key (in this case named `key.pem`) and save it to the file specified in `saml.idpCert` property of the HedgeDoc configuration or in the enviroment-variable `CMD_SAML_CLIENTCERT` + +## Use Persistent Identifiers +Instead of using the username as the owner-key in the HedgeDoc database, you can also use a persistent identifier. This allows to change the username, without them loosing access to their notes. + +1. Go to the HedgeDoc-Client in keycloak. Now enable the option "Force Name ID Format" and select "persistent" as the "Name ID Format". + +2. For HedgeDoc to be able to use the username and email configured in keycloak, you have to create the following SAML protocol mappers: + 2.1. Create a mapper with the type `User Property`. Set the Name, Property and SAML Attribute Name to `username`. Now you can specify a friendly name (for example `Username`) + + 2.2 Create a mapper with the type `User Property`. Set the Name, Property and SAML Attribute Name to `email`. Now you can specify a friendly name (for example `E-Mail`) + + +The configured mappers should look like this: + + +3. You now have to add the following block to the saml-definition inside your `config.json`: +```json +"attribute": { + "username": "username" + "email": "email", +} +``` +It you configure HedgeDoc with enviroment variables, these are the ones you have to set: +```bash +CMD_SAML_ATTRIBUTE_USERNAME=username +CMD_SAML_ATTRIBUTE_EMAIL=email +``` diff --git a/docs/content/guides/auth/saml-onelogin.md b/docs/content/guides/auth/saml-onelogin.md new file mode 100644 index 00000000..8b897c82 --- /dev/null +++ b/docs/content/guides/auth/saml-onelogin.md @@ -0,0 +1,55 @@ +# Authentication guide - SAML (OneLogin) + +**Note:** *This guide was written before the renaming. Just replace `HackMD` with `HedgeDoc` in your mind :smile: thanks!* + +1. Sign-in or sign-up for an OneLogin account. (available free trial for 2 weeks) + +2. Go to the administration page. + +3. Select the **APPS** menu and click on the **Add Apps**. +  + +4. Find "SAML Test Connector (SP)" for template of settings and select it. +  + +5. Edit display name and icons for OneLogin dashboard as you want, and click **SAVE**. +  + +6. After that other tabs will appear, click the **Configuration**, and fill out the below items, and click **SAVE**. + - RelayState: The base URL of your HedgeDoc, which is issuer. (last slash is not needed) + + - ACS (Consumer) URL Validator: The callback URL of your HedgeDoc. (serverurl + /auth/saml/callback) + + - ACS (Consumer) URL: same as above. + + - Login URL: login URL(SAML requester) of your CopiMD. (serverurl + /auth/saml) +  + +7. The registration is completed. Next, click **SSO** and copy or download the items below. + - X.509 Certificate: Click **View Details** and **DOWNLOAD** or copy the content of certificate ....(A) + + - SAML 2.0 Endpoint (HTTP): Copy the URL ....(B) +  + +8. In your HedgeDoc server, create IdP certificate file from (A) +9. Add the IdP URL (B) and the Idp certificate file path to your config.json file or pass them as environment variables. + - `config.json`: + ```javascript + { + "production": { + "saml": { + "idpSsoUrl": "https://*******.onelogin.com/trust/saml2/http-post/sso/******", + "idpCert": "/path/to/idp_cert.pem" + } + } + } + ``` + + - environment variables + ```sh + CMD_SAML_IDPSSOURL=https://*******.onelogin.com/trust/saml2/http-post/sso/****** + CMD_SAML_IDPCERT=/path/to/idp_cert.pem + ``` + +10. Try sign-in with SAML from your HedgeDoc sign-in button or OneLogin dashboard (like the screenshot below). +  diff --git a/docs/content/guides/auth/saml.md b/docs/content/guides/auth/saml.md new file mode 100644 index 00000000..58a2ae45 --- /dev/null +++ b/docs/content/guides/auth/saml.md @@ -0,0 +1,97 @@ +# Authentication guide - SAML + +*Note:* This guide was written before the renaming. Just replace `HackMD` with `HedgeDoc` in your mind :smile: thanks! + +The basic procedure is the same as the case of OneLogin which is mentioned in [OneLogin-Guide](./saml-onelogin.md). If you want to match your IdP, you can use more configurations as below. + +- If your IdP accepts metadata XML of the service provider to ease configuration, use this url to download metadata XML. + - {{your-serverurl}}/auth/saml/metadata + - *Note:* If not accessible from IdP, download to local once and upload to IdP. + +- Change the value of `issuer`, `identifierFormat` to match your IdP. + - `issuer`: A unique id to identify the application to the IdP, which is the base URL of your HedgeDoc as default + + - `identifierFormat`: A format of unique id to identify the user of IdP, which is the format based on email address as default. It is recommend that you use as below. + - urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress (default) + - urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified + + - `config.json`: + ```javascript + { + "production": { + "saml": { + /* omitted */ + "issuer": "myhedgedoc" + "identifierFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" + } + } + } + ``` + + - environment variables + ```env + CMD_SAML_ISSUER=myhedgedoc + CMD_SAML_IDENTIFIERFORMAT=urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified + ``` + +- Change mapping of attribute names to customize the displaying user name and email address to match your IdP. + - `attribute`: A dictionary to map attribute names + + - `attribute.id`: A primary key of user table for your HedgeDoc + + - `attribute.username`: Attribute name of displaying user name on HedgeDoc + + - `attribute.email`: Attribute name of email address, which will be also used for Gravatar + - *Note:* Default value of all attributes is NameID of SAML response, which is email address if `identifierFormat` is default. + + - `config.json`: + ```javascript + { + "production": { + "saml": { + /* omitted */ + "attribute": { + "id": "sAMAccountName", + "username": "displayName", + "email": "mail" + } + } + } + } + ``` + + - environment variables + ```sh + CMD_SAML_ATTRIBUTE_ID=sAMAccountName + CMD_SAML_ATTRIBUTE_USERNAME=nickName + CMD_SAML_ATTRIBUTE_EMAIL=mail + ``` + +- If you want to control permission by group membership, add group attribute name and required group (allowed) or external group (not allowed). + - `groupAttribute`: An attribute name of group membership + + - `requiredGroups`: Group names array for allowed access to HedgeDoc. Use vertical bar to separate for environment variables. + + - `externalGroups`: Group names array for not allowed access to HedgeDoc. Use vertical bar to separate for environment variables. + - *Note:* Evaluates `externalGroups` first + + - `config.json`: + ```javascript + { + "production": { + "saml": { + /* omitted */ + "groupAttribute": "memberOf", + "requiredGroups": [ "hedgedoc-users", "board-members" ], + "externalGroups": [ "temporary-staff" ] + } + } + } + ``` + + - environment variables + ```sh + CMD_SAML_GROUPATTRIBUTE=memberOf + CMD_SAML_REQUIREDGROUPS=hedgedoc-users|board-members + CMD_SAML_EXTERNALGROUPS=temporary-staff + ``` diff --git a/docs/content/guides/auth/twitter.md b/docs/content/guides/auth/twitter.md new file mode 100644 index 00000000..cbb8c865 --- /dev/null +++ b/docs/content/guides/auth/twitter.md @@ -0,0 +1,42 @@ +# Authentication guide - Twitter + +*Note:* This guide was written before the renaming. Just replace `HackMD` with `HedgeDoc` in your mind :smile: thanks! + +1. Sign-in or sign-up for a Twitter account + +2. Go to the Twitter Application management page [here](https://apps.twitter.com/) + +3. Click on the **Create New App** button to create a new Twitter app: +  + +4. Fill out the create application form, check the developer agreement box, and click **Create Your Twitter Application** +  + + *Note:* you may have to register your phone number with Twitter to create a Twitter application + + To do this Click your profile icon --> Settings and privacy --> Mobile --> Select Country/region --> Enter phone number --> Click Continue + +5. After you receive confirmation that the Twitter application was created, click **Keys and Access Tokens** +  + +6. Obtain your Twitter Consumer Key and Consumer Secret +  + +7. Add your Consumer Key and Consumer Secret to your `config.json` file or pass them as environment variables: + - `config.json`: + ```javascript + { + "production": { + "twitter": { + "consumerKey": "esTCJFXXXXXXXXXXXXXXXXXXX", + "consumerSecret": "zpCs4tU86pRVXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX" + } + } + } + ``` + + - environment variables: + ```sh + CMD_TWITTER_CONSUMERKEY=esTCJFXXXXXXXXXXXXXXXXXXX + CMD_TWITTER_CONSUMERSECRET=zpCs4tU86pRVXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX + ``` |