That would be nice if you could document this setup. We could publish it on the medium blog / help pages.
Sure. I was mistaken when I said “reverse proxy”, I was thinking of a different application. For passbolt, I just configured mod_auth_openidc
on the Apache server where passbolt itself was running under mod_php
.
For GSuite, add to the config (either globally or within a vhost):
OIDCProviderMetadataURL https://accounts.google.com/.well-known/openid-configuration
OIDCClientID XXXXXX.apps.googleusercontent.com
OIDCClientSecret XXXXXXX
OIDCRedirectURI https://passbolt.example.com/oauth2callback
OIDCCryptoPassphrase XXXXXXXRANDOMXXXXXXX
OIDCScope "openid email"
OIDCSessionInactivityTimeout 3600
<Location />
AuthType openid-connect
Require claim hd:example.com
</Location>
To get the client ID and secret: in the Google API console https://console.developers.google.com/ create a new project, then create credentials for “OAuth client ID”. This requires creating a “consent screen”, followed by application type (Web application), with this authorised origin(s):
and redirect URI(s)
after which you’ll get the client ID and secret.
Something similar is possible with Office365: the config below is based on something I set up a year ago but is not recently tested by me.
OIDCProviderMetadataURL https://login.microsoftonline.com/<tenant-UUID>/v2.0/.well-known/openid-configuration
OIDCClientID XXXXXXXX
OIDCClientSecret XXXXXXXX
OIDCRedirectURI https://passbolt.example.com/redirect_uri
OIDCCryptoPassphrase XXXXXXXRANDOMXXXXXXX
OIDCCookiePath /
#OIDCSessionMaxDuration 28800
#OIDCSessionInactivityTimeout 300
OIDCResponseType id_token
OIDCResponseMode form_post
OIDCScope "openid email profile"
# Note: as at 21/10/2016, the "email" claim doesn't work.
# However we do get OIDC_CLAIM_preferred_username=user@example.com
# It is possible that email will start to work soon:
# https://azure.microsoft.com/en-us/documentation/articles/active-directory-v2-preview-oidc-changes/
<Location "/">
AuthType openid-connect
Require valid-user
</Location>
Being Microsoft, they have two separate and incompatible ways of doing it:
There was some other subtle difference between registering the app in those two places, which I can’t remember off-hand.
Finally, for Salesforce:
OIDCProviderMetadataURL https://eu1.salesforce.com/.well-known/openid-configuration
OIDCClientID <consumer-key>
OIDCClientSecret <consumer-secret>
OIDCCryptoPassphrase <any-long-random-string>
OIDCRedirectURI https://passbolt.example.com/redirect_uri
OIDCCookiePath /
OIDCSessionInactivityTimeout 3600
OIDCResponseType code
OIDCProviderTokenEndpointAuth client_secret_post
OIDCScope "openid email"
<Location "/">
AuthType openid-connect
Require claim organization_id:00Dxxxxxxxxxxxxxxx
</Location>
The Salesforce setup instructions are at Create a Connected App for ScreenSteps in Salesforce | Salesforce and ScreenSteps | ScreenSteps
Setup > Create > Apps > Connected Apps [lower down the page] > New
- Connected App Name: [any name]
- API Name: [name - spaces not allowed]
- Contact Email: [your email]
- Enable OAuth settings:
[X]
checked
- Callback URL: https://passbolt.example.com/redirect_uri
- Selected OAuth Scopes: “Access your basic information (id, profile, email, address, phone)” and “Allow access to your unique identifier (openid)”.
- Start URL: https://passbolt.example.com/
All examples above are intended to limit you to just accounts within a particular domain: in GSuite and Salesforce explicitly by checking the “hd” or “organization_id” claims, and in Office365 implicitly by using a particular directory “tenant”. But I strongly suggest you verify for yourself that you’re not letting in other GMail / Office365 / Salesforce accounts.