The OAuth2 Schema implements authentication based on authentication via external OAuth2/OIDC services. The chain of trust is based on the Glewlwyd's administrator trusting the OAuth2/OIDC service to authenticate Glewlwyd's users. Therefore Glewlwyd's administrator must enter only trustable external providers. It is strongly suggested to test the providers authentication with your configuration before telling your users to do so.
In the administration page, go to Parameters/Authentication schemes and add a new scheme by clicking on the + button. In the modal, enter a name and a display name (the name must be unique among all authentication scheme instances), and a scheme session expiration in seconds.
Select the type OAuth2 in the Type drop-down button.
Below is the definition of all parameters.
Name (identifier) of the scheme, must be unique among all the scheme instances, even of a different type.
Name of the instance displayed to the user.
Number of seconds to expire a valid session.
Maximum number of times a valid authentication with this scheme is possible. This is an additional parameter used to enforce the security of the session and forbid to reuse this session for other authentications.
If this option is unchecked, only administrator can register this scheme for every user via the administration page.
Callback URI that will be used in the OAuth2/OIDC flow. This option is filled by default with what is supposed to be the expected redirect URI: https://<glewlwyd_url>/callback.html. If you know what you do, you can change this value.
Duration of the session for users to authenticate in the external provider, i.e. the maximum time they can spend between their click on the login with button and when they get redirected to callback.html with a valid authentication.
Providers used for external authentication in Glewlwyd. The administrator can add a mainstream provider or a personalized provider. If you choose a mainstream providers, some settings will be filled but you must fill at least client_id and client_secret (if necessary) with your own. You can choose a mainstream provider and then change its settings if you need. The mainstream provider list is here to facilitate the administrator's job but its settings may be obsolete or not fitted to your needs. mainstream provider settings are configurable in the config.json file.
By default, Glewlwyd comes with a list of mainstream providers such as Google, Facebook or Microsoft. If you think another mainstream provider should be present on this list, feel free to send a pull request.
Below is the list of settings for a provider.
Type of the provider. Supported types are OAuth2 or OIDC (OpenID Connect).
Name of the provider. Must be unique among the provider list. This value is mandatory.
URI of the provider logo, this will be used as a graphical identity in the profile or login page. The logo must be an small image (maximum 50x50).
The Logo URI has the highest priority. If you have both Logo URI and Logo Font-Awesome for a provider, the Logo URI will be used in the Profile or Login page.
Name of the Fork Awesome icon to be used as a graphical identity in the profile or login page. Glewlwyd uses Fork Awesome 1.1.7.
For example, if you want to add the following icon to your provider, you must enter the fa-* value specified in the HTML tag:
<i class="fa fa-debian"></i> => the logo value must be fa fa-debian.
The Logo URI has the highest priority. If you have both Logo URI and Logo Fork Awesome for a provider, the Logo URI will be used in the Profile or Login page.
Client identifier as given by the provider. This value is mandatory.
Client secret (password) given by the provider. This value is mandatory or optional depending on your provider's policy.
Scope to use with the provider authentication flow. This value is mandatory or optional depending on your provider's policy. If the provider type is OIDC, the scope value will be set to openid.
OAuth2 response type to use for the authentication flow. Response types supported are code (OAuth2/OIDC provider type), token (OAuth2 provider type) or id_token (OIDC provider type).
This is the name of the property that will contain the user identifier necessary to identify it during the authentication flow.
URL of the provider's OIDC config endpoint, i.e. https://provider.tld/.well-known/openid-configuration. This setting is available for OIDC providers only.
URL of the provider's auth endpoint. This setting is mandatory if the setting Config Endpoint is not set.
URL of the provider's token endpoint. This setting is mandatory if the setting Config Endpoint is not set and the response type used is code.
URL of the provider's endpoint to fetch the user's information. This setting is mandatory of the provider type is OAuth2.
Additional parameters to pass to the auth endpoint query string