Merge pull request 'authentik-support' (#3) from authentik-support into main

Reviewed-on: #3 Reviewed-by: yksflip <flip@yksflip.de>
2025-05-09 20:31:54 +00:00 · 2025-05-09 20:31:54 +00:00 · 58115d9628
commit 58115d9628
parent 35767ce472 603b233823
7 changed files with 107 additions and 7 deletions
--- a/.env.sample
+++ b/.env.sample
@ -1,6 +1,6 @@
 TYPE=civicrm-wordpress

-DOMAIN=civicrm.example.com
+DOMAIN=civicrm-wordpress.example.com

 ## Domain aliases
 #EXTRA_DOMAINS=', `www.civicrm.example.com`'
@ -37,3 +37,20 @@ SECRET_CIVICRM_SITE_KEY_VERSION=v1 # length=16
 SECRET_CIVICRM_CRED_KEY_VERSION=v1 # length=43
 SECRET_CIVICRM_SIGN_KEY_VERSION=v1 # length=43
 SECRET_WORDPRESS_ADMIN_PASSWORD_VERSION=v1
+
+## -- OpenId Connect --
+
+#COMPOSE_FILE="compose.yml:compose.openidconnect.yml"
+#OPEN_ID_CLIENT_ID=
+#SECRET_OPEN_ID_CLIENT_SECRET_VERSION=v1
+
+# If you are using authentik, just set this
+#AUTHENTIK_DOMAIN=authentik.company
+
+# Otherwise, you must set all of these
+#OPEN_ID_PROVIDER_LOGIN_URL=https://authentik.company/application/o/authorize/
+#OPEN_ID_USERINFO_URL=https://authentik.company/application/o/userinfo/
+#OPEN_ID_TOKEN_ENDPOINT_URL=https://authentik.company/application/o/token/
+#OPEN_ID_END_SESSION_URL=https://authentik.company/application/o/wordpress/end-session/
+
+## -- OpenId Connect --
--- a/README.md
+++ b/README.md
@ -19,16 +19,19 @@
 * `abra app new civicrm-wordpress`
 * `abra app config <app-name>`

-Generate secrets (be sure to save them):
-* `abra app secret g <app-name> db_root_password v1`
-* `abra app secret g <app-name> db_password v1`
-* `abra app secret g <app-name> civicrm_site_key v1`
-* `abra app secret g <app-name> civicrm_cred_key v1`
-* `abra app secret g <app-name> civicrm_sign_key v1`
+Authentik integration:
+* When configuring, uncomment `COMPOSE_FILE`, `OPEN_ID_CLIENT_ID`, `SECRET_OPEN_ID_CLIENT_SECRET_VERSION`, and `AUTHENTIK_DOMAIN`
+* To configure your Authentik deployment, follow the guide at [`docs.goauthentik.io/integrations/services/wordpress`](https://docs.goauthentik.io/integrations/services/wordpress/).
+* NOTE: at the time of writing the Authentik integration guide incorrectly says to set the redirect URI to `https://wp.company/admin-ajax.php?action=openid-connect-authorize` when it should be `https://wp.company/wp-admin/admin-ajax.php?action=openid-connect-authorize`
+* If using a different OpenID provider, leave `AUTHENTIK_DOMAIN` commented and uncomment the other OpenID configuration options

 Insert secrets:
 * `abra app secret i <app-name> wordpress_admin_password v1 '<temp account password>'`
 * `abra app secret i <app-name> smtp_password v1 '<smtp password>'`
+* (Authentik) `abra app secret i <app-name> openid_client_secret v1 <openid client secret>`
+
+Generate secrets (be sure to save them):
+* `abra app secret g -a <app-name>`

 Deploy app:
 * `abra app deploy <app-name>`
--- a/abra.sh
+++ b/abra.sh
@ -31,6 +31,7 @@ file_env "SMTP_PASSWORD"
 export APACHE_SITES_AVAILABLE_CONF_VERSION=v1
 export CIVICRM_SETTINGS_PHP_VERSION=v1
 export ENTRYPOINT_VERSION=v1
+export OPENID_SETTINGS_VERSION=v1

 change_password(){
    echo "Changing password for $1"
--- a/compose.openidconnect.yml
+++ b/compose.openidconnect.yml
@ -0,0 +1,14 @@
+---
+version: "3.8"
+
+services:
+  app:
+    environment:
+      - OPEN_ID_CLIENT_SECRET_FILE=/run/secrets/openid_client_secret
+    secrets:
+      - openid_client_secret
+
+secrets:
+  openid_client_secret:
+    external: true
+    name: ${STACK_NAME}_openid_client_secret_${SECRET_OPEN_ID_CLIENT_SECRET_VERSION}
--- a/compose.yml
+++ b/compose.yml
@ -45,6 +45,8 @@ services:
        mode: 555
      - source: civicrm-settings-php
        target: /usr/local/etc/civicrm/civicrm.settings.php
+      - source: openid-settings
+        target: /usr/local/etc/civicrm/openid_settings.json
    entrypoint: /usr/local/bin/entrypoint.sh
    deploy:
      restart_policy:
@ -139,6 +141,10 @@ configs:
    name: ${STACK_NAME}_entrypoint_${ENTRYPOINT_VERSION}
    file: entrypoint.sh
    template_driver: golang
+  openid-settings:
+    name: ${STACK_NAME}_openid_settings_${OPENID_SETTINGS_VERSION}
+    file: openid_settings.json
+    template_driver: golang

 secrets:
  db_root_password:
--- a/entrypoint.sh
+++ b/entrypoint.sh
@ -29,6 +29,7 @@ file_env "CIVICRM_SITE_KEY"
 file_env "CIVICRM_CRED_KEYS"
 file_env "SMTP_PASSWORD"
 file_env "WORDPRESS_ADMIN_PASSWORD"
+file_env "OPEN_ID_CLIENT_SECRET"

 if  [[  "${1-default}" == "cron" ]]; then
  echo "============ Running cron job ============"
@ -88,6 +89,35 @@ pushd /var/www/html/wp-content/uploads/civicrm/
  fi
 popd

+if  [[ -n "${OPEN_ID_CLIENT_ID}" ]]; then
+  # install OpenID Connect Generic plugin
+  if ! su civicrm -c "wp plugin is-installed daggerhart-openid-connect-generic"; then
+    echo "============ Running OpenId Connect Install ============"
+    su civicrm -c "wp plugin install daggerhart-openid-connect-generic --activate"
+  fi
+
+  # if openid connect hasn't been configured, insert default settings
+  if ! su civicrm -c "wp option get openid_connect_generic_settings"; then
+    su civicrm -c "wp option add openid_connect_generic_settings --format=json < /usr/local/etc/civicrm/openid_settings.json"
+  fi
+
+  echo "============ Configuring OpenId Connect ============"
+  su civicrm -c "wp option patch update openid_connect_generic_settings client_id $OPEN_ID_CLIENT_ID"
+  su civicrm -c "wp option patch update openid_connect_generic_settings client_secret $OPEN_ID_CLIENT_SECRET"
+
+  if  [[ -n "${AUTHENTIK_DOMAIN}" ]]; then
+    su civicrm -c "wp option patch update openid_connect_generic_settings endpoint_login https://$AUTHENTIK_DOMAIN/application/o/authorize/"
+    su civicrm -c "wp option patch update openid_connect_generic_settings endpoint_userinfo https://$AUTHENTIK_DOMAIN/application/o/userinfo/"
+    su civicrm -c "wp option patch update openid_connect_generic_settings endpoint_token https://$AUTHENTIK_DOMAIN/application/o/token/"
+    su civicrm -c "wp option patch update openid_connect_generic_settings endpoint_end_session https://$AUTHENTIK_DOMAIN/application/o/wordpress/end-session/"
+  else
+    su civicrm -c "wp option patch update openid_connect_generic_settings endpoint_login $OPEN_ID_PROVIDER_LOGIN_URL"
+    su civicrm -c "wp option patch update openid_connect_generic_settings endpoint_userinfo $OPEN_ID_USERINFO_URL"
+    su civicrm -c "wp option patch update openid_connect_generic_settings endpoint_token $OPEN_ID_TOKEN_ENDPOINT_URL"
+    su civicrm -c "wp option patch update openid_connect_generic_settings endpoint_end_session $OPEN_ID_END_SESSION_URL"
+  fi
+fi
+
 echo "============ Setting up cron ============"
 printenv > /etc/environment
 apt update && apt install -y cron
--- a/openid_settings.json
+++ b/openid_settings.json
@ -0,0 +1,29 @@
+
+{
+    "login_type":"button",
+    "client_id":"",
+    "client_secret":"",
+    "scope":"email profile openid offline_access",
+    "endpoint_login":"",
+    "endpoint_userinfo":"",
+    "endpoint_token":"",
+    "endpoint_end_session":"",
+    "acr_values":"",
+    "identity_key":"preferred_username",
+    "no_sslverify":"0",
+    "http_request_timeout":"5",
+    "enforce_privacy":"0",
+    "alternate_redirect_uri":"0",
+    "nickname_key":"preferred_username",
+    "email_format":"{email}",
+    "displayname_format":"",
+    "identify_with_username":"0",
+    "state_time_limit":"180",
+    "token_refresh_enable":"1",
+    "link_existing_users":"0",
+    "create_if_does_not_exist":"1",
+    "redirect_user_back":"0",
+    "redirect_on_logout":"1",
+    "enable_logging":"0",
+    "log_limit":"1000"
+}