add compose.oauth.yml file

.drone.yml

@@ -22,6 +22,7 @@ steps:
       SECRET_SECRET_COOKIE_TOKEN_VERSION: v1
       SECRET_DB_PASSWORD_VERSION: v1
       SECRET_SMTP_PASSWORD_VERSION: v1
+      SECRET_OAUTH_APP_SECRET_VERSION: v1
 trigger:
   branch:
     - main

.env.sample

@@ -92,16 +92,14 @@ SECRET_DB_PASSWORD_VERSION=v1
 # THEME_TEXT_ON_ACCENT_COLOR=rgb(255,255,255)
 
 # env variables needed to enable OAuth2 authentication  
+# COMPOSE_FILE="$COMPOSE_FILE:compose.oauth.yml"
 # OAUTH_AUTH_URL=
 # OAUTH_TOKEN_URL=
 # OAUTH_PROFILE_URL=
 # OAUTH_SCOPE=
 # OAUTH_APP_KEY=
-
-# This is not a good practice, app secret should passed in via docker secret once support is added (https://github.com/loomio/loomio/issues/11671)
-# Remove this variable before publishing code to any shared repo!   
-# OAUTH_APP_SECRET= 
 # OAUTH_ATTR_UID=
 # OAUTH_ATTR_NAME=
 # OAUTH_ATTR_EMAIL=
 # OAUTH_LOGIN_PROVIDER_NAME=
+# SECRET_OAUTH_APP_SECRET_VERSION=v1

compose.oauth.yml

@@ -0,0 +1,25 @@
+version: "3.8"
+
+x-oauth-env: &oauth-env
+  OAUTH_AUTH_URL:
+  OAUTH_TOKEN_URL:
+  OAUTH_PROFILE_URL:
+  OAUTH_SCOPE:
+  OAUTH_APP_KEY:
+  OAUTH_APP_SECRET_FILE: /run/secrets/oauth_app_secret
+  OAUTH_ATTR_UID:
+  OAUTH_ATTR_NAME:
+  OAUTH_ATTR_EMAIL:
+  OAUTH_LOGIN_PROVIDER_NAME:
+
+services:
+  app:
+    environment: 
+      *oauth-env
+    secrets:
+      - oauth_app_secret
+
+secrets:
+  oauth_app_secret:
+    name: ${STACK_NAME}_oauth_app_secret_${SECRET_OAUTH_APP_SECRET_VERSION}
+    external: true

compose.yml

@@ -29,16 +29,6 @@ x-environment: &default-env
   SAML_IDP_METADATA_URL:
   SAML_ISSUER:
   FEATURES_DISABLE_EMAIL_LOGIN:
-  OAUTH_AUTH_URL:
-  OAUTH_TOKEN_URL:
-  OAUTH_PROFILE_URL:
-  OAUTH_SCOPE:
-  OAUTH_APP_KEY:
-  OAUTH_APP_SECRET:
-  OAUTH_ATTR_UID:
-  OAUTH_ATTR_NAME:
-  OAUTH_ATTR_EMAIL:
-  OAUTH_LOGIN_PROVIDER_NAME:
 
 services:
   app:

entrypoint.sh

@@ -25,6 +25,7 @@ file_env "DEVISE_SECRET"
 file_env "SECRET_COOKIE_TOKEN"
 file_env "POSTGRES_PASSWORD"
 file_env "SMTP_PASSWORD"
+file_env "OAUTH_APP_SECRET"
 export DB_HOST="db"
 export DATABASE_URL="postgresql://${POSTGRES_USER}:${POSTGRES_PASSWORD}@db/${POSTGRES_DB}"
 

release/5.1.0+v3.0.0

@@ -0,0 +1,2 @@
+Add support for OAuth2. To use this feature copy and populate the new oauth2 env variables from the .env.sample to your locale .env config and insert the oauth2_app_secret secret into your recipe:
+abra app secret insert <domain> oauth_app_secret v1 <your oauth2 client secret>