Support generic-openid provider (for Nextcloud)

2021-10-16 18:45:29 +02:00 · 2021-10-16 18:45:29 +02:00 · 1c7ed323f2
parent e924fd6a23
commit 1c7ed323f2
6 changed files with 65 additions and 12 deletions
--- a/.env.sample
+++ b/.env.sample
@ -6,8 +6,22 @@ LETS_ENCRYPT_ENV=production
 COOKIE_DOMAIN=example.com
 AUTH_HOST=auth.example.com

-OIDC_ISSUER_URL=https://id.example.com/auth/realms/yourrealm
-OIDC_CLIENT_ID=traefik-forward-auth
+SECRET_SECRET_NONCE_VERSION=v1

-SERCRET_NONCE_VERSION=v1
-OIDC_CLIENT_SECRET_VERSION=v1
+COMPOSE_FILE=compose.yml
+
+#COMPOSE_FILE=$COMPOSE_FILE:compose.oidc.yml
+#OIDC_ENABLED=1
+#OIDC_CLIENT_SECRET_VERSION=v1
+#OIDC_ISSUER_URL=https://id.example.com/auth/realms/yourrealm
+#OIDC_CLIENT_ID=traefik-forward-auth
+#SECRET_OIDC_CLIENT_SECRET_VERSION=v1
+
+#COMPOSE_FILE=$COMPOSE_FILE:compose.oauth.yml
+#OAUTH_ENABLED=1
+#OAUTH_CLIENT_SECRET_VERSION=v1
+#OAUTH_CLIENT_ID=traefik-forward-auth
+#OAUTH_USER_URL
+#OAUTH_TOKEN_URL
+#OAUTH_AUTH_URL
+#SECRET_OAUTH_CLIENT_SECRET_VERSION=v1
--- a/abra.sh
+++ b/abra.sh
@ -1 +1 @@
-export FORWARD_INI_VERSION=v1
+export FORWARD_INI_VERSION=v2
--- a/compose.oauth.yml
+++ b/compose.oauth.yml
@ -0,0 +1,18 @@
+---
+version: "3.8"
+
+services:
+  traefik-forward-auth:
+    environment:
+      - OAUTH_CLIENT_ID
+      - OAUTH_AUTH_URL
+      - OAUTH_TOKEN_URL
+      - OAUTH_USER_URL
+      - OAUTH_ENABLED
+    secrets:
+      - oauth_client_secret
+
+secrets:
+  oauth_client_secret:
+    name: ${STACK_NAME}_oauth_client_secret_${SECRET_OAUTH_CLIENT_SECRET_VERSION}
+    external: true
--- a/compose.oidc.yml
+++ b/compose.oidc.yml
@ -0,0 +1,16 @@
+---
+version: "3.8"
+
+services:
+  traefik-forward-auth:
+    environment:
+      - OIDC_CLIENT_ID
+      - OIDC_ISSUER_URL
+      - OIDC_ENABLED
+    secrets:
+      - oidc_client_secret
+
+secrets:
+  oidc_client_secret:
+    name: ${STACK_NAME}_oidc_client_secret_${OIDC_CLIENT_SECRET_VERSION}
+    external: true
--- a/compose.yml
+++ b/compose.yml
@ -11,12 +11,9 @@ services:
      - proxy
    environment:
      - CONFIG=/etc/forward.ini
-      - OIDC_CLIENT_ID=${OIDC_CLIENT_ID}
-      - OIDC_ISSUER_URL=${OIDC_ISSUER_URL}
      - COOKIE_DOMAIN=${COOKIE_DOMAIN}
      - AUTH_HOST=${AUTH_HOST}
    secrets:
-      - oidc_client_secret
      - secret_nonce
    deploy:
      labels:
@ -40,8 +37,5 @@ configs:

 secrets:
  secret_nonce:
-    name: ${STACK_NAME}_secret_nonce_${SERCRET_NONCE_VERSION}
-    external: true
-  oidc_client_secret:
-    name: ${STACK_NAME}_oidc_client_secret_${OIDC_CLIENT_SECRET_VERSION}
+    name: ${STACK_NAME}_secret_nonce_${SECRET_SECRET_NONCE_VERSION}
    external: true
--- a/forward.ini.tmpl
+++ b/forward.ini.tmpl
@ -3,7 +3,18 @@ log-level = info
 cookie-domain = {{ env "COOKIE_DOMAIN" }}
 auth-host = {{ env "AUTH_HOST" }}

+{{ if eq (env "OIDC_ENABLED") "1" }}
 default-provider = oidc
 providers.oidc.issuer-url = {{ env "OIDC_ISSUER_URL" }}
 providers.oidc.client-id = {{ env "OIDC_CLIENT_ID" }}
 providers.oidc.client-secret = {{ secret "oidc_client_secret" }}
+{{ end }}
+
+{{ if eq (env "OAUTH_ENABLED") "1" }}
+default-provider = generic-oauth
+providers.generic-oauth.client-id = {{ env "OAUTH_CLIENT_ID" }}
+providers.generic-oauth.auth-url = {{ env "OAUTH_AUTH_URL" }}
+providers.generic-oauth.token-url = {{ env "OAUTH_TOKEN_URL" }}
+providers.generic-oauth.user-url = {{ env "OAUTH_USER_URL" }}
+providers.generic-oauth.client-secret = {{ secret "oauth_client_secret" }}
+{{ end }}