wiki-security-passportjs/docs/config-oauth2.md

## Generic OAuth 2

### Login provider set-up

Like the other PassportJS login providers, we'll need a separate "OAuth2 Client"
(others call it an "app", a "product" etc.) for our Federated Wiki instance.

How to do this varies slightly for each provider.

### `config.json`

In general, you will need to specify:
* `oauth2_clientID` -- some systems generate this for you, others allow you to
    specify it
* `oauth2_clientSecret` -- secure key (keep this secret!)
* `oauth2_AuthorizationURL` and `oauth2_TokenURL` -- from your login provider's documentation

You will also need to specify a callback URL. For some providers, you can add
this when making a new "OAuth Client" for your wiki, for others you will need to
specify it with `oauth2_CallbackURL`.

You might also need to tell Federated Wiki how to look up usernames:
* `oauth2_UserInfoURL` -- from login provider's documentation
* `oauth2_IdField`, `oauth2_DisplayNameField`, `oauth2_UsernameField` -- starting with 
  * `params` for information returned in the original token request, or
  * `profile` for data returned from `oauth2_UserInfoURL`, if you provided it.

Sometimes, you'll be able to look up the URLs by visiting your provider's
`/.well-known/openid-configuration` URL in a web browser.

### Examples

#### Nextcloud

```JSON
{
  "farm": true,
  "security_type": "passportjs",
  "oauth2_clientID": "CLIENT ID",
  "oauth2_clientSecret": "CLIENT SECRET",
  "oauth2_AuthorizationURL": "https://auth.example.com/oauth2/authorize",
  "oauth2_TokenURL": "https://auth.example.com/oauth2/token",
}
```

#### Keycloak

```JSON
{
  "farm": true,
  "security_type": "passportjs",
  "oauth2_clientID": "CLIENT ID",
  "oauth2_clientSecret": "CLIENT SECRET",
  "oauth2_AuthorizationURL": "https://auth.example.com/auth/realms/Wiki.Cafe/protocol/openid-connect/auth",
  "oauth2_TokenURL": "https://auth.example.com/auth/realms/Wiki.Cafe/protocol/openid-connect/token",
  "oauth2_UserInfoURL": "https://auth.example.com/auth/realms/Wiki.Cafe/protocol/openid-connect/userinfo",
  "oauth2_UsernameField": "profile.preferred_username"
}
```
Custom callback and user profile URLs for OAuth2 For parsing `oauth2_UsernameField` values like `profile.preferred_username`, this makes use of `eval()` which is generally Evil™, but I'm assuming that anyone with permission to edit config.json likely has permission to make changes to the fedwiki source code already anyway, so it's fragile rather than increasing a security attack surface. An alternative would be using a small function to look up properties of the `params` / `profile` objects using the same dotted-path notation. 2021-10-23 14:56:08 +00:00			`## Generic OAuth 2`
Add generic OAuth support 2021-10-18 19:13:18 +00:00
Custom callback and user profile URLs for OAuth2 For parsing `oauth2_UsernameField` values like `profile.preferred_username`, this makes use of `eval()` which is generally Evil™, but I'm assuming that anyone with permission to edit config.json likely has permission to make changes to the fedwiki source code already anyway, so it's fragile rather than increasing a security attack surface. An alternative would be using a small function to look up properties of the `params` / `profile` objects using the same dotted-path notation. 2021-10-23 14:56:08 +00:00			`### Login provider set-up`

			`Like the other PassportJS login providers, we'll need a separate "OAuth2 Client"`
			`(others call it an "app", a "product" etc.) for our Federated Wiki instance.`

			`How to do this varies slightly for each provider.`

			### `config.json`

			`In general, you will need to specify:`
			* `oauth2_clientID` -- some systems generate this for you, others allow you to
			`specify it`
			* `oauth2_clientSecret` -- secure key (keep this secret!)
			* `oauth2_AuthorizationURL` and `oauth2_TokenURL` -- from your login provider's documentation

			`You will also need to specify a callback URL. For some providers, you can add`
			`this when making a new "OAuth Client" for your wiki, for others you will need to`
			specify it with `oauth2_CallbackURL`.

			`You might also need to tell Federated Wiki how to look up usernames:`
			* `oauth2_UserInfoURL` -- from login provider's documentation
replacing eval() with function using property accessors 2021-11-02 18:56:21 +00:00			* `oauth2_IdField`, `oauth2_DisplayNameField`, `oauth2_UsernameField` -- starting with
Custom callback and user profile URLs for OAuth2 For parsing `oauth2_UsernameField` values like `profile.preferred_username`, this makes use of `eval()` which is generally Evil™, but I'm assuming that anyone with permission to edit config.json likely has permission to make changes to the fedwiki source code already anyway, so it's fragile rather than increasing a security attack surface. An alternative would be using a small function to look up properties of the `params` / `profile` objects using the same dotted-path notation. 2021-10-23 14:56:08 +00:00			* `params` for information returned in the original token request, or
			* `profile` for data returned from `oauth2_UserInfoURL`, if you provided it.

			`Sometimes, you'll be able to look up the URLs by visiting your provider's`
			`/.well-known/openid-configuration` URL in a web browser.

			`### Examples`

			`#### Nextcloud`
Add generic OAuth support 2021-10-18 19:13:18 +00:00
			```JSON
			`{`
			`"farm": true,`
			`"security_type": "passportjs",`
			`"oauth2_clientID": "CLIENT ID",`
			`"oauth2_clientSecret": "CLIENT SECRET",`
			`"oauth2_AuthorizationURL": "https://auth.example.com/oauth2/authorize",`
			`"oauth2_TokenURL": "https://auth.example.com/oauth2/token",`
Custom callback and user profile URLs for OAuth2 For parsing `oauth2_UsernameField` values like `profile.preferred_username`, this makes use of `eval()` which is generally Evil™, but I'm assuming that anyone with permission to edit config.json likely has permission to make changes to the fedwiki source code already anyway, so it's fragile rather than increasing a security attack surface. An alternative would be using a small function to look up properties of the `params` / `profile` objects using the same dotted-path notation. 2021-10-23 14:56:08 +00:00			`}`
			```

			`#### Keycloak`

			```JSON
			`{`
			`"farm": true,`
			`"security_type": "passportjs",`
			`"oauth2_clientID": "CLIENT ID",`
			`"oauth2_clientSecret": "CLIENT SECRET",`
			`"oauth2_AuthorizationURL": "https://auth.example.com/auth/realms/Wiki.Cafe/protocol/openid-connect/auth",`
			`"oauth2_TokenURL": "https://auth.example.com/auth/realms/Wiki.Cafe/protocol/openid-connect/token",`
			`"oauth2_UserInfoURL": "https://auth.example.com/auth/realms/Wiki.Cafe/protocol/openid-connect/userinfo",`
			`"oauth2_UsernameField": "profile.preferred_username"`
Add generic OAuth support 2021-10-18 19:13:18 +00:00			`}`
			```