This repository has been archived by the owner on Sep 20, 2023. It is now read-only.

#199 fix oauth2
jeromeleonard committed Oct 29, 2020
1 parent f211f84 commit 129fab0
Showing 1 changed file with 30 additions and 22 deletions.
52 changes: 30 additions & 22 deletions admin/configuration.md
Expand Up @@ -301,29 +301,37 @@ To enable authentication using OAuth2/OpenID Connect, edit the `application.conf

##### Important notes

To have the OAuth2 functionnality working, you need to provide the granted code after the `#!/login` in the URL. Thus, the redirect URI has to be:
```
https://my-hive-instance.com/index.html#!/login
```
If your identity provider doesn't support `#!` in the redirect URI, you can make a redirection using a reverse proxy. Please find bellow an example config using Apache httpd:
```
Redirect "/redirect_uri" "/index.html#!/login"
ProxyPass "/redirect_uri" !
ProxyPass "/" "http://localhost:9000/"
ProxyPassReverse "/" "http://localhost:9000/"
```
Authenticate the user using an external OAuth2 authenticator server. The configuration is:

- clientId (string) client ID in the OAuth2 server.
- clientSecret (string) client secret in the OAuth2 server.
- redirectUri (string) the url of TheHive AOuth2 page (.../api/ssoLogin).
- responseType (string) type of the response. Currently only "code" is accepted.
- grantType (string) type of the grant. Currently only "authorization_code" is accepted.
- authorizationUrl (string) the url of the OAuth2 server.
- authorizationHeader (string) prefix of the authorization header to get user info: Bearer, token, ...
- tokenUrl (string) the token url of the OAuth2 server.
- userUrl (string) the url to get user information in OAuth2 server.
- scope (list of string) list of scope.



Example:

oauth2 {
name: oauth2
clientId: "client-id"
clientSecret: "client-secret"
redirectUri: "http://localhost:9000/api/ssoLogin"
responseType: code
grantType: "authorization_code"
authorizationUrl: "https://github.com/login/oauth/authorize"
authorizationHeader: "token"
tokenUrl: "https://github.com/login/oauth/access_token"
userUrl: "https://api.github.com/user"
scope: ["user"]
}

In addition, you need to configure your token endpoint (`auth.oauth2.tokenUrl`) to accept requests without HTTP basic auth because TheHive doesn't support it. The request performed by TheHive to this endpoint will follow this format:
```
##Header
"Content-type":"application/x-www-form-urlencoded"
##Body
"grant_type":"authorization_code"
"client_id":"thehive"
"client_secret":"thehivesecret"
"redirect_uri":"https://my-hive-instance.com/index.html"
"code":"returned_code_in_the_url_by_the_hive"
```

#### 3.2.1. Roles mappings
You can choose a roles mapping with the `auth.sso.mapper` parameter. The available options are `simple` and `group`:
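Review bot: the redirect URI is documented three different ways in this hunk and they do not agree: the "Important notes" say it must be `https://my-hive-instance.com/index.html#!/login`, the `redirectUri` parameter description says `.../api/ssoLogin` (mirrored by the example `redirectUri: "http://localhost:9000/api/ssoLogin"`), and the sample token request sends `"redirect_uri":"https://my-hive-instance.com/index.html"`. Because RFC 6749 §4.1.3 requires the `redirect_uri` sent to the token endpoint to be identical to the one used in the authorization request, a reader who follows one paragraph will be rejected by the other; pick one value and use it in all three places. It is also worth stating next to the Apache workaround why providers refuse `#!/login`: RFC 6749 §3.1.2 says the redirection endpoint URI MUST NOT include a fragment component, so the reverse-proxy `Redirect` is the only way to reach a fragment-routed page, and the registered URI should then be the fragment-free `/redirect_uri` path. Minor spelling in the same hunk: "functionnality" should be "functionality", "bellow" should be "below", and "AOuth2" should be "OAuth2".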
