This module provides a simple way to add SSO auto-login to webtrees in combination with an authentication proxy (such as oauth2-proxy).

Requires webtrees 2.0.
If you are using git, you could also clone the current main branch directly into your `modules_v4` directory by calling:

```sh
git clone https://github.com/fanningert/webtrees_simpleautologin.git modules_v4/webtrees_simpleautologin
```
To manually install the module, perform the following steps:

1. Copy the module into the `modules_v4` directory.
2. The module directory must be named `webtrees_simpleautologin`.
3. Add `trusted_header_authenticated_user` to the `config.ini.php` of webtrees, set to the name of the server parameter in which the authentication proxy passes the authenticated user name. Known server parameter, as used in the example: `REMOTE_USER`.

   Example: `trusted_header_authenticated_user="REMOTE_USER";`
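The following is an added example, not the module's own code: a Python simulation of the decision a trusted-header auto-login has to make. `trusted_header_authenticated_user` names the entry of PHP's `$_SERVER` from which the user name is read; here `server_params` stands in for `$_SERVER`, and the function names, the account table and the sample requests are constructed for this example. Whether a given parameter can be trusted is decided by the deployment, not by the module: `REMOTE_USER` is set by the web server itself, whereas `HTTP_*` entries are copied from request headers, so the setup must ensure that requests reach webtrees only through the authentication proxy.

```python
"""Added example (not the module's own code): simulation of the auto-login
decision made from one configured, trusted server parameter.

`server_params` stands in for PHP's $_SERVER.  The function names, the
account table and the sample requests are constructed for this example.
"""
from typing import Dict, Optional

# Constructed sample of webtrees accounts: proxy user name -> account id.
ACCOUNTS: Dict[str, str] = {"alice": "user-1", "bob": "user-2"}


def resolve_auto_login_user(server_params: Dict[str, str],
                            trusted_param: Optional[str]) -> Optional[str]:
    """Return the user name supplied by the proxy, or None if there is none.

    Only the configured parameter is consulted.  A user-looking value under
    any other name (for example a header that happened to be forwarded) is
    ignored, so the trust decision depends on exactly one configured name.
    """
    if not trusted_param:
        return None                      # module not configured: no auto-login
    value = server_params.get(trusted_param, "").strip()
    return value or None


def auto_login(server_params: Dict[str, str], config: Dict[str, str],
               accounts: Dict[str, str]) -> Optional[str]:
    """Return the account id to log in, or None to fall through to the login form.

    Unknown user names are not provisioned: the proxy authenticates the
    person, but only an existing webtrees account can be entered.
    """
    user_name = resolve_auto_login_user(
        server_params, config.get("trusted_header_authenticated_user"))
    if user_name is None:
        return None
    return accounts.get(user_name)


if __name__ == "__main__":
    config = {"trusted_header_authenticated_user": "REMOTE_USER"}
    # Constructed request as webtrees sees it behind the authentication proxy.
    behind_proxy = {"REMOTE_USER": "alice", "REQUEST_URI": "/"}
    print(auto_login(behind_proxy, config, ACCOUNTS))   # user-1
    # The proxy set nothing: normal login form.
    anonymous = {"REQUEST_URI": "/"}
    print(auto_login(anonymous, config, ACCOUNTS))      # None
    # A value under a name that is not the configured one is ignored.
    other_name = {"HTTP_X_FORWARDED_USER": "alice", "REQUEST_URI": "/"}
    print(auto_login(other_name, config, ACCOUNTS))     # None
```

The `config` dict plays the role of `config.ini.php`; leaving the key out reproduces the unconfigured state, in which no auto-login happens at all.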
Alternatively, you can unload the module by renaming `modules_v4/webtrees_simpleautologin/` to `modules_v4/webtrees_simpleautologin.disable/`.

It is safe to delete the `webtrees_simpleautologin` directory at any time.
In my installation, I have Caddy as the first-line reverse proxy. Behind it is an authentication proxy (oauth2-proxy) for the OAuth authentication with Keycloak.

```
caddy -> oauth2-proxy -> webtrees
              |
              v
          Keycloak
```
```
webtrees.example.com {
    reverse_proxy <oauth-proxy: https://x.x.x.x:port> {
        transport http {
            tls_insecure_skip_verify
        }
    }
}
```
I am running oauth2-proxy as a container (podman).

```sh
podman create --name "oauthproxy_core" --pod "oauthproxy" \
    -v "/etc/localtime:/etc/localtime:ro" \
    quay.io/oauth2-proxy/oauth2-proxy \
    --provider=oidc \
    --provider-display-name="Keycloak" \
    --client-id="app_webtrees" \
    --client-secret="<client-secret>" \
    --email-domain=* \
    --oidc-issuer-url="http(s)://<keycloak host>/auth/realms/<realm>" \
    --login-url="http(s)://<keycloak host>/auth/realms/<realm>/protocol/openid-connect/auth" \
    --redeem-url="http(s)://<keycloak host>/auth/realms/<realm>/protocol/openid-connect/token" \
    --validate-url="http(s)://<keycloak host>/auth/realms/<realm>/protocol/openid-connect/userinfo" \
    --allowed-group="<allowed_user_group>" \
    --whitelist-domain="<.example.com>" \
    --cookie-domain="<webtrees.example.com>" \
    --cookie-secure=true \
    --cookie-secret="${COOKIE_SECRET}" \
    --scope="openid profile email roles" \
    --http-address="127.0.0.1:4180" \
    --upstream="<webtrees url>" \
    --ssl-upstream-insecure-skip-verify="true" \
    --reverse-proxy="true" \
    --insecure-oidc-allow-unverified-email=true \
    --skip-provider-button=true
```
More information can be found here.