sipcapture / homer-app

HOMER 7.x Front-End and API Server
http://sipcapture.io
GNU Affero General Public License v3.0

Add support for SAML or oauth2 SSO #440

Closed sudomoke closed 2 years ago

sudomoke commented 2 years ago

Hopefully this is the correct place to register a feature request.

I would like to see SAML or oauth2 based SSO added to the homer7 products. The current available solution (ldap) is less desirable than being able to use Google or AzureAD as an idp.

github-actions[bot] commented 2 years ago

Your report is appreciated. Please star this repository to motivate its developers! :star:

adubovikov commented 2 years ago

it's in our roadmap

adubovikov commented 2 years ago

@Moke version 1.4.23 has OAuth2 support

here is an example for Google:

```json
"oauth2": {
    "enable": false,
    "client_id": "1234565",
    "client_secret": "FAKE",
    "project_id": "Homer OAuth",
    "auth_uri": "https://accounts.google.com/o/oauth2/auth",
    "token_uri": "https://oauth2.googleapis.com/token",
    "auth_provider_x509_cert_url":  "https://www.googleapis.com/oauth2/v1/certs",
    "redirect_uri": "http://localhost:80/api/v3/oauth2/auth",
    "service_redirect": "/api/v3/oauth2/redirect",
    "profile_url": "https://www.googleapis.com/oauth2/v1/userinfo",
    "provider_name": "google",
    "scope": ["email", "openid", "profile"],
    "provider_image": ""
  },
```

sudomoke commented 2 years ago

I am working on adapting your example to work with AzureAD.

zpnielsen commented 2 years ago

And I'm watching him do it :)

sudomoke commented 2 years ago

Doesn't look like I'm able to get it working. Here's the configuration.

```json
"oauth2": {
    "enable": true,
    "client_id": "********",
    "client_secret": "**",
    "project_id": "Homer OAuth",
    "auth_uri": "https://login.microsoftonline.com/***/oauth2/v2.0/authorize",
    "token_uri": "https://login.microsoftonline.com/common/v2.0/oauth2/token",
    "auth_provider_x509_cert_url": "https://login.microsoftonline.com/******/discovery/v2.0/keys",
    "redirect_uri": "https://homer.*****.com/api/v3/oauth2/auth",
    "service_redirect": "/api/v3/oauth2/redirect",
    "profile_url": "https://graph.microsoft.com/oidc/userinfo",
    "provider_name": "microsoft",
    "scope": ["email", "openid", "profile"]
  }
```

Even though I am able to successfully see the configuration using

```
/usr/local/bin/homer-app -show-current-config
```

I am being redirected to google for oauth2 instead of the auth_uri defined.

adubovikov commented 2 years ago

Oops. Let us fix it asap

adubovikov commented 2 years ago

@Moke can you please check homer-app-1.4.24 ? Thank you!

sudomoke commented 2 years ago

Having a problem with the final step in the authentication. It's redirecting to / with the ?token param but failing with a 404 HTTP response:

```json
{"data":{},"message":"key not found or has been expired"}
```

The log file produces only:

```
{"level":"debug","msg":"Doing URL for providermicrosoft","time":"2021-11-05T03:39:57-05:00"}
{"level":"debug","msg":"Doing AuthSericeRequest for provider: microsoft","time":"2021-11-05T03:39:57-05:00"}
```

adubovikov commented 2 years ago

Did you configure the API to retrieve your profile?

adubovikov commented 2 years ago

@Moke are you able to join us on Matrix? https://matrix.to/#/#sipcapture_homer:gitter.im

adubovikov commented 2 years ago

So, with 1.4.25 it works as it should! Thank you @Moke!

sudomoke commented 2 years ago

Here is my latest and working configuration to use Azure AD with Homer. Sharing for anyone else.

```json
"oauth2": {
    "enable": true,
    "client_id": "****",
    "client_secret": "*****",
    "project_id": "AzureAD",
    "auth_uri": "https://login.microsoftonline.com/[AD TENANT GUID]/oauth2/v2.0/authorize",
    "token_uri": "https://login.microsoftonline.com/[AD TENANT GUID]/oauth2/v2.0/token",
    "auth_provider_x509_cert_url": "https://login.microsoftonline.com/[AD TENANT GUID]/discovery/keys",
    "redirect_uri": "https://homer.homer.net/api/v3/oauth2/auth",
    "service_redirect": "https://homer.homer.net/api/v3/oauth2/redirect",
    "profile_url": "https://graph.microsoft.com/oidc/userinfo",
    "provider_name": "microsoft",
    "scope": ["email", "openid", "profile"],
    "provider_image": ""
  }
```

In Azure AD App Registrations, configure the redirect URI to https://homer.homer.net/api/v3/oauth2/auth/microsoft

Check the box for "ID tokens (used for implicit and hybrid flows)"

In the API permissions section, add a "Delegated permission", under "Microsoft Graph" for email, openid, and profile.
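The two Azure AD configurations in this thread differ in details that are easy to miss by eye: the non-working one points `token_uri` at the `common` tenant with the path segments in the order `v2.0/oauth2/token`, while the working one uses the same tenant GUID in both `auth_uri` and `token_uri` with the `oauth2/v2.0/...` shape, and the URI registered on the Azure side is `redirect_uri` with `/<provider_name>` appended. The following is an added example, not homer-app code and not posted by anyone in this issue: a small Python lint for the `oauth2` block that encodes those observations as checks. The tenant GUID, hostnames and credential values in it are constructed placeholders, and the rule that the registered redirect URI is `redirect_uri + "/" + provider_name` is taken from the note above rather than from homer-app's source.

```python
"""Lint a homer-app "oauth2" config block for the Azure AD pitfalls seen in
this issue. Added example, not part of homer-app. Checks encoded here:
  * enable must be true, otherwise the block is ignored;
  * redirect_uri should be https outside local testing;
  * scope should contain email, openid and profile;
  * for provider_name "microsoft", auth_uri and token_uri must name the same
    tenant and use the ".../<tenant>/oauth2/v2.0/{authorize,token}" shape.
"""
import copy
import json
from urllib.parse import urlparse

# Constructed sample mirroring the shape of the working block above.
# Tenant GUID, hostname and secrets are placeholders, not real values.
WORKING_CONFIG = json.loads("""
{
  "oauth2": {
    "enable": true,
    "client_id": "PLACEHOLDER_CLIENT_ID",
    "client_secret": "PLACEHOLDER_SECRET",
    "project_id": "AzureAD",
    "auth_uri": "https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/oauth2/v2.0/authorize",
    "token_uri": "https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/oauth2/v2.0/token",
    "auth_provider_x509_cert_url": "https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/discovery/keys",
    "redirect_uri": "https://homer.example.net/api/v3/oauth2/auth",
    "service_redirect": "https://homer.example.net/api/v3/oauth2/redirect",
    "profile_url": "https://graph.microsoft.com/oidc/userinfo",
    "provider_name": "microsoft",
    "scope": ["email", "openid", "profile"]
  }
}
""")

# Constructed variant reproducing the earlier non-working token_uri:
# "common" tenant and segments in the order v2.0/oauth2/token.
BROKEN_CONFIG = copy.deepcopy(WORKING_CONFIG)
BROKEN_CONFIG["oauth2"]["token_uri"] = (
    "https://login.microsoftonline.com/common/v2.0/oauth2/token"
)

REQUIRED_SCOPES = {"email", "openid", "profile"}


def azure_tenant(url):
    """Return the tenant segment of a login.microsoftonline.com URL, else None."""
    parts = urlparse(url)
    segs = [s for s in parts.path.split("/") if s]
    if parts.hostname != "login.microsoftonline.com" or not segs:
        return None
    return segs[0]


def registered_redirect_uri(oauth2):
    """URI to register at the IdP: redirect_uri plus '/' plus provider_name
    (assumption taken from the Azure AD note in this issue)."""
    return oauth2["redirect_uri"].rstrip("/") + "/" + oauth2["provider_name"]


def lint_oauth2(cfg):
    """Return a list of human-readable findings; an empty list means clean."""
    o = cfg["oauth2"]
    findings = []
    if not o.get("enable"):
        findings.append("enable is false: the oauth2 block is ignored")
    if urlparse(o["redirect_uri"]).scheme != "https":
        findings.append("redirect_uri is not https (only acceptable for local testing)")
    missing = REQUIRED_SCOPES - set(o.get("scope", []))
    if missing:
        findings.append("scope is missing: " + ", ".join(sorted(missing)))
    if o.get("provider_name") == "microsoft":
        t_auth, t_tok = azure_tenant(o["auth_uri"]), azure_tenant(o["token_uri"])
        if t_auth != t_tok:
            findings.append(
                f"auth_uri tenant {t_auth!r} differs from token_uri tenant {t_tok!r}"
            )
        if not o["auth_uri"].endswith("/oauth2/v2.0/authorize"):
            findings.append("auth_uri does not end in /oauth2/v2.0/authorize")
        if not o["token_uri"].endswith("/oauth2/v2.0/token"):
            findings.append("token_uri does not end in /oauth2/v2.0/token")
    return findings


if __name__ == "__main__":
    for name, cfg in (("working", WORKING_CONFIG), ("broken", BROKEN_CONFIG)):
        print(name, "->", lint_oauth2(cfg) or "no findings")
    print("register at Azure:", registered_redirect_uri(WORKING_CONFIG["oauth2"]))
```

Run against the broken variant it reports both the tenant mismatch (`common` versus the GUID) and the mis-ordered `token_uri` path; the working variant produces no findings, and `registered_redirect_uri` prints the `/microsoft`-suffixed value that has to match the App Registration exactly.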

adubovikov commented 2 years ago

@Moke thank you so much!

adubovikov commented 2 years ago

@Moke please star us :-) https://github.com/sipcapture/homer/stargazers

adubovikov commented 2 years ago

@Moke https://github.com/sipcapture/homer-app/commit/44839ca084c6aa764183f713dad52a02c838f994

here is gravatar support