From 48efa35e1d82ac250eed5f6f40514cca3bb7302e Mon Sep 17 00:00:00 2001
From: NHAS
Date: Sun, 1 Sep 2024 15:38:58 +1200
Subject: [PATCH] Add documentation for admin oidc
---
 README.md | 18 ++++++++-
 example_config.json | 98 ---------------------------------------------
 2 files changed, 16 insertions(+), 100 deletions(-)
 delete mode 100644 example_config.json
diff --git a/README.md b/README.md
index c299a1dd..02e65929 100644
--- a/README.md
+++ b/README.md
@@ -279,7 +279,7 @@ The web interface itself cannot add administrative users.
 `Authenticators.OIDC.IssuerURL`: Identity provider endpoint, e.g `http://localhost:8080/realms/account`
 `Authenticators.OIDC.ClientID`: OIDC identifier for application
 `Authenticators.OIDC.ClientSecret`: OIDC secret
-`Authenticators.OIDC.GroupsClaimName`: Not yet used.
+`Authenticators.OIDC.GroupsClaimName`: Claim that contains user groups to map into wag groups
 `Authenticators.PAM.ServiceName`: Name of PAM-Auth file in `/etc/pam.d/` will default to `/etc/pam.d/login` if unset or empty
@@ -302,6 +302,13 @@ The web interface itself cannot add administrative users.
 `ManagementUI.ListenAddress`: Listen address to expose the management UI on
 `ManagementUI.CertPath`: TLS Certificate path for management endpoint
 `ManagementUI.KeyPath`: TLS key for the management endpoint
+`ManagementUI.OIDC`: Object that contains `OIDC` specific configuration options for the admin login.
+`ManagementUI.OIDC.Enabled`: Boolean to enable OIDC login on the admin page.
+`ManagementUI.OIDC.IssuerURL`: Identity provider endpoint, e.g `http://localhost:8080/realms/account`
+`ManagementUI.OIDC.ClientID`: OIDC identifier for application
+`ManagementUI.OIDC.ClientSecret`: OIDC secret
+`ManagementUI.OIDC.AdminDomainURL`: The administrative page domain
+
 Full config example
 ```json
@@ -334,7 +341,14 @@ Full config example
 "ListenAddress": "127.0.0.1:4433",
 "CertPath": "/etc/example/cert/path",
 "KeyPath": "/etc/ssl/private/somecert.key",
- "Enabled": true
+ "Enabled": true,
+ "OIDC": {
+ "Enabled": true,
+ "IssuerURL": "http://localhost:8080/",
+ "AdminDomainURL":"http://localhost:4433/",
+ "ClientSecret": "",
+ "ClientID": "test"
+ }
 },
 "Authenticators": {
 "Issuer": "vpn.test",
diff --git a/example_config.json b/example_config.json
deleted file mode 100644
index ad41edd5..00000000
--- a/example_config.json
+++ /dev/null
@@ -1,98 +0,0 @@
-{
- "Lockout": 5,
- "HelpMail": "help@example.com",
- "MaxSessionLifetimeMinutes": 2,
- "SessionInactivityTimeoutMinutes": 1,
- "ExternalAddress": "192.168.121.61",
- "DatabaseLocation": "devices.db",
- "Socket": "/tmp/wag.sock",
- "Webserver": {
- "Public": {
- "ListenAddress": ":8081"
- },
- "Tunnel": {
- "Port": "8080"
- }
- },
- "ManagementUI": {
- "ListenAddress": "127.0.0.1:4433",
- "Enabled": true
- },
- "Authenticators": {
- "Issuer": "vpn.test",
- "DomainURL": "https://vpn.test:8080",
- "DefaultMethod": "",
- "Methods": [
- "totp",
- "webauthn",
- "oidc"
- ],
- "OIDC": {
- "IssuerURL": "http://localhost:8080/",
- "ClientSecret": "AN EXAMPLE KEY",
- "ClientID": "account",
- "GroupsClaimName": "groups"
- },
- "PAM": {
- "ServiceName": "vpncheckpass"
- }
- },
- "Wireguard": {
- "DevName": "wg0",
- "ListenPort": 53230,
- "PrivateKey": "AN EXAMPLE KEY",
- "Address": "192.168.1.1/24",
- "MTU": 1420,
- "DNS": [
- "1.1.1.1/32"
- ]
- },
- "Acls": {
- "Groups": {
- "group:nerds": [
- "toaster",
- "tester",
- "abc"
- ],
- "group:administrators": [
- "toaster",
- "tester"
- ]
- },
- "Policies": {
- "*": {
- "Allow": [
- "7.7.7.7",
- "google.com"
- ]
- },
- "group:nerds": {
- "Mfa": [
- "192.168.3.4/32"
- ],
- "Allow": [
- "192.168.3.5/32"
- ]
- },
- "tester": {
- "Mfa": [
- "192.168.3.0/24",
- "192.168.5.0/24"
- ],
- "Allow": [
- "4.3.3.3/32"
- ]
- },
- "group:administrators": {
- "Mfa": [
- "8.8.8.8"
- ]
- },
- "toaster": {
- "Allow": [
- "1.1.1.1/32"
- ]
- }
- }
- }
-}
\ No newline at end of file