[WIP] Document how to enable OAuth #265

87 changes: 87 additions & 0 deletions docs/learn-more/oauth.md
@@ -0,0 +1,87 @@
# How to enable OAuth

Following this guide, you will let the users to register and login using Google and Github OAUTH.

- active `docker-compose.yml` (`~/.sourced/compose-files/__active__/docker-compose.yml`) should contain:
```yml
version: '3.4'
services:
sourced-ui:
environment:
OAUTH_ENABLED_PROVIDERS: ${OAUTH_ENABLED_PROVIDERS} # Comma separated list of available OAuth providers (eg: github,google)
OAUTH_REGISTRATION_ROLE: ${OAUTH_REGISTRATION_ROLE} # The role for the newly registered users using OAuth 'Admin'/'Alpha'/'Gamma'
OAUTH_GOOGLE_CONSUMER_KEY: ${OAUTH_GOOGLE_CONSUMER_KEY} # OAuth provider consumer key (aka client_id)
OAUTH_GOOGLE_CONSUMER_SECRET: ${OAUTH_GOOGLE_CONSUMER_SECRET} # OAuth provider consumer secret (aka client_secret)
OAUTH_GITHUB_CONSUMER_KEY: ${OAUTH_GITHUB_CONSUMER_KEY} # OAuth provider consumer key (aka client_id)
OAUTH_GITHUB_CONSUMER_SECRET: ${OAUTH_GITHUB_CONSUMER_SECRET} # OAuth provider consumer secret (aka client_secret)
```

In order to avoid some OAuth issues, make your instance of source{d} CE accessible from the Internet:
- consider this example: `http://live.sourced.ce`
- `PROTOCOL` = `http`
- `HOST` = `live.sourced.ce`
- you can use `ngrok` if running source{d} locally:
```shell
$ ngrok http 8088
```
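
Review bot: The example under "make your instance of source{d} CE accessible from the Internet" sets `PROTOCOL` = `http`, and every origin and redirect URI later in the guide is built from `${PROTOCOL}://${HOST}`, so an Internet-facing instance would receive its OAuth callbacks over plain HTTP. Suggest using `https` in the example and saying that `http` is only for local testing. "Some OAuth issues" is also too vague to justify exposing the instance; name the provider and the failure so readers do not publish an instance they could have kept on localhost.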

Have you verified this? I did not have any issues running on localhost with Google. Maybe this only happens with Github?


## For Google OAuth

1. Configure your "OAuth consent screen"
- https://console.developers.google.com/apis/credentials/consent
- set up:
- "Application name"
- "Authorized domains": `${HOST}`
1. Create a new "Credential"
- https://console.developers.google.com/apis/credentials
- create a new "Create OAuth client ID" for "Wab application"

s/Wab/Web/

- set up:
- "Application name"
- "Restrictions":
- Authorized JavaScript origins: `${PROTOCOL}://${HOST}`
- Authorized redirect URIs: `${PROTOCOL}://${HOST}/oauth-authorized/google`

I think there was a way to restrict logins to the Google Apps domain (e.g. allow only @sourced.tech to log in). That's an interesting option to point out (not sure if Github has any kind of equivalent).



## For GitHub OAuth

1. Create a new OAuth application
- https://github.com/settings/applications/new
- set up:
- "Application name"
- "Homepage URL": `${PROTOCOL}://${HOST}`
- "Authorization callback URL": `${PROTOCOL}://${HOST}/oauth-authorized/github`



## Run source{d}

```shell
$ export OAUTH_ENABLED_PROVIDERS=github,google
$ export OAUTH_REGISTRATION_ROLE=Gamma
$ OAUTH_GOOGLE_CONSUMER_KEY=<google client_id> \
OAUTH_GOOGLE_CONSUMER_SECRET=<google client_secret> \
OAUTH_GITHUB_CONSUMER_KEY=<github client_id> \
OAUTH_GITHUB_CONSUMER_SECRET=<github client_secret> \
sourced init local .
```

Every new user will be registered under `Gamma` role, so you might want to assign them a new role in order to let them to view `gitbase` database.

You can assign roles, or convert `Gamma` user into a an `Admin` one, following these steps:

---

_**[Disclaimer] [Bug]** Listing users is buggy and it's behavior depends on how you ran `sourced` for the first time:_

---

- If the first time you ran `sourced` was with no `OAUTH_ENABLED_PROVIDERS`, then you can only list users using `admin` user, so do the following:
1. start `sourced` with `OAUTH_ENABLED_PROVIDERS=` (it will stop your current instance of `sourced`),
1. login as `admin` (password: `admin`), and manage the users at you will.
1. start `sourced` again, with the regular `OAUTH_ENABLED_PROVIDERS=github,google`,

- If the first time you ran `sourced` was with already valid `OAUTH_ENABLED_PROVIDERS`, do the following:
1. start `sourced` with `OAUTH_REGISTRATION_ROLE=Admin` (it will stop your current instance of `sourced`),
1. register as a new user, who will be created with `Admin` role, and who will be able to list users `/users/list`,
1. start `sourced` again, with the regular `OAUTH_REGISTRATION_ROLE=Gamma` (it will stop the privileged instance of `sourced` from the previous step),
1. login with the user that you created in the second step, and use it to manage the users at you will.
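
Review bot: In the second procedure, step 1 starts `sourced` with `OAUTH_REGISTRATION_ROLE=Admin` on an instance the guide has asked the reader to make reachable from the Internet, so anyone who registers through Google or GitHub before step 3 is created with the `Admin` role. Suggest telling the reader to keep the instance unreachable to others during that window and to review the user list for unexpected `Admin` accounts before switching back to `Gamma`. The first procedure has a similar gap: it logs in as `admin` (password: `admin`) without saying to change that password before the providers are re-enabled.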