# How to use OAuth

This document explains how to set up OAuth for doccano. doccano supports social login via GitHub and Active Directory, added in [#75](https://github.com/doccano/doccano/pull/75). In this document, we show GitHub OAuth as an example.

# GitHub

## Create OAuth App

1. In the upper-right corner of GitHub, click your profile photo, then click **Settings**.
2. In the left sidebar, click **Developer settings**.
3. In the left sidebar, click **OAuth Apps**.
4. Click **New OAuth App**.
5. In "Application name", type the name of your app.
6. In "Homepage URL", type the full URL to your app's website.
7. In "Authorization callback URL", type the callback URL of your app (e.g. <https://example.com/social/complete/github/>).
8. Click **Register application**.

## Set environment variables

Once the application is registered, your app's `Client ID` and `Client Secret` will be displayed on the following page:

![image](../images/oauth/oauth_apps.png)

1. Copy the `Client ID` and `Client Secret` from the Developer Applications page of your app on GitHub.
2. Set the `Client ID` and `Client Secret` as environment variables:

```bash
export OAUTH_GITHUB_KEY=YOUR_CLIENT_ID
export OAUTH_GITHUB_SECRET=YOUR_CLIENT_SECRET
```

## Run server

```bash
python manage.py runserver
```

Go to the login page:

![image](../images/oauth/login_page.png)

# Okta

Create an Okta web app in the Okta developer portal and get the key and secret from the app details.

## OAuth2

If you want to use OAuth2, set these environment variables.

```bash
export OAUTH_OKTA_OAUTH2_KEY=YOUR_CLIENT_ID
export OAUTH_OKTA_OAUTH2_SECRET=YOUR_CLIENT_SECRET
export OAUTH_OKTA_OAUTH2_API_URL=YOUR_BASE_URL
```

In the app settings, please set the redirect URI to `{DOCCANO_URL}/social/complete/okta-oauth2/`. For example, if you are serving Doccano at `https://example.com`, the redirect URI should be `https://example.com/social/complete/okta-oauth2/`. If using a local installation being served at port 8000, set the redirect URI to `http://127.0.0.1:8000/social/complete/okta-oauth2/`.

Okta Application setup:

![image](../images/oauth/okta_oauth_app.png)

Optionally, if you want to assign Doccano super users from Okta users, you can use Okta groups to assign them the policy. This will also assign the users the staff role, allowing them to access the Django admin page and app. Ensure your Okta [authorization server can serve `groups` claims](https://developer.okta.com/docs/guides/customize-tokens-returned-from-okta/add-groups-claim-org-as/) and set the environment variable `OKTA_OAUTH2_ADMIN_GROUP_NAME`.

```bash
export OKTA_OAUTH2_ADMIN_GROUP_NAME=SUPERUSER_OKTA_GROUP_NAME
```

## OpenIDConnect

If you want to use OpenIDConnect, set these environment variables.

```bash
export OAUTH_OKTA_OPENIDCONNECT_KEY=YOUR_CLIENT_ID
export OAUTH_OKTA_OPENIDCONNECT_SECRET=YOUR_CLIENT_SECRET
export OAUTH_OKTA_OPENIDCONNECT_API_URL=YOUR_BASE_URL
```

In the app settings, please set the redirect URI to `{DOCCANO_URL}/social/complete/okta-openidconnect/`. For example, if you are serving Doccano at `https://example.com`, the redirect URI should be `https://example.com/social/complete/okta-openidconnect/`. If using a local installation being served at port 8000, set the redirect URI to `http://127.0.0.1:8000/social/complete/okta-openidconnect/`.

Optionally, if you want to assign Doccano super users from Okta users, you can use Okta groups to assign them the policy. This will also assign the users the staff role, allowing them to access the Django admin page and app. Ensure your Okta [authorization server can serve `groups` claims](https://developer.okta.com/docs/guides/customize-tokens-returned-from-okta/add-groups-claim-org-as/) and set the environment variable `OKTA_OPENIDCONNECT_ADMIN_GROUP_NAME`.

```bash
export OKTA_OPENIDCONNECT_ADMIN_GROUP_NAME=SUPERUSER_OKTA_GROUP_NAME
```

## Run Server

```bash
python manage.py runserver
```

If everything has been set up correctly, you should see a login page like the one below with an option to log in using Okta.

![image](../images/oauth/okta_oauth_login_page.png)
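
A pre-flight check for the GitHub and Okta settings described above, added here as an example and not part of doccano's own code: it reports which variables are missing or still hold the placeholder values, and prints the redirect URI to register for each configured backend. The `DOCCANO_URL` variable name, the function names, and the https checks are assumptions of this example.

```python
import os
from urllib.parse import urlsplit

# Backend name as used in the callback path -> variables this page tells you to export.
BACKENDS = {
    "github": ("OAUTH_GITHUB_KEY", "OAUTH_GITHUB_SECRET"),
    "okta-oauth2": ("OAUTH_OKTA_OAUTH2_KEY", "OAUTH_OKTA_OAUTH2_SECRET",
                    "OAUTH_OKTA_OAUTH2_API_URL"),
    "okta-openidconnect": ("OAUTH_OKTA_OPENIDCONNECT_KEY",
                           "OAUTH_OKTA_OPENIDCONNECT_SECRET",
                           "OAUTH_OKTA_OPENIDCONNECT_API_URL"),
}
PLACEHOLDERS = {"YOUR_CLIENT_ID", "YOUR_CLIENT_SECRET", "YOUR_BASE_URL"}
LOOPBACK = {"127.0.0.1", "localhost", "::1"}


def redirect_uri(base_url, backend):
    """Callback URL to register with the provider for one backend."""
    return base_url.rstrip("/") + "/social/complete/" + backend + "/"


def check(env, base_url):
    """Return {backend: (redirect_uri, [problems])} for every backend with a variable set."""
    report = {}
    for backend, names in BACKENDS.items():
        if not any(env.get(n) for n in names):
            continue  # backend not in use, nothing to check
        problems = []
        for name in names:
            value = env.get(name, "")
            if not value:
                problems.append(name + " is not set")
            elif value in PLACEHOLDERS:
                problems.append(name + " still holds the placeholder value")
            elif name.endswith("_API_URL") and urlsplit(value).scheme != "https":
                problems.append(name + " is not an https URL")
        uri = redirect_uri(base_url, backend)
        parts = urlsplit(uri)
        if parts.scheme != "https" and parts.hostname not in LOOPBACK:
            problems.append("redirect URI uses plain http on a non-loopback host")
        report[backend] = (uri, problems)
    return report


if __name__ == "__main__":
    # DOCCANO_URL is a variable name assumed by this example.
    base = os.environ.get("DOCCANO_URL", "http://127.0.0.1:8000")
    for backend, (uri, problems) in check(os.environ, base).items():
        print(backend, uri, "; ".join(problems) or "OK")
```

Run it in the same shell where the variables were exported, before starting the server; the printed URI must match the one registered with the provider exactly, including the trailing slash.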