Related pages: 🇫🇷 Authentification fédérée
1. Federated authentication (FA)
This page lists the online resources needed to set up federated authentication, so that you deliberately do not have to maintain user accounts in Pwic.wiki yourself. You need a working HTTP(S) configuration and an Internet connection before continuing. Refer to the setup and HTTPS pages if needed.
With FA, users are authenticated through their own email address, which is assumed to be unique in a professional context. Note that the email address (used as the login) is public data in Pwic.wiki and cannot be hidden; using a short name instead is not supported. During authentication, the provider prompts users to allow the disclosure of their email address (they can refuse and leave, in which case no account is created).
1.1. Common configuration
Whichever OAuth2 provider you select, you must define the following parameters with the command python3 pwic_admin.py set-env:
- base_env: the root path of your website, without the trailing /
- oauth_domains: the list of restricted domains, so that only corporate email addresses are accepted
- strict_cookies: must be removed (SameSite=Strict cookies are not sent on the cross-site redirect back from the provider, so the login could not complete)
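The following example is added for this page and is not Pwic.wiki's own code. It shows the two checks a callback handler at base_url/api/oauth should apply before it trusts the email address returned by the provider: the state parameter must match the one issued at the start of the login, and the email domain must match an entry of the restricted-domain list exactly (never a suffix match, which would admit evilexample.com for example.com). base_url stands for the root-path parameter listed above; the separator of oauth_domains, the function names and the parameter handling are assumptions made for the example.

```python
"""Checks a callback handler at <base_url>/api/oauth should apply before it
trusts the email address returned by the OAuth2 provider.

Added illustration, not Pwic.wiki's own code. base_url and oauth_domains
mirror the settings described on the page; the separator of oauth_domains,
the function names and the parameter handling are assumptions.
"""
import hmac
import re
import secrets
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlparse


def normalize_email(email: str) -> Optional[str]:
    """Lower-case the address; reject anything that is not a plain local@domain."""
    email = email.strip().lower()
    if email.count("@") != 1:
        return None
    local, domain = email.split("@")
    if not local or not domain or domain.startswith(".") or domain.endswith("."):
        return None
    return f"{local}@{domain}"


def email_allowed(email: str, oauth_domains: str) -> bool:
    """Accept the address only if its domain is exactly one of the restricted
    domains (assumed here to be separated by commas or spaces).

    The comparison is an exact match of the domain part, never endswith():
    'alice@evilexample.com' must not pass for 'example.com', and a subdomain
    such as 'sub.example.com' passes only when it is listed explicitly.
    """
    allowed = {d.lower() for d in re.split(r"[,\s]+", oauth_domains) if d}
    if not allowed:
        return False  # an empty restriction list refuses everyone rather than admitting everyone
    norm = normalize_email(email)
    if norm is None:
        return False
    return norm.rsplit("@", 1)[1] in allowed


def build_authorize_url(authorize_endpoint: str, client_id: str, base_url: str,
                        scope: str) -> Tuple[str, str]:
    """Build the provider's authorization URL and the random state that the
    server must remember (in the session) until the callback comes back."""
    state = secrets.token_urlsafe(32)
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": f"{base_url}/api/oauth",  # must equal the registered callback URL
        "scope": scope,
        "state": state,
    }
    return f"{authorize_endpoint}?{urlencode(params)}", state


def parse_callback(callback_url: str, expected_state: Optional[str]) -> Optional[str]:
    """Return the authorization code carried by the callback, or None when the
    callback must be rejected: the user refused the consent screen (error=),
    the state is missing or does not match (CSRF / login fixation), or no
    code was returned."""
    query = parse_qs(urlparse(callback_url).query)
    if "error" in query:
        return None
    state = query.get("state", [""])[0]
    if not expected_state or not hmac.compare_digest(state.encode(), expected_state.encode()):
        return None
    code = query.get("code", [""])[0]
    return code or None
```

The state must be bound to the browser session that started the login (a cookie that survives the cross-site redirect, hence the remark about strict_cookies above); comparing it with a constant-time function and refusing an empty list of domains are deliberate choices, so that a misconfiguration fails closed.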
1.2. Github
Github is a platform for social coding. It is used by millions of developers and software companies.
First, register the application that will be linked to your domain name:
- Application name: pwic_wiki
- Homepage URL: https://your.tld or http://localhost:8080 (you cannot use 127.0.0.1)
- Application description: Pwic.wiki supports your documentation
- Authorization callback URL: https://your.tld/api/oauth
You obtain a client ID that identifies the application. You must then generate a client secret, which Pwic.wiki uses to prove its identity to Github when it completes the user's login. Click on Generate a new client secret. The secret is displayed only once and must be treated as a credential: store it in Pwic.wiki immediately and never publish it.
Now, you need to save the parameters into Pwic.wiki:
Key | Value
---|---
oauth_provider | github
oauth_identifier | The client ID
oauth_secret | The client secret
Overview of what you should see:
1.3. Google
Google is handled through its Cloud Platform. You need an account registered as gmail.com or as your company if it uses Google Workspace.
Connect to GCP and add a new OAuth 2.0 client ID from the top bar:
- Application type: Web application
- Name: pwic_wiki
- Redirection: https://your.tld/api/oauth
A popup screen appears with the client identifier and the secret key.
Now, you need to save the parameters into Pwic.wiki:
Key | Value
---|---
oauth_provider | google
oauth_identifier | The client ID
oauth_secret | The client secret
Overview of what you should see:
1.4. Microsoft
Microsoft is handled through the Azure platform. If you own a professional subscription to Office 365 or have an email address attached to your Windows account, you can log in.
The procedure is probably the most complex because the websites are cumbersome, and you will be required to grant the permissions that Pwic.wiki needs.
Connect to Azure, then manage your Azure Active Directory (now called Microsoft Entra ID). In the menu on the left, you have an item «Registered applications».
You can add a new registration from the top item:
- Name: pwic_wiki
- Supported account type: the first item is the one attached to your current professional or personal organization
- Redirection: Web + https://your.tld/api/oauth
Click on your added application:
- The item «Authentication» specifies the redirections
- The item «Certificates and secrets» helps to create the secret key
- The item «API permissions» exposes the needed resources; in this case https://graph.microsoft.com/User.ReadBasic.All must be added
Now, you need to save the parameters into Pwic.wiki:
Key | Value
---|---
oauth_provider | microsoft
oauth_tenant | The directory (tenant) ID
oauth_identifier | The application (client) ID
oauth_secret | The client secret
1.5. Other providers
For US and EU users, Google and Microsoft lead professional authentication because of their email solutions. Therefore, no provider other than the ones above is deliberately supported.
For the other regions of the world, extending the support to other providers remains an open topic.
Revision #1 was last modified by gitbra on 2023-12-11 at 00:00:00 (10023392fade089e)