Document OAuth groupClaimName and roleMapping env variables #256
51 changes: 32 additions & 19 deletions content/configuration/auth-sso.md
Expand Up @@ -34,28 +34,41 @@ The default Directus email/password authentication flow. No additional configura

## OAuth 2.0

| Variable | Description | Default Value |
| ------------------------------------------- | --------------------------------------------------------------------------------------------------------- | ---------------- |
| `AUTH_<PROVIDER>_CLIENT_ID` | Client identifier for the OAuth provider. | |
| `AUTH_<PROVIDER>_CLIENT_SECRET` | Client secret for the OAuth provider. | |
| `AUTH_<PROVIDER>_SCOPE` | A white-space separated list of permissions to request. | `email` |
| `AUTH_<PROVIDER>_AUTHORIZE_URL` | Authorization page URL of the OAuth provider. | |
| `AUTH_<PROVIDER>_ACCESS_URL` | Access token URL of the OAuth provider. | |
| `AUTH_<PROVIDER>_PROFILE_URL` | User profile URL of the OAuth provider. | |
| `AUTH_<PROVIDER>_IDENTIFIER_KEY` | User profile identifier key <sup>[1]</sup>. Will default to `EMAIL_KEY`. | |
| `AUTH_<PROVIDER>_EMAIL_KEY` | User profile email key. | `email` |
| `AUTH_<PROVIDER>_FIRST_NAME_KEY` | User profile first name key. | |
| `AUTH_<PROVIDER>_LAST_NAME_KEY` | User profile last name key. | |
| `AUTH_<PROVIDER>_ALLOW_PUBLIC_REGISTRATION` | Automatically create accounts for authenticating users. | `false` |
| `AUTH_<PROVIDER>_DEFAULT_ROLE_ID` | A Directus role ID to assign created users. | |
| `AUTH_<PROVIDER>_SYNC_USER_INFO` | Set user's first name, last name and email from provider's user info on each login. | `false` |
| `AUTH_<PROVIDER>_ICON` | SVG icon to display with the login link. Can be a Material Icon or Font Awesome Social Icon. | `account_circle` |
| `AUTH_<PROVIDER>_LABEL` | Text to be presented on SSO button within the Data Studio. | `<PROVIDER>` |
| `AUTH_<PROVIDER>_PARAMS` | Custom query parameters applied to the authorization URL. | |
| `AUTH_<PROVIDER>_REDIRECT_ALLOW_LIST` | A comma-separated list of external URLs (including paths) allowed for redirecting after successful login. | |
| Variable | Description | Default Value |
| ------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ---------------- |
| `AUTH_<PROVIDER>_CLIENT_ID` | Client identifier for the OAuth provider. | |
| `AUTH_<PROVIDER>_CLIENT_SECRET` | Client secret for the OAuth provider. | |
| `AUTH_<PROVIDER>_SCOPE` | A white-space separated list of permissions to request. | `email` |
| `AUTH_<PROVIDER>_AUTHORIZE_URL` | Authorization page URL of the OAuth provider. | |
| `AUTH_<PROVIDER>_ACCESS_URL` | Access token URL of the OAuth provider. | |
| `AUTH_<PROVIDER>_PROFILE_URL` | User profile URL of the OAuth provider. | |
| `AUTH_<PROVIDER>_IDENTIFIER_KEY` | User profile identifier key <sup>[1]</sup>. Will default to `EMAIL_KEY`. | |
| `AUTH_<PROVIDER>_EMAIL_KEY` | User profile email key. | `email` |
| `AUTH_<PROVIDER>_FIRST_NAME_KEY` | User profile first name key. | |
| `AUTH_<PROVIDER>_LAST_NAME_KEY` | User profile last name key. | |
| `AUTH_<PROVIDER>_ALLOW_PUBLIC_REGISTRATION` | Automatically create accounts for authenticating users. | `false` |
| `AUTH_<PROVIDER>_DEFAULT_ROLE_ID` | A Directus role ID to assign created users. | |
| `AUTH_<PROVIDER>_SYNC_USER_INFO` | Set user's first name, last name and email from provider's user info on each login. | `false` |
| `AUTH_<PROVIDER>_ICON` | SVG icon to display with the login link. Can be a Material Icon or Font Awesome Social Icon. | `account_circle` |
| `AUTH_<PROVIDER>_LABEL` | Text to be presented on SSO button within the Data Studio. | `<PROVIDER>` |
| `AUTH_<PROVIDER>_PARAMS` | Custom query parameters applied to the authorization URL. | |
| `AUTH_<PROVIDER>_REDIRECT_ALLOW_LIST` | A comma-separated list of external URLs (including paths) allowed for redirecting after successful login. | |
| `AUTH_<PROVIDER>_ROLE_MAPPING` | A JSON object in the form of `{ "openid_group_name": "directus_role_id" }` that you can use to map OAuth claim groups to Directus roles <sup>[2]</sup>. If not specified, falls back to `AUTH_<PROVIDER>_DEFAULT_ROLE_ID` URL. | |
| `AUTH_<PROVIDER>_GROUP_CLAIM_NAME` | The name of the OAuth claim that contains your user's groups. | `groups` |

<sup>[1]</sup> When authenticating, Directus will match the identifier value from the external user profile to a Directus users "External Identifier".

<sup>[2]</sup> As Directus only allows one role per user, evaluating stops after the first match. An OAuth user that is member of both e.g. developer and admin groups may be assigned different roles depending on the order that you specify your role-mapping in: In the following example said OAuth user will be assigned the role `directus_developer_role_id`

```
AUTH_<PROVIDER>_ROLE_MAPPING: json:{ "developer": "directus_developer_role_id", "admin": "directus_admin_role_id" }"
```

Whereas in the following example the OAuth user will be assigned the role `directus_admin_role_id`:

```
AUTH_<PROVIDER>_ROLE_MAPPING: json:{ "admin": "directus_admin_role_id", "developer": "directus_developer_role_id" }"
```
## OpenID

OpenID is an authentication protocol built on OAuth 2.0, and should be preferred over standard OAuth 2.0 where possible.
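Review bot: The `AUTH_<PROVIDER>_ROLE_MAPPING` row ends with a stray word: "falls back to `AUTH_<PROVIDER>_DEFAULT_ROLE_ID` URL" should read "falls back to `AUTH_<PROVIDER>_DEFAULT_ROLE_ID`", since that variable holds a role ID, not a URL. Both example values also carry an unbalanced trailing `"` after the closing `}`: `json:{ "developer": "directus_developer_role_id", "admin": "directus_admin_role_id" }"` is not valid JSON as written, so drop the trailing quote (and consider tagging the two untagged fences so they render consistently). In footnote [2], "evaluating stops" should be "evaluation stops", "that is member of" should be "that is a member of", and the last sentence is missing its period; it would help operators to state the rule plainly, i.e. that keys are checked in the order given and the first group the user belongs to wins, so the most privileged group should be listed first if that is the intended outcome, and that `AUTH_<PROVIDER>_DEFAULT_ROLE_ID` applies only when no key matches. Finally, add a blank line between the closing fence and `## OpenID` so the heading renders.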