From ac0e5936b6141b6ca42cb7b85fb6b5309b32df45 Mon Sep 17 00:00:00 2001
From: Viyurz
Date: Sat, 11 May 2024 10:53:19 +0200
Subject: [PATCH] Add Authelia OAuth2 login to HedgeDoc.

---
 roles/authelia/templates/configuration.yml | 10 ++++++++++
 roles/hedgedoc/templates/.env | 11 +++++++++++
 secrets.yml.example | 12 ++++++++++--
 3 files changed, 31 insertions(+), 2 deletions(-)

diff --git a/roles/authelia/templates/configuration.yml b/roles/authelia/templates/configuration.yml
index fd5991c..fe2550f 100644
--- a/roles/authelia/templates/configuration.yml
+++ b/roles/authelia/templates/configuration.yml
@@ -76,6 +76,16 @@ identity_providers:
 - key: |
 {{ authelia_secrets["jwks_key"] | indent(width=10) }}
 clients:
+ - client_id: '{{ authelia_secrets["hedgedoc_client_id"] }}'
+ client_name: HedgeDoc
+ client_secret: '{{ authelia_secrets["hedgedoc_client_secret_hash"] }}'
+ redirect_uris: 'https://hedgedoc.{{ domain }}/auth/oauth2/callback'
+ scopes:
+ - 'openid'
+ - 'profile'
+ - 'email'
+ token_endpoint_auth_method: client_secret_post
+
 - client_id: '{{ synapse_secrets["oidc_client_id"] }}'
 client_name: Synapse
 client_secret: '{{ synapse_secrets["oidc_client_secret_hash"] }}'
diff --git a/roles/hedgedoc/templates/.env b/roles/hedgedoc/templates/.env
index ad9bb2d..d97bfef 100644
--- a/roles/hedgedoc/templates/.env
+++ b/roles/hedgedoc/templates/.env
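Review bot: `redirect_uris` in the new HedgeDoc client is written as a single quoted scalar, while Authelia documents it as a list of URIs; whether a bare string is accepted depends on the config decoder, so writing it as `redirect_uris:` followed by `  - 'https://hedgedoc.{{ domain }}/auth/oauth2/callback'` removes the doubt and matches the list form already used for `scopes` two lines below. The Synapse client that follows starts inside the hunk but its own `redirect_uris` line is outside it, so I could not confirm both entries use the same form. `client_secret` holding the hash together with `token_endpoint_auth_method: client_secret_post` is consistent with the `.env` in this commit passing the plaintext secret in the token request body; as a point of style, `client_secret_post` could be quoted like the scope entries, though that changes nothing.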
@@ -6,3 +6,14 @@ CMD_DB_PASSWORD='{{ hedgedoc_secrets["postgres_password"] }}'
 CMD_DOMAIN='hedgedoc.{{ domain }}'
 CMD_PROTOCOL_USESSL=true
 CMD_SESSION_SECRET='{{ hedgedoc_secrets["session_secret"] }}'
+
+CMD_OAUTH2_PROVIDERNAME=Authelia
+CMD_OAUTH2_CLIENT_ID='{{ authelia_secrets["hedgedoc_client_id"] }}'
+CMD_OAUTH2_CLIENT_SECRET='{{ authelia_secrets["hedgedoc_client_secret"] }}'
+CMD_OAUTH2_AUTHORIZATION_URL=https://auth.{{ domain }}/api/oidc/authorization
+CMD_OAUTH2_TOKEN_URL=https://auth.{{ domain }}/api/oidc/token
+CMD_OAUTH2_USER_PROFILE_URL=https://auth.{{ domain }}/api/oidc/userinfo
+CMD_OAUTH2_SCOPE=openid email profile
+CMD_OAUTH2_USER_PROFILE_USERNAME_ATTR=preferred_username
+CMD_OAUTH2_USER_PROFILE_DISPLAY_NAME_ATTR=name
+CMD_OAUTH2_USER_PROFILE_EMAIL_ATTR=email
diff --git a/secrets.yml.example b/secrets.yml.example
index 8ecb483..1a55e43 100644
--- a/secrets.yml.example
+++ b/secrets.yml.example
@@ -12,14 +12,24 @@ cifs_credentials:
 authelia_secrets:
 # Encryption key for the database, must be saved
 encryption_key:
+
+ # Generate random client id : docker run --rm authelia/authelia:4 authelia crypto rand --length 72 --charset rfc3986
+ # Generate random secret + hash : docker run --rm authelia/authelia:4 authelia crypto hash generate pbkdf2 --variant sha512 --random --random.length 72 --random.charset rfc3986
+ hedgedoc_client_id:
+ hedgedoc_client_secret:
+ hedgedoc_client_secret_hash:
+
 hmac_secret:
 jwks_key: |
 # openssl genrsa 4096
 jwt_secret:
+
 # LDAP bind dn
 ldap_user:
 ldap_password:
+
 postgres_user:
 postgres_password:
+
 smtp_user:
 smtp_password:
@@ -51,9 +61,7 @@ searxng_secrets:
 searxng_secret:
 synapse_secrets:
- # docker run --rm authelia/authelia:4 authelia crypto rand --length 72 --charset rfc3986
 oidc_client_id:
- # Generate random secret + hash : docker run --rm authelia/authelia:4 authelia crypto hash generate pbkdf2 --variant sha512 --random --random.length 72 --random.charset rfc3986
 oidc_client_secret:
 oidc_client_secret_hash:
 smtp_user:
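Review bot: `CMD_OAUTH2_SCOPE=openid email profile` is the only new value that contains spaces and it is left unquoted, unlike the secrets on the surrounding lines; a dotenv reader keeps the whole right-hand side, but anything that sources this file as shell would truncate it to `openid`, so `CMD_OAUTH2_SCOPE='openid email profile'` is the safer spelling. The template now renders the plaintext `hedgedoc_client_secret` next to the session and database secrets; the task that writes this file is not in the diff, so it is worth confirming it sets a restrictive file mode rather than relying on the default. The three endpoint URLs and the `preferred_username`/`name`/`email` attributes line up with the `openid`, `profile` and `email` scopes granted to the HedgeDoc client in the Authelia hunk, which looks consistent.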