WebHare can be set up as an OpenID relying party (RP), where it connects to (relies on) an OpenID Provider to do the actual login. This role is sometimes referred to as a 'service provider', with the OpenID server being the 'identity provider'.

When setting up an OpenID connection, the identity provider will generally ask for your callback URL. You can get WebHare's default callback URL using wh auth get-callback-url. It will generally be of the form https://my.webhare.dev/.wh/common/oauth2/ where the hostname will be your primary backend URL. You can set up other callback URLs if needed (but you shouldn't change or disable a callback URL without coordinating with your identity provider).

Your identity provider should then provide you with the clientid and clientsecret and may tell you exactly which fields ('claims') to use to match against the login name - it's usually sub or email. The identity provider should also provide you with a metadata URL which should end in .well-known/openid-configuration.

You can bootstrap the configuration using wh auth on the command line:

wh auth [-s <schema>] add-idp [options] <tag> <clientid> <clientsecret>
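A pre-flight check on the provider's metadata document before it is passed to wh auth add-idp, as an added example that is not part of WebHare: it checks the form of the metadata URL, that the issuer matches it (as OpenID Connect Discovery requires), that the endpoints use https, and that the scopes and login claim you intend to use are advertised. The function name, its defaults and the idp.example documents are constructed for illustration, and fetching the JSON from the metadata URL is left out so the block runs offline.

```python
from urllib.parse import urlsplit

SUFFIX = "/.well-known/openid-configuration"
ENDPOINTS = ("authorization_endpoint", "token_endpoint", "jwks_uri")

def check_idp_metadata(metadata_url, doc, loginfield="email", scopes=("email", "profile")):
    """Return a list of problems found; an empty list means nothing was flagged."""
    problems = []
    if urlsplit(metadata_url).scheme != "https":
        problems.append("metadata URL is not https")
    if not metadata_url.endswith(SUFFIX):
        problems.append("metadata URL does not end in " + SUFFIX)
    # OpenID Connect Discovery: the issuer must be the URL the suffix was appended to.
    elif doc.get("issuer", "").rstrip("/") != metadata_url[: -len(SUFFIX)]:
        problems.append("issuer does not match metadata URL: %r" % doc.get("issuer"))
    for key in ENDPOINTS:
        if urlsplit(doc.get(key, "")).scheme != "https":
            problems.append(key + " is missing or not https")
    # scopes_supported and claims_supported are optional; check only when advertised.
    if "scopes_supported" in doc:
        for scope in scopes:
            if scope not in doc["scopes_supported"]:
                problems.append("scope not advertised: " + scope)
    if "claims_supported" in doc and loginfield not in doc["claims_supported"]:
        problems.append("claim not advertised: " + loginfield)
    return problems

# Constructed sample documents (idp.example is a placeholder host, not a real provider).
GOOD_URL = "https://idp.example" + SUFFIX
GOOD_DOC = {
    "issuer": "https://idp.example",
    "authorization_endpoint": "https://idp.example/authorize",
    "token_endpoint": "https://idp.example/token",
    "jwks_uri": "https://idp.example/jwks",
    "scopes_supported": ["openid", "email", "profile"],
    "claims_supported": ["sub", "email", "name"],
}
# Same document with a foreign issuer, a plain-http token endpoint and no email claim.
BAD_DOC = dict(GOOD_DOC, issuer="https://other.example",
               token_endpoint="http://idp.example/token",
               claims_supported=["sub", "name"])

if __name__ == "__main__":
    for name, doc in (("good", GOOD_DOC), ("bad", BAD_DOC)):
        print(name, check_idp_metadata(GOOD_URL, doc))
```

Pass the same values you plan to give to --loginfield and --additionalscopes, and resolve anything it reports with the identity provider before registering it.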

WebHare

WebHare can act as both a service and identity provider. Once you have the clientid and clientsecret:

wh auth add-idp --additionalscopes email,profile --metadataurl https://WEBHARE-IDP/.well-known/openid-configuration --title "Login using WebHare" --loginfield email TAG CLIENTID CLIENTSECRET

Google

To configure logging in with Google on your WebHare interface:

On the command line you can use:

wh auth add-idp --additionalscopes email,profile --metadataurl https://accounts.google.com/.well-known/openid-configuration --title "Login with Google" --loginfield email GOOGLE xxxxxx.apps.googleusercontent.com GOCSPX-xxxxxx