diff --git a/server/modules/authentication/azure/authentication.js b/server/modules/authentication/azure/authentication.js
index a983d1486e..5bcc645445 100644
--- a/server/modules/authentication/azure/authentication.js
+++ b/server/modules/authentication/azure/authentication.js
@@ -23,19 +23,35 @@ module.exports = {
 keyString = keyString.substring(44);
 }
 }
+
+ // If a client secret was passed, then we use code flow!
+ // If not, just use the same value previous version of wiki.js!
+ // Same for response mode. We want query respondeMode to avoid depending on cookies!
+ let respType = conf.clientSecret ? 'code' : 'id_token'
+ let respMode = conf.clientSecret ? 'query' : 'form_post'
+ let issuerList;
+
+ if(conf.issuerList){
+ // List of issuers.
+ // Expect each line containing the issuer definition!
+ issuerList = conf.issuerList.split('\n');
+ }
+
 passport.use(conf.key, new OIDCStrategy({
 identityMetadata: conf.entryPoint,
 clientID: conf.clientId,
 redirectUrl: conf.callbackURL,
- responseType: 'id_token',
- responseMode: 'form_post',
+ responseType: respType,
+ responseMode: respMode,
 scope: ['profile', 'email', 'openid'],
- allowHttpForRedirectUrl: WIKI.IS_DEBUG,
+ allowHttpForRedirectUrl: (WIKI.IS_DEBUG || conf.allowHttp),
 passReqToCallback: true,
 cookieSameSite: keyArray.length > 0,
 useCookieInsteadOfSession: keyArray.length > 0,
 cookieEncryptionKeys: keyArray
+ ,clientSecret: conf.clientSecret
+ ,issuer: issuerList
 }, async (req, iss, sub, profile, cb) => {
 const usrEmail = _.get(profile, '_json.email', null) || _.get(profile, '_json.preferred_username')
 try {
diff --git a/server/modules/authentication/azure/definition.yml b/server/modules/authentication/azure/definition.yml
index ad7d41ebc5..bf6eded0cf 100644
--- a/server/modules/authentication/azure/definition.yml
+++ b/server/modules/authentication/azure/definition.yml
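Review bot: `issuerList = conf.issuerList.split('\n')` hands every raw line of the admin textbox to the strategy's `issuer` allowlist, so a value saved with CRLF line endings or a trailing blank line yields entries such as `'https://login.microsoftonline.com/<tenant>/v2.0\r'` or `''` that can never equal a token's `iss` claim; for the multi-tenant `common`/`organizations` case this list is presumably the only issuer check, so the mistake surfaces as an unexplained rejected login. `issuerList = conf.issuerList.split(/\r?\n/).map(s => s.trim()).filter(Boolean)` keeps the allowlist exact. `allowHttpForRedirectUrl: (WIKI.IS_DEBUG || conf.allowHttp)` now lets a production instance accept a plain-HTTP callback, and because `responseMode` becomes `'query'` whenever a secret is configured, the authorization code travels in the callback URL, so a comment such as `// allowHttp is for local development only: with query response mode the auth code sits in the callback URL and must not cross the wire in clear text` belongs next to it. `respType` and `respMode` are never reassigned and read better as `const`, and the comma-first `,clientSecret` / `,issuer` entries break the trailing-comma style of the rest of the options object. The enclosing `init` function starts and ends outside this hunk.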
@@ -27,3 +27,26 @@ props:
 title: Cookie Encryption Key String
 hint: Random string with 44-character length. Setting this enables workaround for Chrome's SameSite cookies.
 order: 3
+ allowHttp:
+ type: Boolean
+ title: Allow Http
+ hint: Enable HTTP for redirect URIs, ideal for localhost use without requiring debug mode in Wiki.js.
+ default: false
+ order: 4
+ clientSecret:
+ type: String
+ title: Client Secret
+ hint: When configured, this setting mandates the module to exclusively utilize the Authorization Code Flow for authentication. To enable this, you are required to create a secret within the Azure Portal. This is achieved by accessing the "Authentication" section found in the settings of your registered application.
+ order: 5
+ issuerList:
+ type: String
+ title: Alternate Issuer List
+ multiline: true
+ hint: '
+ Alternate issuers to allow. Each line should specify an issuer string. A typical format for the v2 endpoint resembles: https://login.microsoftonline.com/YOUR-TENANT-ID/v2.0.
+ Pro Tip: To retrieve metadata about your tenant, navigate to https://login.microsoftonline.com/TENANT-NAME/v2.0/.well-known/openid-configuration in your web browser.
+ For instance, to obtain information for a tenant named example.com, you would visit: https://login.microsoftonline.com/example.com/v2.0/.well-known/openid-configuration. This URL provides detailed metadata concerning the specified tenant.
+ Locate the "issuer" field, which holds the issuer string. Simply copy its contents and paste them here for use.
+ Useful when using common or organizations endpoints (for multi-tenant auths).
+ '
+ order: 6
\ No newline at end of file
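Review bot: The `clientSecret` hint directs admins to the "Authentication" section of the registered application, but client secrets are created under "Certificates & secrets" in the Azure portal, so the hint should read `hint: When set, the module uses the Authorization Code Flow instead of the implicit id_token flow. Create the secret under "Certificates & secrets" of your registered application in the Azure Portal.` The `allowHttp` hint calls the option "ideal for localhost use" but never says it is unsafe elsewhere; `hint: Accept a plain-HTTP redirect URI without debug mode. For local development only - never enable this on a production instance.` makes the intent explicit. If this property schema has a flag that marks a value as secret so the admin UI masks it (other module definitions appear to use one - confirm against a sibling definition.yml), `clientSecret` should carry it rather than being a plain `String`. The `issuerList` hint is a multi-line single-quoted scalar, which YAML folds into one long line with stray leading and trailing spaces; a `>` folded block scalar keeps the same text without them, and the file's last line lacks a trailing newline.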