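# OpenID Connect login for OTOBO. Every assignment below writes into the `$Self`
# configuration hash provided by the enclosing config loader; this snippet is a
# fragment of that configuration, not a standalone script.
$Self->{AuthModule} = 'Kernel::System::Auth::OpenIDConnect';

# Define the authentication flow, currently supported are the authorization code flow...
$Self->{'AuthModule::OpenIDConnect::AuthRequest'}->{ResponseType} = [ 'code' ];

# Define the additional scope (openid is added automatically and does not need to be
# defined here). Make sure to add everything you want to interpret later.
$Self->{'AuthModule::OpenIDConnect::AuthRequest'}->{AdditionalScope} = [
    qw/profile email/
];

# Set the ClientID and Redirect URI exactly as defined on the authorization server;
# for the latter the Action must be "Login". The ClientID below is a placeholder.
$Self->{'AuthModule::OpenIDConnect::Config'}{ClientSettings} = {
    ClientID    => 'xxxxx-xxxxx-xxxx-xxxx-xxxxxx',
    RedirectURI => 'https://support.otobo.de/otobo/index.pl?Action=Login',
};

# For the authorization code flow the client secret has to be provided.
# The secret is a credential: restrict read access to this file to the account that
# runs OTOBO and keep the real value out of version control. The value below is a
# placeholder.
$Self->{'AuthModule::OpenIDConnect::Config'}{ClientSettings}{ClientSecret} = 'xxxxxxxxxx';

# Provide the URL of the well-known openid-configuration of the OpenID provider
$Self->{'AuthModule::OpenIDConnect::Config'}{ProviderSettings} = {
    OpenIDConfiguration => 'https://login.microsoftonline.com/5dddddf41bd-338c-4311-b1b0-e129ddddd34b/v2.0/.well-known/openid-configuration',
    TTL  => 60 * 30,   # optional: time period the extracted openid-configuration is cached
    Name => 'Intern4', # optional: necessary only if one needs to differentiate between User and CustomerUser configuration e.g.
    # SSLOptions => { # if special ssl options are needed; SSLVerifyHostname => 0 is also possible but should only be used for testing purposes
    #     SSLCertificate => 'SSL_cert_file', # client certificate
    #     SSLKey         => 'SSL_key_file',  # client cert key
    #     SSLPassword    => 'SSL_passwd_cb', # password for client cert key
    #     SSLCAFile      => 'SSL_ca_file',   # CA certificate
    #     SSLCADir       => 'SSL_ca_path',   # CA cert directory
    # },
    # The closing brace of SSLOptions above must stay commented out as long as the
    # block itself is; an uncommented `},` here closes ProviderSettings early and the
    # following `};` becomes a syntax error.
};

# Set the token claim to be used as identifier.
# NOTE(review): some providers treat preferred_username as a mutable, display-oriented
# claim; if the identifier must be stable over the lifetime of the account, confirm with
# the provider which claim is immutable (the standard `sub` claim is the usual candidate).
$Self->{'AuthModule::OpenIDConnect::UID'} = 'preferred_username';

# Some optional additional settings
$Self->{'AuthModule::OpenIDConnect::Config'}{Misc} = {
    # add a nonce to request and token (this is primarily important for the implicit flow
    # where it is enabled by default); the nonce ties the returned token to the request
    # that asked for it, so a token captured elsewhere cannot be replayed into this login.
    UseNonce   => 1,
    RandLength => 22,     # length for state and nonce random strings - default: 22
    RandTTL    => 60 * 5, # valid time period for state and nonce (roughly the time a user can take to authenticate) - default: 300 s
};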
Im nachfolgenden Codeblock sind die benötigten Änderungen fett markiert und mittels Kommentar ersichtlich:
# Config for nginx serving as a reverse proxy for the OTOBO web application.
# This config is based on default.conf in the nginx installation
# The master process runs as root.
# When no user is configured then the workers will run as nobody.
#user
# NOTE(review): the directives below appear without their enclosing block in this
# excerpt; they are presumably inside the http {} context — confirm against the full file.
proxy_send_timeout 120;
# NOTE(review): 99999 s is roughly 27.7 hours before an idle upstream read is abandoned;
# a stalled backend keeps the client connection and its proxy buffers allocated for that
# long. Confirm this value is really required rather than a leftover from debugging.
proxy_read_timeout 99999;
proxy_buffering on; # Rother OSS: changed for local ADFS
tcp_nodelay on;
# Do not serve HTTP, redirect to HTTPS instead.
# See https://linuxize.com/post/redirect-http-to-https-in-nginx/.
server {
listen 8080;
listen [::]:8080;
# catch all domains
server_name _;
# 301 Moved Permanently, (in 'SEO-speak', it is said that the 'link-juice' is sent to the new URL).
# $host is derived from the incoming request (request line / Host header), so the redirect
# target follows whatever host name the client asked for rather than a name fixed here.
return 301 https://$host$request_uri;
}
# serve HTTPS
server {
listen 8443 ssl;
listen [::]:8443 ssl;
# see https://www.digitalocean.com/community/tutorials/how-to-create-a-self-signed-ssl-certificate-for-nginx-in-ubuntu-18-04
# TLS protocol and cipher settings are expected to come from this snippet; confirm it
# exists and is maintained, since nothing else in this server block restricts them.
include snippets/ssl-params.conf;
# presumably substituted from the environment before nginx starts — verify in the
# container/start-up script
ssl_certificate ${OTOBO_NGINX_SSL_CERTIFICATE};
ssl_certificate_key ${OTOBO_NGINX_SSL_CERTIFICATE_KEY};
server_name localhost;
# After migration it's need to rewrite from otrs to otobo, cause old links:
rewrite ^/otrs(.*) https://$host/otobo$1 permanent;
# Redirect to customer.pl
# rewrite ^/$ /otobo/customer.pl;
# allow large uploads of files
client_max_body_size 1G;
large_client_header_buffers 4 64k; # Rother OSS: added for local ADFS
#access_log /var/log/nginx/host.access.log main;
# proxy to the otobo webapp accessible from the host
# pass on information about the client
location ~ /customer\.pl {
proxy_set_header X-Forwarded-Host $host:$server_port;
proxy_set_header X-Forwarded-Server $host;
# $proxy_add_x_forwarded_for appends the connecting client's address to any
# X-Forwarded-For the client already sent, so only the last entry is set by this proxy;
# earlier entries are client-supplied.
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass http://${OTOBO_NGINX_WEB_HOST}:${OTOBO_NGINX_WEB_PORT};
# $remote_user is the user name from the client's Authorization header. nginx only
# validates it when auth_basic or auth_gss is active; with the auth_gss lines below
# commented out the value is client-supplied and unverified, so the backend must not
# treat REMOTE_USER as an authenticated identity. Presumably unused by the OpenID
# Connect login configured for the agent interface — confirm for customer.pl.
proxy_set_header REMOTE_USER $remote_user;
# auth_gss on;
# auth_gss_keytab /etc/krb5.keytab;
# auth_gss_service_name HTTP/fqdn;
# auth_gss_realm FQDN;
# auth_gss_allow_basic_fallback on;
}
# proxy to the otobo webapp accessible from the host
# pass on information about the client
# The alternation is deliberately ungrouped: matches a URI ending in /index.pl, or any
# URI containing /otobo-web or /nph-genericinterface.pl.
location ~ /index\.pl$|/otobo-web|/nph-genericinterface\.pl {
proxy_set_header X-Forwarded-Host $host:$server_port;
proxy_set_header X-Forwarded-Server $host;
# see the note on X-Forwarded-For in the customer.pl location: only the last entry is
# added by this proxy.
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
# Rother OSS - changes required for local ADFS:
# presumably enlarged because upstream responses during the ADFS login carry large
# headers/cookies — confirm
proxy_buffer_size 128k;
proxy_buffers 4 256k;
proxy_busy_buffers_size 256k;
# EO Rother OSS
proxy_pass http://${OTOBO_NGINX_WEB_HOST}:${OTOBO_NGINX_WEB_PORT};
# Same caveat as in the customer.pl location: without auth_basic/auth_gss enabled,
# $remote_user is whatever the client put in its Authorization header.
proxy_set_header REMOTE_USER $remote_user;
# auth_gss on;
# auth_gss_keytab /etc/krb5.keytab;
# auth_gss_service_name HTTP/fqdn;
# auth_gss_realm FQDN;
# auth_gss_allow_basic_fallback on;
}
}