ejabberd extauth script to use OpenID Connect with the Resource Owner Password Grant Flow
Files in this repository (last commit message and date):

  • ejabberd_extauth_oidc_password.py (Reformat, 2024-07-22 23:06:50 +02:00)
  • poetry.lock (Initial implementation, 2024-07-22 22:26:59 +02:00)
  • pyproject.toml (Fix documentation, 2024-07-22 22:52:55 +02:00)
  • README.md (Fix documentation, 2024-07-22 22:52:55 +02:00)

ejabberd extauth script for OIDC Password Grant Flow

This script enables the use of OIDC providers for password login in ejabberd. It uses the Resource Owner Password Grant, which is considered legacy. However, as ejabberd lacks proper OIDC support, it is a viable workaround.

Installation

Until the script becomes available in distribution packages, it is best to install it using pip:

sudo pip install --break-system-packages ejabberd-extauth-oidc-password

This makes the script available at /usr/local/bin/ejabberd_extauth_oidc_password.

Configuration

Configuring the script

The script needs the following information about the OIDC provider:

  • Issuer URL
  • Token URL
  • Client ID
  • Client secret

Then, the script can be configured in /etc/ejabberd/extauth/oidc_password.yml:

handler:
  test.example.com:  # one block per XMPP server domain
    issuer: https://idp.example.com
    token_url: https://idp.example.com/oauth/token/
    client_id: myclient_abcd
    client_secret: top_secret

Configuring ejabberd

For ejabberd, follow the instructions for configuring external authentication. Set extauth_program to /usr/local/bin/ejabberd_extauth_oidc_password.
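The following is an added example, not the project's own script, showing how the two halves of this setup fit together: the ejabberd extauth wire protocol (2-byte big-endian length-prefixed commands on stdin, 2-byte-length plus 2-byte 0/1 result on stdout) and a Resource Owner Password Grant token request built from the same YAML keys as oidc_password.yml. The CONFIG dictionary mirrors the example configuration above with constructed values; the function names (password_grant, handle_command, serve, run_commands) and the behaviour for unsupported commands are this example's own choices, not the project's API. It refuses a non-HTTPS token_url before sending anything, since the password grant puts the user's password and the client secret in the request body.

```python
"""Added example (not the project's script): minimal ejabberd extauth handler
that checks passwords with the OIDC Resource Owner Password Grant."""
import io
import json
import struct
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Dict, List, Optional

# Constructed provider config for this example; same layout as
# /etc/ejabberd/extauth/oidc_password.yml on the page (one block per XMPP domain).
CONFIG: Dict = {
    "handler": {
        "test.example.com": {
            "issuer": "https://idp.example.com",
            "token_url": "https://idp.example.com/oauth/token/",
            "client_id": "myclient_abcd",
            "client_secret": "top_secret",
        }
    }
}

GrantFn = Callable[[Dict[str, str], str, str], bool]


def password_grant(cfg: Dict[str, str], user: str, password: str) -> bool:
    """Resource Owner Password Grant: POST credentials to token_url; a 200 reply
    carrying an access_token means the IdP accepted them, anything else is a failure."""
    if urllib.parse.urlsplit(cfg["token_url"]).scheme != "https":
        # The request body carries the user's password and the client secret,
        # so never send it over plain HTTP.
        return False
    data = urllib.parse.urlencode({
        "grant_type": "password",
        "username": user,
        "password": password,
        "client_id": cfg["client_id"],
        "client_secret": cfg["client_secret"],
        "scope": "openid",
    }).encode()
    req = urllib.request.Request(cfg["token_url"], data=data, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            body = json.load(resp)
    except (urllib.error.URLError, ValueError):
        # HTTP 400/401 from the IdP (wrong password, unknown client) lands here too.
        return False
    return isinstance(body, dict) and "access_token" in body


def handle_command(line: str, cfg_all: Dict, grant: GrantFn) -> bool:
    """Decode one extauth command ("op:user:server[:password]").
    Only auth and isuser are answered; setpass/tryregister/removeuser return
    False because the IdP, not ejabberd, owns the accounts."""
    parts = line.split(":")
    op = parts[0]
    if op == "auth" and len(parts) >= 4:
        user, server = parts[1], parts[2]
        password = ":".join(parts[3:])  # passwords may themselves contain ':'
        cfg = cfg_all["handler"].get(server)
        if cfg is None:  # unknown XMPP domain: no provider to ask
            return False
        return grant(cfg, user, password)
    if op == "isuser" and len(parts) == 3:
        # The password grant cannot enumerate users, so assume any user on a
        # configured domain may exist; auth still decides in the end.
        return parts[2] in cfg_all["handler"]
    return False


def encode_result(ok: bool) -> bytes:
    """ejabberd expects a 2-byte length (always 2) followed by a 2-byte 0 or 1."""
    return struct.pack(">HH", 2, 1 if ok else 0)


def read_command(stream) -> Optional[str]:
    """Read one length-prefixed command; None at end of stream."""
    header = stream.read(2)
    if len(header) < 2:
        return None
    (length,) = struct.unpack(">H", header)
    return stream.read(length).decode()


def serve(stdin, stdout, cfg_all: Dict, grant: GrantFn) -> None:
    """Main loop: one framed command in, one framed result out, until EOF."""
    while True:
        cmd = read_command(stdin)
        if cmd is None:
            break
        stdout.write(encode_result(handle_command(cmd, cfg_all, grant)))
        stdout.flush()


def run_commands(commands: List[str], cfg_all: Dict, grant: GrantFn) -> List[bool]:
    """Frame commands exactly as ejabberd would and decode the replies (offline harness)."""
    inp = io.BytesIO(b"".join(struct.pack(">H", len(c.encode())) + c.encode() for c in commands))
    out = io.BytesIO()
    serve(inp, out, cfg_all, grant)
    raw = out.getvalue()
    return [struct.unpack(">HH", raw[i:i + 4])[1] == 1 for i in range(0, len(raw), 4)]


if __name__ == "__main__":
    import sys
    serve(sys.stdin.buffer, sys.stdout.buffer, CONFIG, password_grant)
```

Run stand-alone it speaks the extauth protocol on stdin/stdout with the real password_grant; run_commands lets you exercise the framing and domain lookup offline by passing a stub grant function instead of contacting an IdP.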