Wekan

image0

Presentation

Wekan is an open-source Kanban, similar to trello.

See the official Wekan website for a complete presentation.

It feature an oauth2 login feature that work with LemonLDAP::NG

Configuring Wekan

Wekan is mostly configured with environement variables, you need to set theses :

  • OAUTH2_ENABLED: TRUE
  • OAUTH2_CLIENT_ID: ClientID
  • OAUTH2_SECRET: Secret
  • OAUTH2_SERVER_URL: https://auth.example.com/
  • OAUTH2_AUTH_ENDPOINT: oauth2/authorize
  • OAUTH2_USERINFO_ENDPOINT: oauth2/userinfo
  • OAUTH2_TOKEN_ENDPOINT: oauth2/token
  • OAUTH2_ID_MAP: sub
  • OAUTH2_USERNAME_MAP: sub
  • OAUTH2_FULLNAME_MAP: name
  • OAUTH2_EMAIL_MAP: email
  • OAUTH2_REQUEST_PERMISSIONS: openid profile email

Danger

Be careful to the / in server_url and endpoints, the complete URL need to be valid, ie auth.example.com/ for url & oauth2/xxx for endpoints, OR, auth.example.com & /oauth2/xxx for endpoints.

Configuring LemonLDAP

We now have to configure LemonLDAP::NG to recognize Wekan as a valid OAuth2 relaying party and send it the information it needs to recognize a user.

Add a new OpenID Connect relaying party with the following parameters:

  • Client ID: the same you set in Wekan configuration (same as OAUTH2_CLIENT_ID)
  • Client Secret: the same you set in Wekan configuration (same as OAUTH2_SECRET)
  • Add the following exported attributes
    • name: session attribute containing the user’s full name
    • email: session attribute containing the user’s email or _singleMail

_singleMail Macro

Danger

OIDC login fails when an user as a multi-valued email attribute, this need to be fixed on wekan’s side, we can bypass that by telling lemonldap to only send one email

Create a new macro, name it (_singleMail is an example), the macro should contain (split(/; /,$mail))[1]