Getting Group-Office to provide OAuth to Bookstack - got it working, but had to hack it

[awnz]

Hi, is anyone else authenticating external services to Group-Office using its OAuth server feature?

I just had a play with it, and getting Bookstack to work with it required modifying code on both sides - but it's more-or-less working for authentication (account creation not tested yet, I'm not ready for that yet).

But it feels that what I had to do to get it working was a bit hacky. I'm not sure if I found a bug in Group-Office or not, is there anyone who is more familiar with OAuth/OpenID able to check?

In Bookstack, I had to modyfy app/Auth/Access/Oidc/OidcOAuthProvider.php, in order for Group-Office to talk to it as Group-Office doesn't provide the 'Profile' scope:

# /var/www/bookstack/app/Auth/Access/Oidc/OidcOAuthProvider.php
# Required for GroupOffice to accept OAuth scope. Change line 65 from:
return ['openid'], 'profile', 'email'];

# ... to:
return ['openid', 'email'];

And in Group-Office I had to modify how it constructs .well-known/openid-configuration so that issuer matched the iss response it delivered in the authorization tokens (otherwise Bookstack would reject it as not matching):

# /usr/share/groupoffice/api/oauth.php
# Change to Line 290. Change:
'issuer' => $goUrl,

# ... to:
'issuer' => $endpointBase,

• The above is not compliant with the OpenID spec but I don't thin the current behaviour is either, where issuer in openid-configuration and iss in the issued tokens are supposed to match (presently they don't, iss also appears to return the value as $endpointBase, being the full URL to /groupoffice/api/oauth.php - BookStack rejects this).
  It would be better to fix the token's 'iss' value but I haven't found where that's set, can anyone shed some light on that?

With that done, it worked. I set the following in BookStack's .env configuration file:

# This allows Bookstack to be added as a module-style bookmark in Group-Office
ALLOWED_IFRAME_HOSTS="https://groupoffice.my.domain"

#This is the OpenID config
AUTH_METHOD=oidc
AUTH_AUTO_INITIATE=true # makes it seamless

# credetials for connecting to the Group-Office OAuth service
OIDC_ISSUER=https://groupoffice.my.domain/groupoffice/api/oauth.php
OIDC_CLIENT_ID=bookstack
OIDC_CLIENT_SECRET=something_long_and_strong
OIDC_ISSUER_DISCOVER=true

So yeah it works, but it doesn't feel quite right. Interested to hear other people's efforts with having Group-Office provide OAuth to other services!

[mschering]

Hi,

Thanks for sharing this. You were right about the issuer url. Ive changed it to match. It will use https://example.com without any paths and consistent now.
I've also added the 'profile' scope. The profile URL currently just leads to GO though. I haven't tested it with bookstack. I hope it will work out of the box now.

Best regards,
Merijn

[mschering]

PS: Next 6.8.18 will have the fix.

[awnz]

Cheers 🙂

[awnz]

Fixes both work - thanks 🙂

It does now however require the following in /etc/apache2/conf-enabled/groupoffice.conf for OIDC discovery to work:

<VirtualHost *:80>
        RewriteEngine on
        RewriteRule "^/\.well-known/openid-configuration"  "/groupoffice/api/oauth.php/.well-known/openid-configuration" [PT]
</VirtualHost>

This is now with BookStack's .env configuration file having OIDC_ISSUER=https://groupoffice.my.domain/ instead of OIDC_ISSUER=https://groupoffice.my.domain/groupoffice/api/oauth.php as needed to work with the fix.

Cheers,

Andrew

edit: added 2nd half of message

[mschering]

Thanks! I'll add that alias by default for docker and debian. I'll also add it to the docs.

[awnz]

Thanks. I can also report success with authenticating Nextcloud to Group-Office using their Social Login plugin's oauth2 configuration 😃