OAuth

Since CE version 6.2.3, Seafile supports user login via OAuth.

Before using OAuth, Seafile administrator should first register an OAuth2 client application on your authorization server, then add some configurations to seahub_settings.py.

And don’t forget install thirdparty requirement.

  1. sudo pip install requests_oauthlib

Register an OAuth2 client application

Here we use Github as an example. First you should register an OAuth2 client application on Github, official document from Github is very detailed.

Configuration

Add the folllowing configurations to seahub_settings.py:

  1. ENABLE_OAUTH = True
  3. # Usually OAuth works through SSL layer. If your server is not parametrized to allow HTTPS, some method will raise an "oauthlib.oauth2.rfc6749.errors.InsecureTransportError". Set this to `True` to avoid this error.
  4. OAUTH_ENABLE_INSECURE_TRANSPORT = True
  6. # Client id/secret generated by authorization server when you register your client application.
  7. OAUTH_CLIENT_ID = "your-client-id"
  8. OAUTH_CLIENT_SECRET = "your-client-secret"
  10. # Callback url when user authentication succeeded. Note, the redirect url you input when you register your client application MUST be exactly the same as this value.
  11. OAUTH_REDIRECT_URL = 'http{s}://your-domain.com/oauth/callback/'
  13. # The following should NOT be changed if you are using Github as OAuth provider.
  14. OAUTH_PROVIDER_DOMAIN = 'github.com'
  15. OAUTH_AUTHORIZATION_URL = 'https://github.com/login/oauth/authorize'
  16. OAUTH_TOKEN_URL = 'https://github.com/login/oauth/access_token'
  17. OAUTH_USER_INFO_URL = 'https://api.github.com/user'
  18. OAUTH_SCOPE = ["user",]
  19. OAUTH_ATTRIBUTE_MAP = {
  20.     "id": (True, "email"),
  21.     "name": (False, "name"),
  22.     "email": (False, "contact_email"),
  23. }
Sample settings for Google:
  1. ENABLE_OAUTH = True
  2. OAUTH_ENABLE_INSECURE_TRANSPORT = True
  4. OAUTH_CLIENT_ID = "your-client-id"
  5. OAUTH_CLIENT_SECRET = "your-client-secret"
  6. OAUTH_REDIRECT_URL = 'http{s}://your-domain.com/oauth/callback/'
  8. # The following shoud NOT be changed if you are using Google as OAuth provider.
  9. OAUTH_PROVIDER_DOMAIN = 'google.com'
  10. OAUTH_AUTHORIZATION_URL = 'https://accounts.google.com/o/oauth2/v2/auth'
  11. OAUTH_TOKEN_URL = 'https://www.googleapis.com/oauth2/v4/token'
  12. OAUTH_USER_INFO_URL = 'https://www.googleapis.com/oauth2/v1/userinfo'
  13. OAUTH_SCOPE = [
  14.     "https://www.googleapis.com/auth/userinfo.email",
  15. ]
  16. OAUTH_ATTRIBUTE_MAP = {
  17.     "id": (True, "email"),
  18.     "name": (False, "name"),
  19.     "email": (False, "contact_email"),
  20. }

For some system, like Github, email is not the unique identifier for an user, but id is in most cases, so we use id as settings example in our manual. As Seafile uses email to identify an unique user account for now, so we combine id and OAUTH_PROVIDER_DOMAIN, which is google.com in your case, to an email format string and then create this account if not exist. If you want to use email info from Google, just change the setting as followings:

  1. ENABLE_OAUTH = True
  2. OAUTH_ENABLE_INSECURE_TRANSPORT = True
  4. OAUTH_CLIENT_ID = "your-client-id"
  5. OAUTH_CLIENT_SECRET = "your-client-secret"
  6. OAUTH_REDIRECT_URL = 'http{s}://your-domain.com/oauth/callback/'
  8. # The following shoud NOT be changed if you are using Google as OAuth provider.
  9. OAUTH_PROVIDER_DOMAIN = 'google.com'
  10. OAUTH_AUTHORIZATION_URL = 'https://accounts.google.com/o/oauth2/v2/auth'
  11. OAUTH_TOKEN_URL = 'https://www.googleapis.com/oauth2/v4/token'
  12. OAUTH_USER_INFO_URL = 'https://www.googleapis.com/oauth2/v1/userinfo'
  13. OAUTH_SCOPE = [
  14.     "https://www.googleapis.com/auth/userinfo.email",
  15. ]
  16. OAUTH_ATTRIBUTE_MAP = {
  17.     "email": (True, "email"),
  18.     "name": (False, "name"),
  19. }

To enable OAuth via GitLab. Create an application in GitLab (under Admin area->Applications).

Fill in required fields:

  • Name: a name you specify
  • Redirect URI: The callback url see below OAUTH_REDIRECT_URL
  • Trusted: Skip confirmation dialog page. Select this to not ask the user if he wants to authorize seafile to receive access to his/her account data.
  • Scopes: Select openid and read_user in the scopes list.

Press submit and copy the client id and secret you receive on the confirmation page and use them in this template for your seahub_settings.py:

  1. ENABLE_OAUTH = True
  2. OAUTH_CLIENT_ID = "your-client-id"
  3. OAUTH_CLIENT_SECRET = "your-client-secret"
  4. OAUTH_REDIRECT_URL = "https://your-seafile/oauth/callback/"
  6. OAUTH_PROVIDER_DOMAIN = 'your-domain'
  7. OAUTH_AUTHORIZATION_URL = 'https://gitlab.your-domain/oauth/authorize'
  8. OAUTH_TOKEN_URL = 'https://gitlab.your-domain/oauth/token'
  9. OAUTH_USER_INFO_URL = 'https://gitlab.your-domain/api/v4/user'
  10. OAUTH_SCOPE = ["openid", "read_user"]
  11. OAUTH_ATTRIBUTE_MAP = {
  12.     "email": (True, "email"),
  13.     "name": (False, "name")
  14. }