Commit 399be27

Document OAuth groupClaimName and roleMapping env variables (#256)
document OAuth `groupClaimName` and `roleMapping`
1 parent 9fb245e commit 399be27

File tree

1 file changed

+32
-19
lines changed


content/configuration/auth-sso.md

+32-19
@@ -34,28 +34,41 @@ The default Directus email/password authentication flow. No additional configura
3434

3535
## OAuth 2.0
3636

37-
| Variable | Description | Default Value |
38-
| ------------------------------------------- | --------------------------------------------------------------------------------------------------------- | ---------------- |
39-
| `AUTH_<PROVIDER>_CLIENT_ID` | Client identifier for the OAuth provider. | |
40-
| `AUTH_<PROVIDER>_CLIENT_SECRET` | Client secret for the OAuth provider. | |
41-
| `AUTH_<PROVIDER>_SCOPE` | A white-space separated list of permissions to request. | `email` |
42-
| `AUTH_<PROVIDER>_AUTHORIZE_URL` | Authorization page URL of the OAuth provider. | |
43-
| `AUTH_<PROVIDER>_ACCESS_URL` | Access token URL of the OAuth provider. | |
44-
| `AUTH_<PROVIDER>_PROFILE_URL` | User profile URL of the OAuth provider. | |
45-
| `AUTH_<PROVIDER>_IDENTIFIER_KEY` | User profile identifier key <sup>[1]</sup>. Will default to `EMAIL_KEY`. | |
46-
| `AUTH_<PROVIDER>_EMAIL_KEY` | User profile email key. | `email` |
47-
| `AUTH_<PROVIDER>_FIRST_NAME_KEY` | User profile first name key. | |
48-
| `AUTH_<PROVIDER>_LAST_NAME_KEY` | User profile last name key. | |
49-
| `AUTH_<PROVIDER>_ALLOW_PUBLIC_REGISTRATION` | Automatically create accounts for authenticating users. | `false` |
50-
| `AUTH_<PROVIDER>_DEFAULT_ROLE_ID` | A Directus role ID to assign created users. | |
51-
| `AUTH_<PROVIDER>_SYNC_USER_INFO` | Set user's first name, last name and email from provider's user info on each login. | `false` |
52-
| `AUTH_<PROVIDER>_ICON` | SVG icon to display with the login link. Can be a Material Icon or Font Awesome Social Icon. | `account_circle` |
53-
| `AUTH_<PROVIDER>_LABEL` | Text to be presented on SSO button within the Data Studio. | `<PROVIDER>` |
54-
| `AUTH_<PROVIDER>_PARAMS` | Custom query parameters applied to the authorization URL. | |
55-
| `AUTH_<PROVIDER>_REDIRECT_ALLOW_LIST` | A comma-separated list of external URLs (including paths) allowed for redirecting after successful login. | |
37+
| Variable | Description | Default Value |
38+
| ------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ---------------- |
39+
| `AUTH_<PROVIDER>_CLIENT_ID` | Client identifier for the OAuth provider. | |
40+
| `AUTH_<PROVIDER>_CLIENT_SECRET` | Client secret for the OAuth provider. | |
41+
| `AUTH_<PROVIDER>_SCOPE` | A white-space separated list of permissions to request. | `email` |
42+
| `AUTH_<PROVIDER>_AUTHORIZE_URL` | Authorization page URL of the OAuth provider. | |
43+
| `AUTH_<PROVIDER>_ACCESS_URL` | Access token URL of the OAuth provider. | |
44+
| `AUTH_<PROVIDER>_PROFILE_URL` | User profile URL of the OAuth provider. | |
45+
| `AUTH_<PROVIDER>_IDENTIFIER_KEY` | User profile identifier key <sup>[1]</sup>. Will default to `EMAIL_KEY`. | |
46+
| `AUTH_<PROVIDER>_EMAIL_KEY` | User profile email key. | `email` |
47+
| `AUTH_<PROVIDER>_FIRST_NAME_KEY` | User profile first name key. | |
48+
| `AUTH_<PROVIDER>_LAST_NAME_KEY` | User profile last name key. | |
49+
| `AUTH_<PROVIDER>_ALLOW_PUBLIC_REGISTRATION` | Automatically create accounts for authenticating users. | `false` |
50+
| `AUTH_<PROVIDER>_DEFAULT_ROLE_ID` | A Directus role ID to assign created users. | |
51+
| `AUTH_<PROVIDER>_SYNC_USER_INFO` | Set user's first name, last name and email from provider's user info on each login. | `false` |
52+
| `AUTH_<PROVIDER>_ICON` | SVG icon to display with the login link. Can be a Material Icon or Font Awesome Social Icon. | `account_circle` |
53+
| `AUTH_<PROVIDER>_LABEL` | Text to be presented on SSO button within the Data Studio. | `<PROVIDER>` |
54+
| `AUTH_<PROVIDER>_PARAMS` | Custom query parameters applied to the authorization URL. | |
55+
| `AUTH_<PROVIDER>_REDIRECT_ALLOW_LIST` | A comma-separated list of external URLs (including paths) allowed for redirecting after successful login. | |
56+
| `AUTH_<PROVIDER>_ROLE_MAPPING` | A JSON object in the form of `{ "openid_group_name": "directus_role_id" }` that you can use to map OAuth claim groups to Directus roles <sup>[2]</sup>. If not specified, falls back to `AUTH_<PROVIDER>_DEFAULT_ROLE_ID` URL. | |
57+
| `AUTH_<PROVIDER>_GROUP_CLAIM_NAME` | The name of the OAuth claim that contains your user's groups. | `groups` |
5658

5759
<sup>[1]</sup> When authenticating, Directus will match the identifier value from the external user profile to a Directus users "External Identifier".
5860

61+
<sup>[2]</sup> As Directus only allows one role per user, evaluating stops after the first match. An OAuth user that is member of both e.g. developer and admin groups may be assigned different roles depending on the order that you specify your role-mapping in: In the following example said OAuth user will be assigned the role `directus_developer_role_id`
62+
63+
```
64+
AUTH_<PROVIDER>_ROLE_MAPPING: json:{ "developer": "directus_developer_role_id", "admin": "directus_admin_role_id" }"
65+
```
66+
67+
Whereas in the following example the OAuth user will be assigned the role `directus_admin_role_id`:
68+
69+
```
70+
AUTH_<PROVIDER>_ROLE_MAPPING: json:{ "admin": "directus_admin_role_id", "developer": "directus_developer_role_id" }"
71+
```
5972
## OpenID
6073

6174
OpenID is an authentication protocol built on OAuth 2.0, and should be preferred over standard OAuth 2.0 where possible.
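Review bot: both fenced `AUTH_<PROVIDER>_ROLE_MAPPING` examples in footnote [2] end with a stray `"` after the closing `}`, so copying them verbatim gives the `json:` cast an unparseable value; drop the trailing quote, e.g. `AUTH_<PROVIDER>_ROLE_MAPPING: json:{ "developer": "directus_developer_role_id", "admin": "directus_admin_role_id" }`. In the new `AUTH_<PROVIDER>_ROLE_MAPPING` table row, "falls back to `AUTH_<PROVIDER>_DEFAULT_ROLE_ID` URL" should read "falls back to `AUTH_<PROVIDER>_DEFAULT_ROLE_ID`", since that variable holds a role ID, not a URL. Footnote [2] itself should say "evaluation stops after the first match" rather than "evaluating stops", and the sentence introducing the first example should end with a colon. Because the mapping order decides which role a multi-group user receives, it would also help operators if the footnote stated explicitly what happens when none of a user's groups match any mapping key (whether `AUTH_<PROVIDER>_DEFAULT_ROLE_ID` applies or the login is refused), as that determines the privilege an account with an unexpected group claim ends up with.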
