From ccf00b7d0652e5d6ea53dc785f2f32e6679a8729 Mon Sep 17 00:00:00 2001 From: Daniel-Hillenbrand <158460857+Daniel-Hillenbrand@users.noreply.github.com> Date: Tue, 15 Oct 2024 10:45:24 +0200 Subject: [PATCH] add annotation about using own IDP, CA and Docker (#6454) --- .../docs/meshcentral/openidConnectStrategy.md | 19 ++++++++++++++++++- 1 file changed, 18 insertions(+), 1 deletion(-) diff --git a/docs/docs/meshcentral/openidConnectStrategy.md b/docs/docs/meshcentral/openidConnectStrategy.md index df79bd84..4b6e4911 100644 --- a/docs/docs/meshcentral/openidConnectStrategy.md +++ b/docs/docs/meshcentral/openidConnectStrategy.md @@ -32,6 +32,23 @@ OpenID Connect allows clients of all types, including Web-based, mobile, and Jav That description was straight from [OpenID Connect Documentation](https://openid.net/connect/), but basically, OAuth2 is the foundation upon which OpenID Connect was built, allowing for wide ranging compatability and interconnection. OpenID Connect appends the secure user *authentication* OAuth2 is known for, with user *authorization* by allowing the request of additional *scopes* that provide additional *claims* or access to API's in an easily expandable way. +### Annotations + +#### Own IDP, CA and Docker + +If you operate your own identity provider, your own certification authority and MeshCentral via Docker, it is necessary to provide the complete certificate chain, otherwise NodeJS (in particular the openid-client module) will refuse the connection to the IDP server. + +The following errors can be found in the log file: +> OIDC: Discovery failed. + +> UNABLE_TO_GET_ISSUER_CERT_LOCALLY + +To solve this problem, the certificate chain in PEM format must be placed in the data directory and the following entry must be added to the docker-compose.yml file in the “environment” section: +``` + environment: + - NODE_EXTRA_CA_CERTS=/opt/meshcentral/meshcentral-data/chain.pem +``` + ## Basic Config ### *Introduction* 
@@ -651,4 +668,4 @@ https://github.com/panva/node-openid-client https://openid.net/connect/ -> You just read `openidConnectStrategy.ms v1.0.1` by [@mstrhakr](https://github.com/mstrhakr) \ No newline at end of file +> You just read `openidConnectStrategy.ms v1.0.1` by [@mstrhakr](https://github.com/mstrhakr)
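Review bot: In the first hunk (the new "Own IDP, CA and Docker" section), "certification authority" should read "certificate authority", "NodeJS" should be "Node.js", and the heading would be clearer as "Self-hosted IdP with a private CA under Docker". The docker-compose fence should be tagged as yaml, and the smart quotes around “environment” should be plain quotes or backticks, since readers copy these strings. It would also help to say what chain.pem must contain (the private CA's root certificate plus any intermediates, PEM-encoded, concatenated) and that `/opt/meshcentral/meshcentral-data/chain.pem` is the path as seen inside the container, i.e. the mount of the data directory, because `NODE_EXTRA_CA_CERTS` is read by the Node.js process at startup and a host-side path will still produce `UNABLE_TO_GET_ISSUER_CERT_LOCALLY`; a one-line reminder that the container must be restarted after changing the environment entry would round this out.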