From 0851a1c94dd093e2a94e12ff97b675a0872800a6 Mon Sep 17 00:00:00 2001 From: Matthias Mair Date: Wed, 8 Sep 2021 01:04:06 +0200 Subject: [PATCH 01/11] layout --- docs/start/config.md | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/docs/start/config.md b/docs/start/config.md index 65d669d..db66ce2 100644 --- a/docs/start/config.md +++ b/docs/start/config.md @@ -122,12 +122,20 @@ By default, uploaded media files are stored in the local directory `/home/invent Alternatively this location can be specified with the `INVENTREE_MEDIA_ROOT` environment variable. -## Other Options +## Authentication + +### Single Sign on + + +### Login Options + ### Authentication Backends Custom authentication backends can be used by specifying them here +## Other Options + ### Middleware Custom middleware layers can specified here. \ No newline at end of file From 0b8211714f454f27a420ec275921d8c2cd81d66b Mon Sep 17 00:00:00 2001 From: Matthias Mair Date: Wed, 8 Sep 2021 08:01:37 +0200 Subject: [PATCH 02/11] login options --- docs/start/config.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/docs/start/config.md b/docs/start/config.md index db66ce2..4d38888 100644 --- a/docs/start/config.md +++ b/docs/start/config.md @@ -129,6 +129,11 @@ Alternatively this location can be specified with the `INVENTREE_MEDIA_ROOT` env ### Login Options +The login-experience can be altered with the following settings: +| Environment Variable | Settings File | Description | Default | +| --- | --- | --- | --- | +| INVENTREE_LOGIN_CONFIRM_DAYS | login_confirm_days | Duration for which confirmation links are valid | 3 | +| INVENTREE_LOGIN_ATTEMPTS | login_attempts | Count of allowed login attempts before blocking user | 5 | ### Authentication Backends From fbf4a50b6f5d48b605a79a44b5adc1eebcc1e763 Mon Sep 17 00:00:00 2001 
From: Matthias Mair Date: Wed, 8 Sep 2021 08:03:42 +0200 Subject: [PATCH 03/11] why auth backends? --- docs/start/config.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/start/config.md b/docs/start/config.md index 4d38888..a09d978 100644 --- a/docs/start/config.md +++ b/docs/start/config.md @@ -137,7 +137,7 @@ The login-experience can be altered with the following settings: ### Authentication Backends -Custom authentication backends can be used by specifying them here +Custom authentication backends can be used by specifying them here. These can for exampe be used to ad LDAP / AD login to InvenTree ## Other Options From e1ecc5983e22dffdc3cd305013c7d64c6dc4c867 Mon Sep 17 00:00:00 2001 From: Matthias Mair Date: Wed, 8 Sep 2021 08:04:02 +0200 Subject: [PATCH 04/11] link to auth-ldap --- docs/start/config.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/start/config.md b/docs/start/config.md index a09d978..c819c44 100644 --- a/docs/start/config.md +++ b/docs/start/config.md @@ -137,7 +137,7 @@ The login-experience can be altered with the following settings: ### Authentication Backends -Custom authentication backends can be used by specifying them here. These can for exampe be used to ad LDAP / AD login to InvenTree +Custom authentication backends can be used by specifying them here. These can for exampel be used to add [LDAP / AD login](https://django-auth-ldap.readthedocs.io/en/latest/) to InvenTree ## Other Options From 11f2bde3b7cfb53ab3bf866bc9e98abf612f7478 Mon Sep 17 00:00:00 2001 From: Matthias Mair Date: Wed, 8 Sep 2021 08:04:35 +0200 Subject: [PATCH 05/11] SSO confg values --- docs/start/config.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/docs/start/config.md b/docs/start/config.md index c819c44..abab321 100644 --- a/docs/start/config.md +++ b/docs/start/config.md 
@@ -126,6 +126,10 @@ Alternatively this location can be specified with the `INVENTREE_MEDIA_ROOT` env ### Single Sign on +SSO backends for all wanted providers need to be added to the config file as a list under the key `social_backends`. The correct backend-name can be found in django-allauths [configuration documentation](https://django-allauth.readthedocs.io/en/latest/installation.html#django). + +If the selected providers need additional settings they must be added as dicts under the key `social_providers`. The correct settings can be found in the django-allauths [provider documentation](https://django-allauth.readthedocs.io/en/latest/providers.html). + ### Login Options From 738add06bdab01da7c0d7cb941a53e0984b3152c Mon Sep 17 00:00:00 2001 From: Matthias Mair Date: Wed, 8 Sep 2021 09:43:54 +0200 Subject: [PATCH 06/11] adding in settings page --- docs/admin/settings.md | 13 +++++++++++++ mkdocs.yml | 1 + 2 files changed, 14 insertions(+) create mode 100644 docs/admin/settings.md diff --git a/docs/admin/settings.md b/docs/admin/settings.md new file mode 100644 index 0000000..9e78648 --- /dev/null +++ b/docs/admin/settings.md @@ -0,0 +1,13 @@ +--- +title: InvenTree Admin Settings +--- + +## Admin Settings + +InvenTree ships with a lot of dynmaic settings. While [config file settings](../start/config.md) require access to the webserver on which InvenTree is hosted these can be changed by all admins of the server. + +### User Settings + +Change how InvenTree apears to the individual user and configure login and user data. + +### Global Settings diff --git a/mkdocs.yml b/mkdocs.yml index 7f64268..8a87798 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -95,6 +95,7 @@ nav: - Context Variables: report/context_variables.md - Admin: - Admin Interface: admin/admin.md + - Settings: admin/settings.md - User Permissions: admin/permissions.md - Export Data: admin/export.md - Import Data: admin/import.md From 088074507886275920924821070f1094bc477608 Mon Sep 17 00:00:00 2001 
From: Matthias Mair Date: Wed, 8 Sep 2021 09:44:26 +0200 Subject: [PATCH 07/11] sso dynmaic settings --- docs/admin/settings.md | 18 ++++++++++++++++++ docs/start/config.md | 3 +++ 2 files changed, 21 insertions(+) diff --git a/docs/admin/settings.md b/docs/admin/settings.md index 9e78648..217146b 100644 --- a/docs/admin/settings.md +++ b/docs/admin/settings.md @@ -11,3 +11,21 @@ InvenTree ships with a lot of dynmaic settings. While [config file settings](../ Change how InvenTree apears to the individual user and configure login and user data. ### Global Settings + +#### Login Settings + +Change how logins, password-forgt, signups are handled. + +| Settings Name | Type | Description | Default | +| --- | --- | --- | --- | +| Enable registration | True/False | Enable self-registration for users on the login-pages | False | +| Enable SSO | True/False | Enable SSO on the login-pages | False | +| Enable password forgot | True/False | Enable password forgot function on the login-pages[^3] | True | +| E-Mail required | True/False | Require user to supply e-mail on signup[^1] | False | +| Mail twice | True/False | On signup ask users twice for their mail | False | +| Password twice | True/False | On signup ask users twice for their password | True | +| Auto-fill SSO users | True/False | Automatically fill out user-details from SSO account-data[^2] | True | + +[^1]: Without a way (e-mail) to contact the user notifications and security features might not work! +[^2]: If this feature is enabled the user is only asked for their username, first- and surname if those values can not be gathered from their SSO profile. This might lead to unwanted usernames bleading over. +[^3]: This will let users reset their passwords on their own. For this feature to work you need to configure E-mail diff --git a/docs/start/config.md b/docs/start/config.md index abab321..21e99b6 100644 --- a/docs/start/config.md +++ b/docs/start/config.md 
@@ -130,6 +130,9 @@ SSO backends for all wanted providers need to be added to the config file as a l If the selected providers need additional settings they must be added as dicts under the key `social_providers`. The correct settings can be found in the django-allauths [provider documentation](https://django-allauth.readthedocs.io/en/latest/providers.html). +!!! note "You are not done" + SSO still needs credentials for all providers and has to be enabled in the [settings](../admin/settings.md)! + ### Login Options From ea2fa644f23e8781bec66d681e2a99fb4bcd7be7 Mon Sep 17 00:00:00 2001 From: Matthias Mair Date: Wed, 8 Sep 2021 21:02:25 +0200 Subject: [PATCH 08/11] Inline comments --- docs/admin/settings.md | 10 +++------- 1 file changed, 3 insertions(+), 7 deletions(-) diff --git a/docs/admin/settings.md b/docs/admin/settings.md index 217146b..a3579f2 100644 --- a/docs/admin/settings.md +++ b/docs/admin/settings.md @@ -20,12 +20,8 @@ Change how logins, password-forgt, signups are handled. | --- | --- | --- | --- | | Enable registration | True/False | Enable self-registration for users on the login-pages | False | | Enable SSO | True/False | Enable SSO on the login-pages | False | -| Enable password forgot | True/False | Enable password forgot function on the login-pages[^3] | True | -| E-Mail required | True/False | Require user to supply e-mail on signup[^1] | False | +| Enable password forgot | True/False | Enable password forgot function on the login-pages.

This will let users reset their passwords on their own. For this feature to work you need to configure E-mail | True | +| E-Mail required | True/False | Require user to supply e-mail on signup.

Without a way (e-mail) to contact the user notifications and security features might not work! | False | | Mail twice | True/False | On signup ask users twice for their mail | False | | Password twice | True/False | On signup ask users twice for their password | True | -| Auto-fill SSO users | True/False | Automatically fill out user-details from SSO account-data[^2] | True | - -[^1]: Without a way (e-mail) to contact the user notifications and security features might not work! -[^2]: If this feature is enabled the user is only asked for their username, first- and surname if those values can not be gathered from their SSO profile. This might lead to unwanted usernames bleading over. -[^3]: This will let users reset their passwords on their own. For this feature to work you need to configure E-mail +| Auto-fill SSO users | True/False | Automatically fill out user-details from SSO account-data.

If this feature is enabled the user is only asked for their username, first- and surname if those values can not be gathered from their SSO profile. This might lead to unwanted usernames bleading over. | True | From 3ee9915dfee3102407255a63b9c9b02a2c2b171c Mon Sep 17 00:00:00 2001 From: Matthias Mair Date: Thu, 9 Sep 2021 07:42:36 +0200 Subject: [PATCH 09/11] overview document for sso --- docs/admin/SSO.md | 25 +++++++++++++++++++++++++ mkdocs.yml | 1 + 2 files changed, 26 insertions(+) create mode 100644 docs/admin/SSO.md diff --git a/docs/admin/SSO.md b/docs/admin/SSO.md new file mode 100644 index 0000000..e1353ed --- /dev/null +++ b/docs/admin/SSO.md @@ -0,0 +1,25 @@ +--- +title: InvenTree Single Sign On +--- + +## Single Sign On + +InvenTree provides the possibility to use 3rd party services to authenticate users. This functionality makes use of [django-allauth](https://django-allauth.readthedocs.io/en/latest/) and supports a wide array of OpenID and OAuth [provider](https://django-allauth.readthedocs.io/en/latest/providers.html). + +### Configuration + +To use SSO you have to: +1. Enable the needed providers in the [config file](../start/config.md#Single-Sign-on). +1. Add the required client configurations in the `SocialApp` app in the [admin interface](../admin/admin.md). +1. Enable SSO for the users in the [dynamic settings](../admin/settings.md). + +### Security Consideration + +You should use SSL for your website if you want to use this feature. Also set your callback-endpoints to `https://` addresses to reduce the risk of leaking user's tokens. + +Tokens for authenticating the users to the providers they registered with are saved in the database. +So ensure your database is protected and not open to the internet. +Make sure all users with admin privileges have sufficient passwords - they can read out your client configurations with providers and all auth-tokens from users. + +Never share your installs secret key! + 
diff --git a/mkdocs.yml b/mkdocs.yml index 8a87798..3498fb1 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -97,6 +97,7 @@ nav: - Admin Interface: admin/admin.md - Settings: admin/settings.md - User Permissions: admin/permissions.md + - Single Sign on: admin/SSO.md - Export Data: admin/export.md - Import Data: admin/import.md - Python Shell: admin/shell.md From e0bfccf6c3fe78a2a17ff05885b50155da552ab4 Mon Sep 17 00:00:00 2001 From: Matthias Mair Date: Thu, 7 Oct 2021 09:49:06 +0200 Subject: [PATCH 10/11] fixing typos --- docs/admin/settings.md | 6 +++--- docs/start/config.md | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/docs/admin/settings.md b/docs/admin/settings.md index a3579f2..ca845f8 100644 --- a/docs/admin/settings.md +++ b/docs/admin/settings.md @@ -4,17 +4,17 @@ title: InvenTree Admin Settings ## Admin Settings -InvenTree ships with a lot of dynmaic settings. While [config file settings](../start/config.md) require access to the webserver on which InvenTree is hosted these can be changed by all admins of the server. +InvenTree ships with a lot of dynamic settings. While [config file settings](../start/config.md) require access to the webserver on which InvenTree is hosted these can be changed by all admins of the server. ### User Settings -Change how InvenTree apears to the individual user and configure login and user data. +Change how InvenTree appears to the individual user and configure login and user data. ### Global Settings #### Login Settings -Change how logins, password-forgt, signups are handled. +Change how logins, password-forgot, signups are handled. | Settings Name | Type | Description | Default | | --- | --- | --- | --- | diff --git a/docs/start/config.md b/docs/start/config.md index 21e99b6..e2fce84 100644 --- a/docs/start/config.md +++ b/docs/start/config.md 
@@ -144,7 +144,7 @@ The login-experience can be altered with the following settings: ### Authentication Backends -Custom authentication backends can be used by specifying them here. These can for exampel be used to add [LDAP / AD login](https://django-auth-ldap.readthedocs.io/en/latest/) to InvenTree +Custom authentication backends can be used by specifying them here. These can for example be used to add [LDAP / AD login](https://django-auth-ldap.readthedocs.io/en/latest/) to InvenTree ## Other Options From 2f0093740e22568aaff224d3bd240be011a5af3b Mon Sep 17 00:00:00 2001 From: Matthias Mair Date: Thu, 7 Oct 2021 11:02:30 +0200 Subject: [PATCH 11/11] fix table --- docs/start/config.md | 1 + 1 file changed, 1 insertion(+) diff --git a/docs/start/config.md b/docs/start/config.md index e2fce84..f7a1c5b 100644 --- a/docs/start/config.md +++ b/docs/start/config.md @@ -137,6 +137,7 @@ If the selected providers need additional settings they must be added as dicts u ### Login Options The login-experience can be altered with the following settings: + | Environment Variable | Settings File | Description | Default | | --- | --- | --- | --- | | INVENTREE_LOGIN_CONFIRM_DAYS | login_confirm_days | Duration for which confirmation links are valid | 3 |
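Review bot: the `### Single Sign on` and `### Login Options` headings added in the config.md hunk of PATCH 01/11 are empty, so the rendered page shows two bare headings under `## Authentication` until patches 02 and 05 fill them; either land the content in the same commit or squash those patches into this one. Also settle the heading capitalization now (`Single Sign On` vs `Single Sign on`), because MkDocs derives the page anchor from the heading text and later links depend on it.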
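Review bot: in PATCH 02/11 the table follows `The login-experience can be altered with the following settings:` with no blank line, so Python-Markdown will not render it as a table (PATCH 11/11 adds the blank line; squash that fix here). The description `Count of allowed login attempts before blocking user` for `INVENTREE_LOGIN_ATTEMPTS` should also say what is blocked (the user account, the source address, or both) and how and when the block is lifted, since an operator tuning the default of 5 needs to know whether a burst of failed attempts can lock a legitimate user out. Likewise `Duration for which confirmation links are valid` should name which links (e-mail address confirmation) `INVENTREE_LOGIN_CONFIRM_DAYS` governs.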
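Review bot: the replacement line in PATCH 03/11 has two typos (`exampe`, `ad`) and no closing period; PATCH 04/11 and PATCH 10/11 each rewrite the same line again, so the three commits should be squashed into one that lands the final wording.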
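Review bot: in PATCH 04/11 `exampel` is still misspelled (corrected only in PATCH 10/11), and `Custom authentication backends can be used by specifying them here` never says where `here` is: name the config file key (and environment variable, if one exists) that takes the backend list, and show one example entry for the linked django-auth-ldap backend, otherwise the reader cannot act on the link.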
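Review bot: the two paragraphs added in PATCH 05/11 name the keys `social_backends` and `social_providers` but give no example of the YAML shape (a list of backend names under the first, one dict per provider under the second); a short config snippet would prevent mis-nesting, which otherwise fails silently as "no providers shown on the login page". Minor: `django-allauths` should read `django-allauth's` in both sentences.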
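Review bot: in the settings.md hunk of PATCH 06/11, `dynmaic` and `apears` are typos (PATCH 10/11 corrects them; squash), and `### Global Settings` is added as an empty heading. The intro sentence `While [config file settings] require access to the webserver ... these can be changed by all admins of the server` should make the privilege point explicit: config file settings need access to the host, whereas the dynamic settings (including the registration and SSO switches that PATCH 07/11 adds) are changeable by any account with admin rights in the web UI, so admin rights should be granted with that in mind.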
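Review bot: in the settings.md hunk of PATCH 07/11, `password-forgt` and `bleading` are typos; PATCH 10/11 fixes the first, but `bleading` (should be `bleeding`) survives to the end of the series. Footnote `[^2]` describes a real consequence of `Auto-fill SSO users` (provider-supplied usernames copied into InvenTree) for a setting that defaults to `True`; put into the row description which fields are taken from the provider so an admin can judge the default. Footnote `[^3]` says e-mail must be configured for password reset but does not say where; link the e-mail configuration section.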
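Review bot: the `!!! note "You are not done"` admonition added to config.md in PATCH 07/11 says SSO `still needs credentials for all providers` but links only to the dynamic settings page; the credentials actually go into the `SocialApp` entries in the admin interface, as step 2 of the configuration list in PATCH 09/11 states, so link that page from the note as well.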
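Review bot: PATCH 08/11 moves the footnote text inline but puts a blank line inside each affected cell (`...on the login-pages.`, an empty line, then `This will let users reset their passwords...`). A blank line terminates a Markdown table, so every row from `Enable password forgot` onward renders as plain text and the `| True |` / `| False |` defaults fall out of the table. Use `<br>` inside the cell or keep each description on a single line.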
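Review bot: in the SSO.md hunk of PATCH 09/11, the link `../start/config.md#Single-Sign-on` uses a mixed-case fragment; MkDocs generates lowercase slugs (`#single-sign-on`), so the anchor will not resolve. In `### Security Consideration`, the advice follows from what the page states and should be completed: since provider client configurations and user tokens are `saved in the database` and readable by every admin, say that database backups and dumps carry them too and must be protected the same way. Wording: `provider` should be `providers`, `sufficient passwords` should be `strong passwords`, `installs secret key` should be `install's secret key`, and the trailing `+ ` line adds a whitespace-only line at the end of the file.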
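Review bot: the typo pass in PATCH 10/11 should be squashed into the commits that introduced the lines (PATCH 03/04 for `exampel`, PATCH 06/07 for `dynmaic`, `apears`, `password-forgt`) rather than kept as a separate commit; it also misses `bleading` in the `Auto-fill SSO users` row and `django-allauths` in config.md.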
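Review bot: the blank line added in PATCH 11/11 is the right fix for the `### Login Options` table that PATCH 02/11 introduced; squash it into that commit so no intermediate commit ships a page with a broken table.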