Skip to content

Commit

Permalink
DOCS-3050: Add fusionauth instructions
Browse files Browse the repository at this point in the history
  • Loading branch information
@npentrel
npentrel committed Jan 22, 2025
1 parent 0e7bee7 commit 697513c
Show file tree
Hide file tree
Showing 2 changed files with 153 additions and 4 deletions.
26 changes: 22 additions & 4 deletions docs/dev/tools/cli.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -1061,6 +1061,14 @@ viam organizations list
viam organizations api-key create --org-id=<org-id> [--name=<key-name>]
viam organizations support-email [get|set] --org-id=<org-id> --support-email=<support-email>
viam organizations logo set --org-id=<org-id> --logo-path=<logo-path>
viam organization auth-service [enable|disable] --org-id=<org-id>
viam organization auth-service oauth-app [create|update] --client-authentication [required|] \
--client-name <client-name> --enabled-grants [password|TODO] \
--logout-uri "https://logoipsum.com" --origin-uris https://logoipsum.com \
--pkce [not_required|TODO] --redirect-uris https://logoipsum.com/callback \
--url-validation [allow_wildcards] --org-id <org-id>
viam organization auth-service oauth-app [list] --org-id=<org-id>
viam organization auth-service oauth-app [read|delete] --org-id=<org-id> --client-id <client-id>
```

Examples:
Expand All @@ -1086,21 +1094,31 @@ See [create an organization API key](#create-an-organization-api-key) for more i
| `support-email set` | Set the support email for an organization. | - |
| `logo set` | Upload the logo for an organization from a local file. | - |
| `billing-service get-config` | Get the billing service config for an organization. | - |
| `billing-service enable` | Enable the billing service for an organization. | - |
| `billing-service update` | Update the billing service update for an organization. | - |
| `billing-service disable` | Disable the billing service for an organization. | - |
| `billing-service` | Enable, update, or disable the billing service for an organization. | `enable`, `update`, `disable` |
| `auth-service` | Enable or disable auth-service for OAuth applications. Disabling the auth-service does not delete your OAuth token, it will just take off the custom branding. | `enable`, `disable` |
| `auth-service oauth-app` | List, create, update, read, or delete OAuth applications. | `create`, `update`, `list`, `read`, `delete` |
| `--help` | Return help | - |

##### Named arguments

<!-- prettier-ignore -->
| Argument | Description | Applicable commands | Required? |
| -------- | ----------- | ------------------- | --------- |
| `--org-id` | The organization to perform the command on. | `api-key`, `support-email get`, `support-email set`, `logo set`, `billing-service get-config`, `billing-service enable`, `billing-service update`, `billing-service disable`. | **Required** |
| `--org-id` | The organization to perform the command on. | `api-key`, `support-email get`, `support-email set`, `logo set`, `billing-service get-config`, `billing-service enable`, `billing-service update`, `billing-service disable`, `auth-service enable`, `auth-service disable`, `auth-service oauth-app create`, `auth-service oauth-app update` `auth-service oauth-app list`, `auth-service oauth-app read`, `auth-service oauth-app delete`. | **Required** |
| `--name` | The optional name for the organization API key. If omitted, a name will be auto-generated based on your login info and the current time |`api-key` | Optional |
| `--support-email` | The support email to set for the organization. | `support-email get`, `support-email set` | **Required** |
| `--logo-path` | The support email to set for the organization. | `logo set` | **Required** |
| `--address` | The stringified billing address that follows the pattern: line1, line2 (optional), city, state, zipcode. | `billing-service enable`, `billing-service update` | **Required** |
| `--client-id` | The client ID of the OAuth application. | `auth-service oauth-app read`, `auth-service oauth-app delete`, `auth-service oauth-app update` | **Required |
| `--client-authentication` | The client authentication policy for the OAuth application. Options: `unspecified`, `required`, `not_required`, `not_required_when_using_pkce`. Default: `unspecified`. | `auth-service oauth-app create`, `auth-service oauth-app update` | **Required** |
| `--client-name` | The name for the OAuth application. | `auth-service oauth-app create`, `auth-service oauth-app update`| **Required** |
| `--enabled-grants` | Comma-separated enabled grants for the OAuth application. Options: `unspecified`, `refresh_token`, `password`, `implicit`, `device_code`, `authorization_code`. | `auth-service oauth-app create`, `auth-service oauth-app update` | **Required** |
| `--logout-uri` | The logout uri for the OAuth application. | `auth-service oauth-app create`, `auth-service oauth-app update` | **Required** |
| `--org-id` | The organization ID that is tied to the OAuth application. | `auth-service oauth-app create`, `auth-service oauth-app update` | **Required** |
| `--origin-uris` | Comma-separated origin URIs for the OAuth application. | `auth-service oauth-app create`, `auth-service oauth-app update` | **Required** |
| `--pkce` | pkce for the OAuth application. Options: `unspecified`, `required`, `not_required`, `not_required_when_using_client_authentication`. Default: `unspecified`. | `auth-service oauth-app create`, `auth-service oauth-app update` | **Required** |
| `--redirect-uris` | Comma-separated redirect URIs for the OAuth application. | `auth-service oauth-app create`, `auth-service oauth-app update` | **Required** |
| `--url-validation` | URL validation for the OAuth application. Options: `unspecified`, `exact_match`, `allow_wildcards`. Default: `unspecified`. | `auth-service oauth-app create`, `auth-service oauth-app update` | **Required** |

### `packages`

Expand Down
131 changes: 131 additions & 0 deletions docs/operate/control/auth.md
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,131 @@
---
title: "Authenticate end users with OAuth"
linkTitle: "OAuth"
weight: 60
layout: "docs"
type: "docs"
description: "Create a branded login screen."
images: ["/general/code.png"]
date: "2025-01-22"
---

If you want to set up a custom login screen, where Viam provides authentication and manages users for you but the branding is yours, follow these steps:

<!-- TODO screenshot of example unbranded login screen -->

## Prerequisites

{{< table >}}
{{% tablestep link="/dev/tools/cli/#organizations" %}}
**1. Add your logo**

Add a logo to be displayed on the login screen for your organization.
Your logo can be up to 200KB in size and must be in PNG format.

```sh {class="command-line" data-prompt="$" data-output="2-10"}
viam organization logo set logo-path=logo.png --org-id <org-id>
Successfully set the logo for organization <org-id> to logo at file-path: logo.png
```

You must have [owner permissions](/manage/manage/rbac/#organization-settings-and-roles) on the organization.

{{% /tablestep %}}
{{% tablestep link="/dev/tools/cli/#organizations" %}}
**2. Add support email**

This is the email that will be shown when Viam sends emails to users on your behalf for email verification, password recovery, and other account related emails.

```sh {class="command-line" data-prompt="$" data-output="2-10"}
viam organization support-email set --support-email [email protected] --org-id <org-id>
Successfully set support email for organization "<org-id>" to "[email protected]"
```

{{% /tablestep %}}
{{< /table >}}

## Set up auth app

{{< table >}}
{{% tablestep link="/dev/tools/cli/#organizations" %}}
**1. Enable authentication**

Enable the authentication service for your organization:

```sh {class="command-line" data-prompt="$" data-output="2-10"}
viam organization auth-service enable --org-id <org-id>
enabled auth service for organization "<org-id>":
```

{{% /tablestep %}}
{{% tablestep link="/dev/tools/cli/#organizations" %}}
**2. Create OAuth app**

Create your OAuth application for your organization:

```sh {class="command-line" data-prompt="$" data-output="6-10"}
viam organization auth-service oauth-app create --client-authentication required \
--client-name "OAuth Test App" --enabled-grants password \
--logout-uri "https://logoipsum.com/logout" --origin-uris https://logoipsum.com \
--pkce not_required --redirect-uris https://logoipsum.com/callback \
--url-validation allow_wildcards --org-id <org-id>
Successfully created OAuth app OAuth Test App with client ID <client-id> and client secret <secret-token>
```

{{% expand "Click to view more information about arguments." %}}

<!-- prettier-ignore -->
| Argument | Description | Required? |
| -------- | ----------- | --------- |
| `--client-authentication` | The client authentication policy for the OAuth application. Options: `unspecified`, `required`, `not_required`, `not_required_when_using_pkce`. Default: `unspecified`. | **Required** |
| `--client-name` | The name for the OAuth application. | **Required** |
| `--enabled-grants` | Comma-separated enabled grants for the OAuth application. Options: `unspecified`, `refresh_token`, `password`, `implicit`, `device_code`, `authorization_code`. | **Required** |
| `--logout-uri` | The logout uri for the OAuth application. | **Required** |
| `--org-id` | The organization ID that is tied to the OAuth application. | **Required** |
| `--origin-uris` | Comma-separated origin URIs for the OAuth application. | **Required** |
| `--pkce` | pkce for the OAuth application. Options: `unspecified`, `required`, `not_required`, `not_required_when_using_client_authentication`. Default: `unspecified`. | **Required** |
| `--redirect-uris` | Comma-separated redirect URIs for the OAuth application. | **Required** |
| `--url-validation` | URL validation for the OAuth application. Options: `unspecified`, `exact_match`, `allow_wildcards`. Default: `unspecified`. | **Required** |

{{% /expand%}}

{{% /tablestep %}}
{{% tablestep link="/dev/tools/cli/#organizations" %}}
**3. See OAuth app**

```sh {class="command-line" data-prompt="$" data-output="2-5,7-20"}
viam organization auth-service oauth-app list --org-id <org-id>
OAuth apps for organization "<org-id>":

- <client-id>

viam organization auth-service oauth-app read --org-id <org-id> --client-id <client-id>
OAuth config for client ID <client-id>:

Client Authentication: required
PKCE (Proof Key for Code Exchange): not_required
URL Validation Policy: allow_wildcards
Logout URL: https://logoipsum.com
Redirect URLs: https://logoipsum.com/callback
Origin URLs: https://logoipsum.com
Enabled Grants: password
```

{{% /tablestep %}}
{{< /table >}}

You can update any value after setup using `viam organization auth-service oauth-app update`.

## Use the generated client ID and secret in your app

Your authentication is built on top of FusionAuth.
To continue, use the generated client secret and client ID with the [Fusion Auth SDKs](https://fusionauth.io/docs/sdks/).

## FAQ

### Can you update the link shown during authentication?

Currently it is not possible to update the link shown during authentication (`auth.viam.com`).

### Can I customize my login screen further?

If you need further customization, please [contact us](mailto:[email protected]).

0 comments on commit 697513c

Please sign in to comment.