= teamcity-oauth image:https://api.bintray.com/packages/pwielgolaski/generic/teamcity-oauth/images/download.svg[link="https://bintray.com/pwielgolaski/generic/teamcity-oauth/_latestVersion"]
OAuth 2.0 authentication plugin for TeamCity.
image:./docs/login-screen.png[Login Screen]
= Installation
Grab the latest version of the plugin from image:https://api.bintray.com/packages/pwielgolaski/generic/teamcity-oauth/images/download.svg[link="https://bintray.com/pwielgolaski/generic/teamcity-oauth/_latestVersion"] and install it in TeamCity following https://confluence.jetbrains.com/display/TCD10/Installing+Additional+Plugins[https://confluence.jetbrains.com/display/TCD10/Installing+Additional+Plugins].
= Configuration
The plugin supports authentication using:
- GitHub
- Bitbucket
- Azure Active Directory
- any custom OAuth 2.0 server
Log in as an administrator, go to Administration > Authentication, switch to advanced mode and add the module HTTP-OAUTH.v2.
image:./docs/config-screen.png[Configuration Screen]
You need to specify your client ID, client secret and scope.
== GitHub

If you want to use GitHub, you need to create an application at https://github.com/settings/applications/new[https://github.com/settings/applications/new]. The authorization callback URL should be the homepage of TeamCity.

You should use the `user` scope for GitHub.
== GitHub Enterprise

- The OAuth 2.0 authorization endpoint should be https://git.yourcompany.com/login/oauth/authorize
- The OAuth 2.0 token endpoint should be https://git.yourcompany.com/login/oauth/access_token
- The OAuth 2.0 user endpoint should be https://git.yourcompany.com/api/v3/user . Note that the API endpoint is specific to your implementation; it could be something like https://api.yourgit.com/user as well.
- Client ID, Client Secret and scope are the same as for the GitHub application above.
- Also, as above, when you create your GitHub OAuth application the authorization callback URL is just https://teamcity.yourcompany.com/
== Bitbucket

You should use the `account` scope for Bitbucket.
== Google

You should use the `profile email` scope for Google.
== Azure

You should create an application in Azure: https://apps.dev.microsoft.com[https://apps.dev.microsoft.com]. You need to set the Redirect URLs to the homepage of TeamCity.

You should use the `openid https://graph.microsoft.com/user.read` scope for Azure.
Note that by default any Microsoft Live account can register with OAuth. To restrict this to a specific Active Directory instance, https://support.office.com/en-us/article/find-your-office-365-tenant-id-6891b561-a52d-4ade-9f39-b492285e2c9b[find your tenant ID], select Preset: Custom and use the following endpoints:

- Authorization: https://login.microsoftonline.com/{tenantId}/oauth2/v2.0/authorize
- Token: https://login.microsoftonline.com/{tenantId}/oauth2/v2.0/token
- User: https://graph.microsoft.com/v1.0/me
If you don't enable "Allow creating new users on the first login", only users that already exist in TeamCity can log in. This means you need a TeamCity account with the same name as the user's login name at the OAuth provider.

If you specify an "Email Domain", only users whose email is at that domain will be able to log in.

If you specify a value in "Organizations", only users who belong to one of the specified organizations will be authenticated. You can specify more than one organization by separating them with a comma.
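The three restrictions above decide who gets past the OAuth login. The following is an added model of that decision written for this README, not the plugin's own code: the setting names mirror the ones described here, the order of the checks and the fail-closed handling of a missing email are assumptions, and the sample users are constructed.

```python
from dataclasses import dataclass

# Model of the HTTP-OAUTH.v2 module settings described in this README (assumed names).
@dataclass(frozen=True)
class OAuthModuleConfig:
    allow_create_users: bool = False   # "Allow creating new users on the first login"
    email_domain: str = ""             # "Email Domain"; empty means not enforced
    organizations: str = ""            # "Organizations", comma-separated; empty means not enforced

@dataclass(frozen=True)
class OAuthUser:
    login: str                         # login name reported by the provider's user endpoint
    email: str                         # may be empty if the provider returned none
    organizations: tuple = ()          # organizations the provider lists for the user

def allowed_organizations(config: OAuthModuleConfig) -> set:
    """Split the comma-separated setting, ignoring blanks and case."""
    return {o.strip().lower() for o in config.organizations.split(",") if o.strip()}

def email_domain_of(email: str) -> str:
    """Return the part after the last '@' in lower case, or '' if there is no '@'."""
    _, sep, domain = email.rpartition("@")
    return domain.lower() if sep else ""

def login_decision(config: OAuthModuleConfig, user: OAuthUser, existing_logins: set):
    """Return (allowed, reason). Each restriction fails closed: a missing email or
    an empty organization list from the provider is a denial, not a pass."""
    if config.email_domain:
        wanted = config.email_domain.lower().lstrip("@")
        if email_domain_of(user.email) != wanted:          # exact match, not a suffix match
            return False, "email is not at the required domain"
    wanted_orgs = allowed_organizations(config)
    if wanted_orgs and not (wanted_orgs & {o.lower() for o in user.organizations}):
        return False, "user is not in any of the allowed organizations"
    if not config.allow_create_users and user.login not in existing_logins:
        return False, "no TeamCity user with this login and new users are not created"
    return True, "ok"

# Constructed sample data, not real accounts or organizations.
EXISTING_LOGINS = {"alice"}
CONFIG = OAuthModuleConfig(allow_create_users=False, email_domain="example.com",
                           organizations="acme, Widgets")

if __name__ == "__main__":
    for u in (OAuthUser("alice", "alice@example.com", ("acme",)),
              OAuthUser("bob", "bob@example.com.evil.test", ("acme",)),
              OAuthUser("carol", "carol@example.com", ("widgets",))):
        print(u.login, login_decision(CONFIG, u, EXISTING_LOGINS))
```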
You can choose to hide the username/password form on the login screen (worth leaving unchecked while you test the module).

You can also consider disabling "Allow user registration from the login page" in the "Built-in" module.

Save and test it out by logging in at your TeamCity host.
= Development
The plugin can be built and deployed with `gradle deployToTeamcity`.

A TeamCity instance for testing can be set up with `docker-compose up`.