Skip to main content

How to setup OAuth

The oauth.json need to be mounted from your windmill server instances. On the docker-compose.yml, this would correspond to uncommenting thoese 2 lines and have an oauth.json file in the same folder as the docker-compose.yml.

The oauth.json has the following structure:

{
  "<integration>": {
    "id": "...",
    "secret": "..."
  },
  ....
}

Google login

Create Google OAuth keys

First, you need to create a Google OAuth Client:

  • Go to https://console.developers.google.com/apis/credentials.
  • Click "Create Credentials", then click "OAuth Client ID" in the drop-down menu.
  • Enter the following:
    • Application Type: Web Application
    • Name: Windmill
    • Authorized Redirect URLs: https://<YOUR_INSTANCE>/login_callback/google
  • Click Create.
  • Copy the Client ID and Client Secret from the "OAuth Client" modal.
  • Edit your oauth.json to look like:
{
  "google": {
    "id": "<CLIENT_ID>",
    "secret": "<CLIENT_SECRET>",
    "allowed_domains": ["windmill.dev"] //restrict a client OAuth login to some domains
  }
}

Slack

  1. Create a new slack app at https://api.slack.com/apps?new_app=1

Your app manifest shoud look like this, replacing <YOUR INSTANCE URL> in 2 places.

display_information:
  name: Windmill
  description: windmill.dev slackbot and oauth integration
  background_color: "#3b82f6"
  long_description: The Windmill app allows to use command to run jobs inside Windmill as well as receiving message as the Windmill app. The windmill app pairs a slack workspace with a windmill workspace. It must be installed from within the settings of a windmill workspace.
features:
  app_home:
    home_tab_enabled: true
    messages_tab_enabled: true
    messages_tab_read_only_enabled: true
  bot_user:
    display_name: Windmill
    always_online: true
  slash_commands:
    - command: /windmill
      url: <YOUR INSTANCE URL>/api/oauth/slack_command
      description: Trigger the script set in your workspace settings for slack
      usage_hint: the text that will be passed to the script
      should_escape: false
oauth_config:
  redirect_urls:
    - <YOUR INSTANCE URL>
  scopes:
    user:
      - chat:write
      - admin
      - channels:write
    bot:
      - chat:write
      - chat:write.public
      - channels:join
      - commands
settings:
  org_deploy_enabled: false
  socket_mode_enabled: false
  token_rotation_enabled: false
{
  ...
  "slack": {
    "id": "<CLIENT_ID>",
    "secret": "<CLIENT_SECRET>"
  }
}

Keycloak

Setup your realm in Keycload then add the following to your oauth.json:

{
    "keycloak_<realm>": {
        "id": "...",
        "secret": "...",
        "connect_config": {
            "auth_url": "https://.../realms/<realm>/protocol/openid-connect/auth",
            "token_url": "https://.../realms/<realm>/protocol/openid-connect/token",
            "scopes": ["openid", "offline_access"]
        }
    }
}