How to configure OAuth 2.0 authentication for cluster replication in ActiveDebianSync.
Cluster replication supports two authentication modes:
- Token Authentication (default): a shared secret token configured on all nodes
- OAuth 2.0 Authentication: the Client Credentials flow using an external OAuth provider
Cluster > Replication

Edit config.json with:

```json
{
  "cluster_enabled": true,
  "cluster_node_name": "node1",
  "cluster_port": 9191,
  "cluster_auth_mode": "oauth",
  "cluster_oauth_enabled": true,
  "cluster_oauth_client_id": "activedebiansync-node1",
  "cluster_oauth_secret": "your-client-secret",
  "cluster_oauth_token_url": "https://auth.example.com/oauth/token",
  "cluster_oauth_scopes": "cluster:sync",
  "cluster_peers": [
    { "name": "node2", "address": "192.168.1.101:9191", "enabled": true }
  ]
}
```
| Field | Type | Default | Description |
|---|---|---|---|
| cluster_auth_mode | string | "token" | Authentication mode: "token" or "oauth" |
| cluster_oauth_enabled | bool | false | Enable OAuth authentication |
| cluster_oauth_client_id | string | "" | OAuth client ID |
| cluster_oauth_secret | string | "" | OAuth client secret |
| cluster_oauth_token_url | string | "" | OAuth token endpoint URL |
| cluster_oauth_scopes | string | "cluster:sync" | OAuth scopes (space or comma separated) |
Your OAuth provider must support the Client Credentials Grant (RFC 6749 Section 4.4).
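A pre-flight check for the OAuth fields above, as an added example (not ActiveDebianSync code): it validates the config.json values and builds the RFC 6749 Section 4.4 token request they imply. Sending the client credentials via HTTP Basic, the https-only rule for the token URL, and the second scope `cluster:read` are assumptions of this example.

```python
import base64
import json
import re
from urllib.parse import quote_plus, urlencode, urlsplit

# Constructed sample using the config.json field names; "cluster:read" is made up.
SAMPLE = json.loads("""{
  "cluster_auth_mode": "oauth",
  "cluster_oauth_enabled": true,
  "cluster_oauth_client_id": "activedebiansync-node1",
  "cluster_oauth_secret": "your-client-secret",
  "cluster_oauth_token_url": "https://auth.example.com/oauth/token",
  "cluster_oauth_scopes": "cluster:sync, cluster:read"
}""")

def split_scopes(raw):
    """The field accepts space- or comma-separated scopes; RFC 6749 sends them space-separated."""
    return [s for s in re.split(r"[,\s]+", raw.strip()) if s]

def check_config(cfg):
    """Return a list of problems that would keep OAuth cluster authentication from working."""
    problems = []
    if cfg.get("cluster_auth_mode", "token") != "oauth":
        problems.append("cluster_auth_mode is not 'oauth'")
    if not cfg.get("cluster_oauth_enabled", False):
        problems.append("cluster_oauth_enabled is false")
    for key in ("cluster_oauth_client_id", "cluster_oauth_secret", "cluster_oauth_token_url"):
        if not cfg.get(key, ""):
            problems.append(f"{key} is empty")
    if cfg.get("cluster_oauth_secret") == "your-client-secret":
        problems.append("cluster_oauth_secret is still the documentation placeholder")
    url = urlsplit(cfg.get("cluster_oauth_token_url", ""))
    if url.scheme != "https" or not url.netloc:
        problems.append("cluster_oauth_token_url must be an https:// URL")
    return problems

def build_token_request(cfg):
    """Build the client credentials request as (url, headers, form body)."""
    # Assumption: client authentication via HTTP Basic (RFC 6749 section 2.3.1).
    creds = ":".join(quote_plus(cfg[k]) for k in ("cluster_oauth_client_id", "cluster_oauth_secret"))
    headers = {
        "Authorization": "Basic " + base64.b64encode(creds.encode()).decode(),
        "Content-Type": "application/x-www-form-urlencoded",
    }
    scopes = split_scopes(cfg.get("cluster_oauth_scopes", "cluster:sync"))
    body = urlencode({"grant_type": "client_credentials", "scope": " ".join(scopes)})
    return cfg["cluster_oauth_token_url"], headers, body
```

Run `check_config` on every node's config.json before enabling OAuth mode; an empty list means the fields are consistent, and the tuple from `build_token_request` can be sent with any HTTP client to confirm the provider issues a token.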
Example: Keycloak
- Client settings: openid-connect, confidential
- Token URL: https://keycloak.example.com/realms/{realm}/protocol/openid-connect/token

Example: Auth0
- Token URL: https://{tenant}.auth0.com/oauth/token

Example: Azure AD
- Token URL: https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token

When a node receives a connection with OAuth authentication:
All Nodes Same Credentials
The simplest setup is to use the same OAuth client credentials on all nodes:
Node 1: client_id=cluster-sync, client_secret=shared-secret
Node 2: client_id=cluster-sync, client_secret=shared-secret
Node 3: client_id=cluster-sync, client_secret=shared-secret
This ensures all nodes receive the same access token and can authenticate with each other.
Per-Node Credentials
For enhanced security, each node can have unique credentials:
Node 1: client_id=node1-sync, client_secret=secret1
Node 2: client_id=node2-sync, client_secret=secret2
Node 3: client_id=node3-sync, client_secret=secret3
This requires implementing token introspection at the OAuth provider level for validation.