diff --git a/apps/yourcloud/examples/oidc.rs b/apps/yourcloud/examples/oidc.rs
index add8eb1..804d0c7 100644
--- a/apps/yourcloud/examples/oidc.rs
+++ b/apps/yourcloud/examples/oidc.rs
@@ -6,16 +6,16 @@ use openidconnect::core::{
 };
 use openidconnect::AuthorizationCode;
 use openidconnect::{
- AccessTokenHash, ClientId, ClientSecret, CsrfToken, IssuerUrl, Nonce, PkceCodeChallenge,
- RedirectUrl, Scope,
+ AccessTokenHash, ClientId, CsrfToken, IssuerUrl, Nonce, PkceCodeChallenge, RedirectUrl, Scope,
 };
 use openidconnect::reqwest::http_client;
 const ISSUER_URL: &str = "https://idm.h.lyte.dev/oauth2/openid/yourcloud-dev";
-const CLIENT_ID: &str = "client_id";
-const CLIENT_SECRET: &str = "client_secret";
+const CLIENT_ID: &str = "yourcloud-dev";
+// const CLIENT_SECRET: &str = "client_secret";
 const REDIRECT_URL: &str = "http://localhost:3000/oauth2/handler";
+const SCOPES: [&str; 3] = ["read", "write", "email"];
 fn main() -> Result<()> {
 // Use OpenID Connect Discovery to fetch the provider metadata.
@@ -28,7 +28,8 @@ fn main() -> Result<()> {
 let client = CoreClient::from_provider_metadata(
 provider_metadata,
 ClientId::new(CLIENT_ID.to_string()),
- Some(ClientSecret::new(CLIENT_SECRET.to_string())),
+ // Some(ClientSecret::new(CLIENT_SECRET.to_string())),
+ None,
 )
 // Set the URL the user will be redirected to after the authorization process.
 .set_redirect_uri(RedirectUrl::new(REDIRECT_URL.to_string())?);
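Review bot: The client secret is commented out in two places (the `CLIENT_SECRET` const and the `Some(ClientSecret::new(...))` argument) rather than deleted, and since the `ClientSecret` import was removed in the same hunk the commented code could not even be uncommented as-is; delete both lines. Passing `None` turns the example into a public OAuth2 client, which is only sound because a PKCE challenge is set later in `main`, so say so where the reader will look: `None, // public client: no secret, the PKCE challenge set below protects the code exchange`. The Kanidm client registration for `yourcloud-dev` presumably has to be configured as a public client with PKCE required for this to be accepted, which the diff does not show; `main` continues outside the hunk.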
@@ -37,18 +38,18 @@ fn main() -> Result<()> {
 let (pkce_challenge, pkce_verifier) = PkceCodeChallenge::new_random_sha256();
 // Generate the full authorization URL.
- let (auth_url, _csrf_token, nonce) = client
- .authorize_url(
- CoreAuthenticationFlow::AuthorizationCode,
- CsrfToken::new_random,
- Nonce::new_random,
- )
- // Set the desired scopes.
- .add_scope(Scope::new("read".to_string()))
- .add_scope(Scope::new("write".to_string()))
- // Set the PKCE code challenge.
- .set_pkce_challenge(pkce_challenge)
- .url();
+ let mut builder = client.authorize_url(
+ CoreAuthenticationFlow::AuthorizationCode,
+ CsrfToken::new_random,
+ Nonce::new_random,
+ );
+
+ for s in SCOPES {
+ builder = builder.add_scope(Scope::new(s.to_string()));
+ }
+ // Set the desired scopes.
+ // Set the PKCE code challenge.
+ let (auth_url, _csrf_token, nonce) = builder.set_pkce_challenge(pkce_challenge).url();
 // This is the URL you should redirect the user to, in order to trigger the authorization
 // process.
diff --git a/config/kanidm/.gitignore b/config/kanidm/.gitignore
new file mode 100644
index 0000000..3b0bc23
--- /dev/null
+++ b/config/kanidm/.gitignore
@@ -0,0 +1,2 @@
+key.pem
+chain.pem
diff --git a/config/kanidm/basic-setup.sh b/config/kanidm/basic-setup.sh
new file mode 100644
index 0000000..8b13789
--- /dev/null
+++ b/config/kanidm/basic-setup.sh
@@ -0,0 +1 @@
+
diff --git a/config/kanidm/gentls.sh b/config/kanidm/gentls.sh
new file mode 100755
index 0000000..261f6e4
--- /dev/null
+++ b/config/kanidm/gentls.sh
@@ -0,0 +1,4 @@
+#!/usr/bin/env nix-shell
+#!nix-shell -i bash -p openssl
+
+openssl req -x509 -newkey rsa:4096 -keyout key.pem -out chain.pem -sha256 -days 3650 -nodes -subj "/C=XX/ST=StateName/L=CityName/O=CompanyName/OU=CompanySectionName/CN=CommonName"
diff --git a/config/kanidm/run-in-podman.sh b/config/kanidm/run-in-podman.sh
new file mode 100755
index 0000000..bd47eb4
--- /dev/null
+++ b/config/kanidm/run-in-podman.sh
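Review bot: The two comments `// Set the desired scopes.` and `// Set the PKCE code challenge.` were carried over from the removed chain and now sit together after the `for s in SCOPES` loop, so the first one describes nothing where it stands; move `// Set the desired scopes.` above the `for` line and keep the PKCE comment on the `set_pkce_challenge` line. The `let mut builder` plus reassignment loop would also read more idiomatically as a fold, `let builder = SCOPES.into_iter().fold(client.authorize_url(...), |b, s| b.add_scope(Scope::new(s.to_string())));`, though that is a matter of taste. `main` continues outside the hunk, so whether `_csrf_token` is later compared against the callback's `state` cannot be checked here.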
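Review bot: The generated certificate carries a placeholder subject (`CN=CommonName`) and no subjectAltName, while `server.toml` in this same commit sets `domain = "localhost"` and `origin = "https://localhost:8443"`; browsers and Rust TLS clients validate the SAN, so `chain.pem` will not verify for that origin and every client will have to disable verification to talk to the dev server. Replace the `-subj` with `-subj "/CN=localhost" -addext "subjectAltName=DNS:localhost,IP:127.0.0.1"`. `-nodes` writes an unencrypted `key.pem` with the default umask; a `umask 077` line before the `openssl` call keeps the key readable only by the owner, which matters even for a gitignored dev key on a shared machine.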
@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+podman run -itd --rm \
+ -p 8443:8443 \
+ -v "$PWD/server.toml:/data/server.toml" \
+ -v "$PWD/chain.pem:/data/chain.pem" \
+ -v "$PWD/key.pem:/data/key.pem" \
+ --name kanidm \
+ docker.io/kanidm/server:latest
diff --git a/config/kanidm/server.toml b/config/kanidm/server.toml
new file mode 100644
index 0000000..1ccc1fe
--- /dev/null
+++ b/config/kanidm/server.toml
@@ -0,0 +1,6 @@
+bindaddress = "[::]:8443"
+db_path = "/data/kanidm.db"
+tls_chain = "/data/chain.pem"
+tls_key = "/data/key.pem"
+domain = "localhost"
+origin = "https://localhost:8443"
diff --git a/readme.md b/readme.md
index c2cc284..5b3eff6 100644
--- a/readme.md
+++ b/readme.md
@@ -8,3 +8,10 @@ other things you would normally do "in the cloud" from a home server with a very barebones Rust application. Probably a huge pipe dream. + + # Authentication + + Currently planning on managing this with `kanidm` as a default, but obviously +you bring your own OIDC/OAuth2 setup. Auth is one of those wheels I absolutely +hate reinventing. Perhaps `yourcloud` could have a management interface for +`kanidm`?
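Review bot: `server.toml` puts the database at `/data/kanidm.db`, but only three individual files are bind-mounted under `/data` and the container runs with `--rm`, so the database lives in the container's writable layer and is discarded on exit; unless a throwaway instance is intended, add a volume for the directory, e.g. `-v kanidm-data:/data \` before the file mounts (runtimes mount the longer paths on top of it). `docker.io/kanidm/server:latest` means the identity provider is silently upgraded on every pull; pin it to a specific release tag such as `docker.io/kanidm/server:<PINNED_TAG>` (placeholder) and bump deliberately. For a local dev setup, `-p 127.0.0.1:8443:8443` keeps the server off every interface on the host.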