WIP kanidm container setup for simpler testing than going through my production setup

apps/yourcloud/examples/oidc.rs

@@ -6,16 +6,16 @@ use openidconnect::core::{
 };
 use openidconnect::AuthorizationCode;
 use openidconnect::{
-    AccessTokenHash, ClientId, ClientSecret, CsrfToken, IssuerUrl, Nonce, PkceCodeChallenge,
+    AccessTokenHash, ClientId, CsrfToken, IssuerUrl, Nonce, PkceCodeChallenge, RedirectUrl, Scope,
-    RedirectUrl, Scope,
 };
 
 use openidconnect::reqwest::http_client;
 
 const ISSUER_URL: &str = "https://idm.h.lyte.dev/oauth2/openid/yourcloud-dev";
-const CLIENT_ID: &str = "client_id";
+const CLIENT_ID: &str = "yourcloud-dev";
-const CLIENT_SECRET: &str = "client_secret";
+// const CLIENT_SECRET: &str = "client_secret";
 const REDIRECT_URL: &str = "http://localhost:3000/oauth2/handler";
+const SCOPES: [&str; 3] = ["read", "write", "email"];
 
 fn main() -> Result<()> {
     // Use OpenID Connect Discovery to fetch the provider metadata.
@@ -28,7 +28,8 @@ fn main() -> Result<()> {
     let client = CoreClient::from_provider_metadata(
         provider_metadata,
         ClientId::new(CLIENT_ID.to_string()),
-        Some(ClientSecret::new(CLIENT_SECRET.to_string())),
+        // Some(ClientSecret::new(CLIENT_SECRET.to_string())),
+        None,
     )
     // Set the URL the user will be redirected to after the authorization process.
     .set_redirect_uri(RedirectUrl::new(REDIRECT_URL.to_string())?);
@@ -37,18 +38,18 @@ fn main() -> Result<()> {
     let (pkce_challenge, pkce_verifier) = PkceCodeChallenge::new_random_sha256();
 
     // Generate the full authorization URL.
-    let (auth_url, _csrf_token, nonce) = client
+    let mut builder = client.authorize_url(
-        .authorize_url(
+        CoreAuthenticationFlow::AuthorizationCode,
-            CoreAuthenticationFlow::AuthorizationCode,
+        CsrfToken::new_random,
-            CsrfToken::new_random,
+        Nonce::new_random,
-            Nonce::new_random,
+    );
-        )
+
-        // Set the desired scopes.
+    for s in SCOPES {
-        .add_scope(Scope::new("read".to_string()))
+        builder = builder.add_scope(Scope::new(s.to_string()));
-        .add_scope(Scope::new("write".to_string()))
+    }
-        // Set the PKCE code challenge.
+    // Set the desired scopes.
-        .set_pkce_challenge(pkce_challenge)
+    // Set the PKCE code challenge.
-        .url();
+    let (auth_url, _csrf_token, nonce) = builder.set_pkce_challenge(pkce_challenge).url();
 
     // This is the URL you should redirect the user to, in order to trigger the authorization
     // process.

config/kanidm/.gitignore

@@ -0,0 +1,2 @@
+key.pem
+chain.pem

config/kanidm/basic-setup.sh

@@ -0,0 +1 @@
+

config/kanidm/gentls.sh

@@ -0,0 +1,4 @@
+#!/usr/bin/env nix-shell
+#!nix-shell -i bash -p openssl
+
+openssl req -x509 -newkey rsa:4096 -keyout key.pem -out chain.pem -sha256 -days 3650 -nodes -subj "/C=XX/ST=StateName/L=CityName/O=CompanyName/OU=CompanySectionName/CN=CommonName"

config/kanidm/run-in-podman.sh

@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+podman run -itd --rm \
+  -p 8443:8443 \
+  -v "$PWD/server.toml:/data/server.toml" \
+  -v "$PWD/chain.pem:/data/chain.pem" \
+  -v "$PWD/key.pem:/data/key.pem" \
+  --name kanidm \
+  docker.io/kanidm/server:latest

config/kanidm/server.toml

@@ -0,0 +1,6 @@
+bindaddress = "[::]:8443"
+db_path = "/data/kanidm.db"
+tls_chain = "/data/chain.pem"
+tls_key = "/data/key.pem"
+domain = "localhost"
+origin = "https://localhost:8443"

readme.md

@@ -8,3 +8,10 @@ other things you would normally do "in the cloud" from a home server with a very
 barebones Rust application.
 
 Probably a huge pipe dream.
+
+# Authentication
+
+Currently planning on managing this with `kanidm` as a default, but obviously
+you bring your own OIDC/OAuth2 setup. Auth is one of those wheels I absolutely
+hate reinventing. Perhaps `yourcloud` could have a management interface for
+`kanidm`?