WIP kanidm container setup for simpler testing than going through my production setup

This commit is contained in:
Daniel Flanagan 2024-08-07 14:43:25 -05:00
parent 91356fb0d7
commit f2deb35e69
7 changed files with 46 additions and 17 deletions

View file

@ -6,16 +6,16 @@ use openidconnect::core::{
};
use openidconnect::AuthorizationCode;
use openidconnect::{
AccessTokenHash, ClientId, ClientSecret, CsrfToken, IssuerUrl, Nonce, PkceCodeChallenge,
RedirectUrl, Scope,
AccessTokenHash, ClientId, CsrfToken, IssuerUrl, Nonce, PkceCodeChallenge, RedirectUrl, Scope,
};
use openidconnect::reqwest::http_client;
const ISSUER_URL: &str = "https://idm.h.lyte.dev/oauth2/openid/yourcloud-dev";
const CLIENT_ID: &str = "client_id";
const CLIENT_SECRET: &str = "client_secret";
const CLIENT_ID: &str = "yourcloud-dev";
// const CLIENT_SECRET: &str = "client_secret";
const REDIRECT_URL: &str = "http://localhost:3000/oauth2/handler";
const SCOPES: [&str; 3] = ["read", "write", "email"];
fn main() -> Result<()> {
// Use OpenID Connect Discovery to fetch the provider metadata.
@ -28,7 +28,8 @@ fn main() -> Result<()> {
let client = CoreClient::from_provider_metadata(
provider_metadata,
ClientId::new(CLIENT_ID.to_string()),
Some(ClientSecret::new(CLIENT_SECRET.to_string())),
// Some(ClientSecret::new(CLIENT_SECRET.to_string())),
None,
)
// Set the URL the user will be redirected to after the authorization process.
.set_redirect_uri(RedirectUrl::new(REDIRECT_URL.to_string())?);
@ -37,18 +38,18 @@ fn main() -> Result<()> {
let (pkce_challenge, pkce_verifier) = PkceCodeChallenge::new_random_sha256();
// Generate the full authorization URL.
let (auth_url, _csrf_token, nonce) = client
.authorize_url(
let mut builder = client.authorize_url(
CoreAuthenticationFlow::AuthorizationCode,
CsrfToken::new_random,
Nonce::new_random,
)
);
for s in SCOPES {
builder = builder.add_scope(Scope::new(s.to_string()));
}
// Set the desired scopes.
.add_scope(Scope::new("read".to_string()))
.add_scope(Scope::new("write".to_string()))
// Set the PKCE code challenge.
.set_pkce_challenge(pkce_challenge)
.url();
let (auth_url, _csrf_token, nonce) = builder.set_pkce_challenge(pkce_challenge).url();
// This is the URL you should redirect the user to, in order to trigger the authorization
// process.

2
config/kanidm/.gitignore vendored Normal file
View file

@ -0,0 +1,2 @@
key.pem
chain.pem

View file

@ -0,0 +1 @@

4
config/kanidm/gentls.sh Executable file
View file

@ -0,0 +1,4 @@
#!/usr/bin/env nix-shell
#!nix-shell -i bash -p openssl
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out chain.pem -sha256 -days 3650 -nodes -subj "/C=XX/ST=StateName/L=CityName/O=CompanyName/OU=CompanySectionName/CN=CommonName"

8
config/kanidm/run-in-podman.sh Executable file
View file

@ -0,0 +1,8 @@
#!/usr/bin/env bash
podman run -itd --rm \
-p 8443:8443 \
-v "$PWD/server.toml:/data/server.toml" \
-v "$PWD/chain.pem:/data/chain.pem" \
-v "$PWD/key.pem:/data/key.pem" \
--name kanidm \
docker.io/kanidm/server:latest

View file

@ -0,0 +1,6 @@
bindaddress = "[::]:8443"
db_path = "/data/kanidm.db"
tls_chain = "/data/chain.pem"
tls_key = "/data/key.pem"
domain = "localhost"
origin = "https://localhost:8443"

View file

@ -8,3 +8,10 @@ other things you would normally do "in the cloud" from a home server with a very
barebones Rust application.
Probably a huge pipe dream.
# Authentication
Currently planning on managing this with `kanidm` as a default, but obviously
you bring your own OIDC/OAuth2 setup. Auth is one of those wheels I absolutely
hate reinventing. Perhaps `yourcloud` could have a management interface for
`kanidm`?