WIP kanidm container setup for simpler testing than going through my production setup
This commit is contained in:
parent
91356fb0d7
commit
f2deb35e69
|
@ -6,16 +6,16 @@ use openidconnect::core::{
|
|||
};
|
||||
use openidconnect::AuthorizationCode;
|
||||
use openidconnect::{
|
||||
AccessTokenHash, ClientId, ClientSecret, CsrfToken, IssuerUrl, Nonce, PkceCodeChallenge,
|
||||
RedirectUrl, Scope,
|
||||
AccessTokenHash, ClientId, CsrfToken, IssuerUrl, Nonce, PkceCodeChallenge, RedirectUrl, Scope,
|
||||
};
|
||||
|
||||
use openidconnect::reqwest::http_client;
|
||||
|
||||
const ISSUER_URL: &str = "https://idm.h.lyte.dev/oauth2/openid/yourcloud-dev";
|
||||
const CLIENT_ID: &str = "client_id";
|
||||
const CLIENT_SECRET: &str = "client_secret";
|
||||
const CLIENT_ID: &str = "yourcloud-dev";
|
||||
// const CLIENT_SECRET: &str = "client_secret";
|
||||
const REDIRECT_URL: &str = "http://localhost:3000/oauth2/handler";
|
||||
const SCOPES: [&str; 3] = ["read", "write", "email"];
|
||||
|
||||
fn main() -> Result<()> {
|
||||
// Use OpenID Connect Discovery to fetch the provider metadata.
|
||||
|
@ -28,7 +28,8 @@ fn main() -> Result<()> {
|
|||
let client = CoreClient::from_provider_metadata(
|
||||
provider_metadata,
|
||||
ClientId::new(CLIENT_ID.to_string()),
|
||||
Some(ClientSecret::new(CLIENT_SECRET.to_string())),
|
||||
// Some(ClientSecret::new(CLIENT_SECRET.to_string())),
|
||||
None,
|
||||
)
|
||||
// Set the URL the user will be redirected to after the authorization process.
|
||||
.set_redirect_uri(RedirectUrl::new(REDIRECT_URL.to_string())?);
|
||||
|
@ -37,18 +38,18 @@ fn main() -> Result<()> {
|
|||
let (pkce_challenge, pkce_verifier) = PkceCodeChallenge::new_random_sha256();
|
||||
|
||||
// Generate the full authorization URL.
|
||||
let (auth_url, _csrf_token, nonce) = client
|
||||
.authorize_url(
|
||||
CoreAuthenticationFlow::AuthorizationCode,
|
||||
CsrfToken::new_random,
|
||||
Nonce::new_random,
|
||||
)
|
||||
// Set the desired scopes.
|
||||
.add_scope(Scope::new("read".to_string()))
|
||||
.add_scope(Scope::new("write".to_string()))
|
||||
// Set the PKCE code challenge.
|
||||
.set_pkce_challenge(pkce_challenge)
|
||||
.url();
|
||||
let mut builder = client.authorize_url(
|
||||
CoreAuthenticationFlow::AuthorizationCode,
|
||||
CsrfToken::new_random,
|
||||
Nonce::new_random,
|
||||
);
|
||||
|
||||
for s in SCOPES {
|
||||
builder = builder.add_scope(Scope::new(s.to_string()));
|
||||
}
|
||||
// Set the desired scopes.
|
||||
// Set the PKCE code challenge.
|
||||
let (auth_url, _csrf_token, nonce) = builder.set_pkce_challenge(pkce_challenge).url();
|
||||
|
||||
// This is the URL you should redirect the user to, in order to trigger the authorization
|
||||
// process.
|
||||
|
|
2
config/kanidm/.gitignore
vendored
Normal file
2
config/kanidm/.gitignore
vendored
Normal file
|
@ -0,0 +1,2 @@
|
|||
key.pem
|
||||
chain.pem
|
1
config/kanidm/basic-setup.sh
Normal file
1
config/kanidm/basic-setup.sh
Normal file
|
@ -0,0 +1 @@
|
|||
|
4
config/kanidm/gentls.sh
Executable file
4
config/kanidm/gentls.sh
Executable file
|
@ -0,0 +1,4 @@
|
|||
#!/usr/bin/env nix-shell
|
||||
#!nix-shell -i bash -p openssl
|
||||
|
||||
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out chain.pem -sha256 -days 3650 -nodes -subj "/C=XX/ST=StateName/L=CityName/O=CompanyName/OU=CompanySectionName/CN=CommonName"
|
8
config/kanidm/run-in-podman.sh
Executable file
8
config/kanidm/run-in-podman.sh
Executable file
|
@ -0,0 +1,8 @@
|
|||
#!/usr/bin/env bash
|
||||
podman run -itd --rm \
|
||||
-p 8443:8443 \
|
||||
-v "$PWD/server.toml:/data/server.toml" \
|
||||
-v "$PWD/chain.pem:/data/chain.pem" \
|
||||
-v "$PWD/key.pem:/data/key.pem" \
|
||||
--name kanidm \
|
||||
docker.io/kanidm/server:latest
|
6
config/kanidm/server.toml
Normal file
6
config/kanidm/server.toml
Normal file
|
@ -0,0 +1,6 @@
|
|||
bindaddress = "[::]:8443"
|
||||
db_path = "/data/kanidm.db"
|
||||
tls_chain = "/data/chain.pem"
|
||||
tls_key = "/data/key.pem"
|
||||
domain = "localhost"
|
||||
origin = "https://localhost:8443"
|
|
@ -8,3 +8,10 @@ other things you would normally do "in the cloud" from a home server with a very
|
|||
barebones Rust application.
|
||||
|
||||
Probably a huge pipe dream.
|
||||
|
||||
# Authentication
|
||||
|
||||
Currently planning on managing this with `kanidm` as a default, but obviously
|
||||
you bring your own OIDC/OAuth2 setup. Auth is one of those wheels I absolutely
|
||||
hate reinventing. Perhaps `yourcloud` could have a management interface for
|
||||
`kanidm`?
|
||||
|
|
Loading…
Reference in a new issue