OpenID Connect Identity Provider (Login and Consent part) using client certificate authentication and ORY Hydra
Find a file
2021-09-19 19:54:00 +02:00
cmd Extract startServer method from main() 2021-09-19 19:54:00 +02:00
handlers Initial IDP version 2021-09-11 13:35:15 +02:00
models Initial IDP version 2021-09-11 13:35:15 +02:00
services Initial IDP version 2021-09-11 13:35:15 +02:00
templates Initial IDP version 2021-09-11 13:35:15 +02:00
.gitignore Initial IDP version 2021-09-11 13:35:15 +02:00
active.de.toml Initial IDP version 2021-09-11 13:35:15 +02:00
active.en.toml Initial IDP version 2021-09-11 13:35:15 +02:00
go.mod Initial IDP version 2021-09-11 13:35:15 +02:00
go.sum Initial IDP version 2021-09-11 13:35:15 +02:00
README.md Initial IDP version 2021-09-11 13:35:15 +02:00

CAcert OAuth2 / OpenID Connect IDP

This repository contains an implementation for an identity provider. ORY Hydra is used for the actual OAuth2 / OpenID Connect operations. The implementation in this repository provides the end user UI components that are required by Hydra to allow login and consent.

The code in this repository is licensed under the terms of the Apache License Version 2.0.

Copyright © 2020, 2021 Jan Dittberner

Setup

Certificates

You need a set of certificates for the IDP. You can use the Test CA created by the setup_test_ca.sh script from the CAcert developer setup repository like this:

  1. create signing requests

    mkdir certs
    cd certs
    openssl req -new -newkey rsa:3072 -nodes \
        -keyout idp.cacert.localhost.key \
        -out idp.cacert.localhost.csr.pem \
        -subj /CN=idp.cacert.localhost \
        -addext subjectAltName=DNS:idp.cacert.localhost,DNS:login.cacert.localhost
    cp *.csr.pem $PATH_TO_DEVSETUP_TESTCA/
    
  2. Use the CA to sign the certificates

    pushd $PATH_TO_DEVSETUP_TESTCA/
    openssl ca -config ca.cnf -name class3_ca -extensions server_ext \
        -in idp.cacert.localhost.csr.pem \
        -out idp.cacert.localhost.crt.pem -days 365
    popd
    cp $PATH_TO_DEVSETUP_TESTCA/idp.cacert.localhost.crt.pem .
    
  3. Copy CA certificate for client certificates

    openssl x509 -in $PATH_TO_DEVSETUP_TESTCA/class3/ca.crt.pem \
        -out client_ca.pem
    

Configure IDP

The Identity Provider application (IDP) requires a strong random key for its CSRF cookie. You can generate such a key using the following openssl command:

openssl rand -base64 32

Use this value to create idp.toml:

[security]
csrf.key = "<32 bytes of base64 encoded data>"

Start

Now you can start the IDP:

go run cmd/idp.go

Translations

This application uses go-i18n for internationalization (i18n) support.

The translation workflow needs the go18n binary which can be installed via

go get -u  github.com/nicksnyder/go-i18n/v2/goi18n

To extract new messages from the code run

goi18n extract .

Then use

goi18n merge active.*.toml

to create TOML files for translation as translate.<locale>.toml. After translating the messages run

goi18n merge active.*.toml translate.*.toml

to merge the messages back into the active translation files. To add a new language you need to add the language code to the languages configuration option (default is defined in the configmap in cmd/idp.go).