oidc-parent/README.md

188 lines
5.7 KiB
Markdown
Raw Normal View History

# CAcert OpenID connect parent project
2022-08-09 16:24:14 +00:00
This repository references several repositories for the CAcert OpenID connect
setup.
## Clone the repository
2022-08-09 16:24:14 +00:00
```shell
2022-07-28 16:35:46 +00:00
git clone --recurse-submodules https://code.cacert.org/cacert/oidc-parent.git
cd oidc-parent
2021-10-24 12:39:05 +00:00
# cause pull, fetch and other git commands to consider submodules
git config submodule.recurse true
```
2022-08-09 16:24:14 +00:00
## Get started
Make sure you have the necessary prerequisites installed (tested on Debian 12
2023-08-06 20:02:05 +00:00
Bookworm) and `~/.local/bin` in your `$PATH` variable:
```shell
sudo apt update
2023-08-07 16:08:19 +00:00
sudo apt install git golang-go make mkcert postgresql python3-pip python3-venv yarnpkg
mkdir -p $HOME/.local/share/virtualenvs ~/.local/bin
python3 -m venv $HOME/.local/share/virtualenvs/ansible
$HOME/.local/share/virtualenvs/ansible/bin/pip install ansible
ln -s $HOME/.local/share/virtualenvs/ansible/bin/ansible* $HOME/.local/bin/
export PATH=$HOME/.local/bin:$PATH
```
*Note:* It is a good idea to put the `PATH` export line into your `.bashrc` or
`.zshenv`.
2023-08-06 18:03:52 +00:00
### Initial Configuration
2023-08-07 16:08:19 +00:00
*Note:* If you want to do everything manually, read on. Otherwise skip to the
ansible or Vagrant options below.
Each of the sub-directories contains instructions for creating or editing a
configuration file and, usually, certificates.
The first that must be performed are the instructions found in the
`hydra_config` sub-directory.
2023-08-06 18:03:52 +00:00
In that one, you must first install Hydra before you continue.
2023-08-07 16:08:19 +00:00
Next, create a certificate and key pair using mkcert, set your database
password, and generate a secret key for Hydra.
2023-08-06 18:03:52 +00:00
Following that, you need to create the Hydra configuration file, hydra.yaml.
2023-08-07 16:08:19 +00:00
Finally, after starting Hydra, you need to create a Hydra Client, using the
command found at the bottom of the README.md in that directory. Save the
2023-08-06 18:03:52 +00:00
values returned from that command.
2023-08-07 16:08:19 +00:00
Next, go in to the `cacert_resources` sub-directory and follow the directions
in that README.md regarding installing nodejs and webpack.
2023-08-06 18:03:52 +00:00
2023-08-07 16:08:19 +00:00
Third, go in to the `oidc_app` sub-directory.
2023-08-06 18:03:52 +00:00
There, you again need to create a certicate and key pair using mkcert.
Create the configuration file, resource_app.toml, using the values created
from the Hydra command described in the hydra_config README.md, and the two
secret keys as described in the current README.md file.
2023-08-07 16:08:19 +00:00
Next, the `oidc_idp` sub-directory.
2023-08-06 18:03:52 +00:00
Again, you will need to create the certificate and key pair using mkcert.
Create the configuration file, idp.toml, using only the a secret key, as
described in the current README.md file.
2023-08-07 16:08:19 +00:00
Finally, change into the `oidc_registration` sub-directory.
2023-08-06 18:03:52 +00:00
There, you will find detailed instructions for certificate creation for
this module.
2023-08-07 16:08:19 +00:00
As well, after creating a secret key, you will create the configuration
2023-08-06 18:03:52 +00:00
file, registration.toml.
### Continuing
At this point, you should have created all of the certificates and configuration files
needed by this system.
### Build the applications
Use `make` to build the web app resources and applications:
### Install the language translation tool
```shell
2022-09-26 08:19:49 +00:00
go install github.com/nicksnyder/go-i18n/v2/goi18n@latest
```
### Build the applications
Use `make` to build the web app resources and applications:
```shell
make
```
## Deployment options
There are two deployment options for the Hydra server and for the custom applications:
1. local deployment
2. Vagrant deployment
You only need one of these options.
Both options use [ansible](https://docs.ansible.com/) to:
- setup the Hydra authorization server
- setup IDP (provides login and consent screens)
- setup demo application
- setup OpenID Connect client registration application
### Local deployment
Use `ansible-playbook` to deploy Hydra, IDP, Client registration and the demo
application:
```shell
cd deployment
ansible-playbook 01_install_cacert_oidc.yml
```
2023-08-07 16:08:19 +00:00
*Note:* If ansible-playbook fails early in the process with "sudo: a password
is required," then confirm that your user has sudo privileges and execute the
`ansible-playbook` command like:
```shell
ansible-playbook -K 01_install_cacert_oidc.yml
```
### Vagrant setup
2023-08-07 16:08:19 +00:00
Instead of Ansible, you can also use [Vagrant](https://www.vagrantup.com/) with
the libvirt-provider. The included Vagrantfile is configured to apply the
ansible-playbook to the Vagrant managed virtual machine.
2022-09-26 08:19:49 +00:00
```shell
sudo apt install vagrant-libvirt virt-manager libvirt-clients
vagrant up
vagrant ssh -- cat .local/share/mkcert/rootCA.pem | sudo tee /usr/local/share/ca-certificates/mkcert-vagrant-oidc.crt
sudo update-ca-certificates
2022-09-26 08:19:49 +00:00
```
## Finally
2023-08-07 16:08:19 +00:00
*Note:* You may also want to configure your browser to trust the CA certificate
in `/usr/local/share/ca-certificates/mkcert-vagrant-oidc.crt`. If you do not
add this trust configuration you will get browser warnings for an unknown
certificate authority.
## Testing your local setup
2023-08-07 16:08:19 +00:00
After running `make` and `ansible-playbook`, Hydra and oidc-idp will both be running.
2023-08-07 16:08:19 +00:00
To run the rest of the components, in each of two new terminal windows, execute
`oidc_app/demo-app` and `oidc_registration/cacert-oidc-registration`.
2023-08-06 18:03:52 +00:00
### Test the authorization server
Request the OpenID connect auto discovery information from Hydra
```shell
curl https://hydra.cacert.localhost:4444/.well-known/openid-configuration | python3 -m json.tool
```
This should give you a JSON document with information about the authorization server.
### Test the identity provider
Open
[https://login.cacert.localhost:3000/](https://login.cacert.localhost:3000/)
this should ask you for a CAcert class 3 client certificate and should render a
2023-08-07 16:08:19 +00:00
welcome page with a CAcert logo.
### Test the demo application
2023-08-07 16:08:19 +00:00
Open [https://app.cacert.localhost:4000/](https://app.cacert.localhost:4000/)
to visit the demo application. Login should redirect you to the IDP, request
consent and redirect back to the application.