@ -14,35 +14,51 @@ git config submodule.recurse true
## Get started
- [setup Hydra ](https://code.cacert.org/cacert/oidc-hydra-config/src/branch/main/README.md )
- build CAcert web application resources
- setup IDP (provides login and consent screens)
- setup demo application
- setup OpenID Connect client registration application
## Local development setup
Make sure you have the necessary prerequisites installed (tested on Debian 11
Bullseye) and `~/.local/bin` is in your `$PATH` variable:
Make sure you have the necessary prerequisites installed (tested on Debian 12
Bookworm) and `~/.local/bin` in your `$PATH`
variable:
```shell
sudo apt update
sudo apt install make python3-pip python3-psycopg2 golang-go yarnpkg
python3 -m pip install --user -U pip
python3 -m pip install --user ansible
sudo apt install make mkcert python3-pip python3-venv golang-go yarnpkg
mkdir -p $HOME/.local/share/virtualenvs ~/.local/bin
python3 -m venv $HOME/.local/share/virtualenvs/ansible
$HOME/.local/share/virtualenvs/ansible/bin/pip install ansible
ln -s $HOME/.local/share/virtualenvs/ansible/bin/ansible* $HOME/.local/bin/
export PATH=$HOME/.local/bin:$PATH
```
*Note:* It is a good idea to put the `PATH` export line into your `.bashrc` or
`.zshenv` .
### Build the applications
Use `make` to build the web app resources and applications:
```shell
go install github.com/nicksnyder/go-i18n/v2/goi18n@latest
make
```
## Deployment options
There are two deployment options for the Hydra server and for the custom applications:
1. local deployment
2. Vagrant deployment
You only need one of these options.
Both options use [ansible ](https://docs.ansible.com/ ) to:
- setup the Hydra authorization server
- setup IDP (provides login and consent screens)
- setup demo application
- setup OpenID Connect client registration application
### Local deployment
Use `ansible-playbook` to deploy Hydra, IDP, Client registration and the demo
application:
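Review bot: the new prerequisite block installs `ansible` into the venv and `goi18n@latest` with no version pin, so two developers following the README on different days get different tool versions and a compromised or broken upstream release lands silently; pin both (e.g. `pip install 'ansible==<tested version>'` and `go install github.com/nicksnyder/go-i18n/v2/goi18n@v2.x.y`) or at least state the versions the setup was tested with, since the hunk already records the tested Debian release. Two smaller points in the same block: `python3-psycopg2` is dropped from the apt line, so please confirm the playbook installs it on the target itself (the venv ansible does not provide it to the target interpreter), and `ln -s .../bin/ansible* $HOME/.local/bin/` fails on a second run because the links already exist; `ln -sf` makes the block re-runnable.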
@ -58,8 +74,11 @@ then confirm that your user has sudo privileges and execute that command like
ansible-playbook -K 01_install_cacert_oidc.yml
```
### Vagrant setup
## Vagrant setup
You can also use [Vagrant ](https://www.vagrantup.com/ ) with the
libvirt-provider. The included Vagrantfile is configured to apply the
ansible-playbook to the Vagrant managed virtual machine.
```shell
sudo apt install vagrant-libvirt virt-manager libvirt-clients
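Review bot: promoting `### Vagrant setup` to `## Vagrant setup` makes it a sibling of "Deployment options" while "Local deployment" stays at `###` underneath it, which contradicts the "two deployment options" list just above; keep both options at the same heading level (either both `###` under "Deployment options" or both `##`) so the table of contents matches the text.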
@ -67,3 +86,28 @@ vagrant up
vagrant ssh -- cat .local/share/mkcert/rootCA.pem | sudo tee /usr/local/share/ca-certificates/mkcert-vagrant-oidc.crt
sudo update-ca-certificates
```
Note: You may also want to configure your browser to trust the CA certificate
in `/usr/local/share/ca-certificates/mkcert-vagrant-oidc.crt` . If you do not
add this trust configuration you will get browser warnings for an unknown
certificate authority.
## Testing your local setup
### Test the authorization server
Request the OpenID connect auto discovery information from Hydra
```shell
curl https://hydra.cacert.localhost:4444/.well-known/openid-configuration | python3 -m json.tool
```
This should give you a JSON document with information about the authorization server.
### Test the identity provider
Open
[https://login.cacert.localhost:3000/ ](https://login.cacert.localhost:3000/ )
this should ask you for a CAcert class 3 client certificate and should render a
404 page with a CAcert logo.
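Review bot: the trust-store step (`cat .local/share/mkcert/rootCA.pem | sudo tee /usr/local/share/ca-certificates/mkcert-vagrant-oidc.crt` followed by `update-ca-certificates`) adds the VM's mkcert root to the host's system trust store without saying what that means or how to undo it; every TLS client on the host will now accept any certificate signed by a key that lives inside a throwaway VM, so the note should state that scope and add the reverse step (`sudo rm /usr/local/share/ca-certificates/mkcert-vagrant-oidc.crt && sudo update-ca-certificates --fresh`) for when the VM is destroyed. The added browser note should also mention that Firefox keeps its own certificate store and is not covered by `update-ca-certificates`, and "OpenID connect auto discovery" in the Hydra test reads better as "OpenID Connect discovery document", which is what `/.well-known/openid-configuration` returns.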