OpenID Connect parent repository for local development
Jan Dittberner 7b8bb69bcf Merge pull request 'Updates to README' (#2) from update5 into main
Reviewed-on: #2
Reviewed-by: Jan Dittberner <jandd@cacert.org>
2024-08-06 19:58:31 +00:00

CAcert OpenID connect parent project

This repository references several repositories for the CAcert OpenID connect setup.

Clone the repository

git clone --recurse-submodules https://code.cacert.org/cacert/oidc-parent.git
cd oidc-parent
# cause pull, fetch and other git commands to consider submodules
git config submodule.recurse true

Get started

Make sure you have the necessary prerequisites installed (tested on Debian 12 Bookworm) and ~/.local/bin in your $PATH variable:

sudo apt update
sudo apt install git golang-go make mkcert postgresql python3-pip python3-venv yarnpkg
mkdir -p $HOME/.local/share/virtualenvs ~/.local/bin
python3 -m venv $HOME/.local/share/virtualenvs/ansible
$HOME/.local/share/virtualenvs/ansible/bin/pip install ansible
ln -s $HOME/.local/share/virtualenvs/ansible/bin/ansible* $HOME/.local/bin/
export PATH=$HOME/.local/bin:$HOME/go/bin:$PATH

Note: It is a good idea to put the PATH export line into your .bashrc or .zshenv.

Initial Configuration

Note: If you want to do everything manually, read on. Otherwise skip to the ansible or Vagrant options below.

Each of the sub-directories contains instructions for creating or editing a configuration file and, usually, certificates.

The first steps to perform are the instructions found in the hydra_config sub-directory.

In that one, you must first install Hydra before you continue.

Next, create a certificate and key pair using mkcert, set your database
password, and generate a secret key for Hydra.

Following that, you need to create the Hydra configuration file, hydra.yaml.

Finally, after starting Hydra, you need to create a Hydra Client, using the
command found at the bottom of the README.md in that directory.  Save the
values returned from that command.

Next, go into the cacert_resources sub-directory and follow the directions in that README.md regarding installing nodejs and webpack.

Third, go into the oidc_app sub-directory.

There, you again need to create a certificate and key pair using mkcert.

Create the configuration file, resource_app.toml, using the values created
from the Hydra command described in the hydra_config README.md, and the two
secret keys as described in the current README.md file.

Next, the oidc_idp sub-directory.

Again, you will need to create the certificate and key pair using mkcert.

Create the configuration file, idp.toml, using only a secret key, as
described in the current README.md file.

Finally, change into the oidc_registration sub-directory.

There, you will find detailed instructions for certificate creation for
this module.

As well, after creating a secret key, you will create the configuration
file, registration.toml.

Continuing

At this point, if you followed the Manual procedure, you should have created all of the certificates and configuration files needed by this system.

Install the language translation tool

The build needs the goi18n translation tool, so install it before running make (go install places it in $HOME/go/bin, which the PATH line above already covers):

go install github.com/nicksnyder/go-i18n/v2/goi18n@latest

Deployment options

Before you continue, you need to make the binaries.

Build the applications

Use make to build the web app resources and applications:

make

Before continuing, you need Ansible installed. Besides the virtualenv installation from the Get started section, you can use the package from the Debian 12 repository: sudo apt-get install ansible

There are two deployment options for the Hydra server and for the custom applications:

  1. local deployment
  2. Vagrant deployment

You only need one of these options. Either option performs the following steps:

  • setup the Hydra authorization server
  • setup IDP (provides login and consent screens)
  • setup demo application
  • setup OpenID Connect client registration application

Local deployment

Use ansible-playbook to deploy Hydra, IDP, Client registration and the demo application:

cd deployment
ansible-playbook 01_install_cacert_oidc.yml

Note: If ansible-playbook fails early in the process with "sudo: a password is required," then confirm that your user has sudo privileges and execute the ansible-playbook command like:

ansible-playbook -K 01_install_cacert_oidc.yml

Vagrant setup

Instead of Ansible, you can also use Vagrant with the libvirt provider. The included Vagrantfile is configured to apply the ansible-playbook to the Vagrant managed virtual machine.

sudo apt install vagrant-libvirt virt-manager libvirt-clients
vagrant up
CAROOT=$(pwd)/mkcert_ca mkcert -install

The last step installs the mkcert CA certificate in your user's browser trust store.

Testing your local setup

After running make and ansible-playbook, Hydra and oidc-idp will both be running.

To run the rest of the components, in each of two new terminal windows, execute oidc_app/demo-app and oidc_registration/cacert-oidc-registration.

Test the authorization server

Request the OpenID connect auto discovery information from Hydra

curl https://hydra.cacert.localhost:4444/.well-known/openid-configuration | python3 -m json.tool

This should give you a JSON document with information about the authorization server.
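The discovery document is the root of trust for every client in this setup, so it is worth checking more than that it parses. The following script is an added example, not code from the oidc-parent repository: it either fetches the document from the Hydra URL above or validates a constructed sample offline, and reports the checks a client should make (the advertised issuer must match where the document was fetched from, every endpoint must be https, the code flow and the openid scope must be offered, and no alg=none ID tokens may be advertised). The sample documents and the endpoint paths in them are constructed, and the CA file path assumes mkcert's root certificate is the rootCA.pem inside the CAROOT directory used for `mkcert -install`.

```python
"""Check an OpenID Connect discovery document before trusting it.

Added example; not part of the oidc-parent repository. DISCOVERY_URL is the
Hydra URL from the README; CA_FILE assumes mkcert's root certificate is the
rootCA.pem inside the CAROOT directory used for `mkcert -install`.
"""
import json
import ssl
import urllib.request
from typing import List, Optional

DISCOVERY_URL = "https://hydra.cacert.localhost:4444/.well-known/openid-configuration"
WELL_KNOWN = "/.well-known/openid-configuration"
CA_FILE = "mkcert_ca/rootCA.pem"  # assumed location of the mkcert root certificate

# Metadata an OpenID Provider must publish (OpenID Connect Discovery 1.0, section 3).
REQUIRED_FIELDS = (
    "issuer",
    "authorization_endpoint",
    "token_endpoint",
    "jwks_uri",
    "response_types_supported",
    "subject_types_supported",
    "id_token_signing_alg_values_supported",
)


def issuer_from_discovery_url(url: str) -> str:
    """The issuer the provider must advertise, derived from where the document was fetched."""
    if not url.endswith(WELL_KNOWN):
        raise ValueError("not a discovery URL: " + url)
    return url[: -len(WELL_KNOWN)]


def validate_discovery(doc: dict, discovery_url: str) -> List[str]:
    """Return a list of problems; an empty list means the document passed every check."""
    problems = []
    for field in REQUIRED_FIELDS:
        if field not in doc:
            problems.append("missing required field " + field)
    # The issuer must match the fetch location (trailing slash aside); a mismatch means
    # the document is misconfigured or belongs to a different provider (issuer mix-up).
    expected = issuer_from_discovery_url(discovery_url).rstrip("/")
    issuer = str(doc.get("issuer", "")).rstrip("/")
    if issuer != expected:
        problems.append(f"issuer {issuer!r} does not match fetch location {expected!r}")
    # Every endpoint a client sends codes or tokens to must be TLS-protected.
    for key, value in doc.items():
        if (key.endswith("_endpoint") or key == "jwks_uri") and not str(value).startswith("https://"):
            problems.append(f"{key} is not served over https: {value}")
    if "code" not in doc.get("response_types_supported", []):
        problems.append("authorization code flow (response_type=code) not offered")
    if "scopes_supported" in doc and "openid" not in doc["scopes_supported"]:
        problems.append("scope 'openid' not advertised")
    if "none" in doc.get("id_token_signing_alg_values_supported", []):
        problems.append("provider advertises unsigned (alg=none) ID tokens")
    return problems


def fetch_discovery(url: str = DISCOVERY_URL, ca_file: Optional[str] = CA_FILE) -> dict:
    """Fetch the document over TLS, trusting the given CA file (the mkcert root)."""
    ctx = ssl.create_default_context(cafile=ca_file)
    with urllib.request.urlopen(url, context=ctx, timeout=10) as resp:
        return json.load(resp)


# Constructed sample documents; the endpoint paths are assumptions, not taken from this Hydra.
SAMPLE_DOC = {
    "issuer": "https://hydra.cacert.localhost:4444/",
    "authorization_endpoint": "https://hydra.cacert.localhost:4444/oauth2/auth",
    "token_endpoint": "https://hydra.cacert.localhost:4444/oauth2/token",
    "jwks_uri": "https://hydra.cacert.localhost:4444/.well-known/jwks.json",
    "response_types_supported": ["code", "id_token", "token id_token"],
    "subject_types_supported": ["public"],
    "id_token_signing_alg_values_supported": ["RS256"],
    "scopes_supported": ["openid", "offline", "profile", "email"],
}
# Same document with a foreign issuer and a plaintext token endpoint.
SAMPLE_MISCONFIGURED = dict(
    SAMPLE_DOC,
    issuer="https://hydra.example.test/",
    token_endpoint="http://hydra.cacert.localhost:4444/oauth2/token",
)

if __name__ == "__main__":
    import sys
    doc = fetch_discovery() if "--live" in sys.argv else SAMPLE_MISCONFIGURED
    for problem in validate_discovery(doc, DISCOVERY_URL):
        print("PROBLEM:", problem)
```

Run it with `--live` against the running Hydra once the mkcert CA file path is correct; without the flag it reports the two problems in the constructed misconfigured sample.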

Test the identity provider

Open https://login.cacert.localhost:3000/. This should ask you for a CAcert class 3 client certificate and should render a welcome page with a CAcert logo.

Test the demo application

Open https://app.cacert.localhost:4000/ to visit the demo application. Login should redirect you to the IDP, request consent and redirect back to the application.
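The redirect round trip described above is where a client has to bind the response back to the login it started. The following is an added example, not the demo application's own code: it builds the authorization request with a random state, nonce and PKCE code challenge, validates the callback before the code is exchanged, and checks the nonce after the ID token has been verified. The client id and callback path are placeholders; the real values are the ones returned when you created the Hydra client in hydra_config and the ones configured in resource_app.toml, and the discovery fragment in the usage block is constructed.

```python
"""Authorization code flow, client side: start a login and validate the redirect back.

Added example; not the demo application's code. CLIENT_ID and REDIRECT_URI are
placeholders for the values from the Hydra client creation and resource_app.toml.
"""
import base64
import hashlib
import secrets
from typing import Dict, Tuple
from urllib.parse import parse_qs, urlencode, urlparse

CLIENT_ID = "demo-app-client-id-placeholder"
REDIRECT_URI = "https://app.cacert.localhost:4000/callback"  # assumed callback path


def b64url(raw: bytes) -> str:
    """Base64url without padding, as PKCE and JOSE use it."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def pkce_challenge(verifier: str) -> str:
    """S256 code challenge (RFC 7636): base64url(SHA-256(verifier))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def begin_login(discovery: dict, client_id: str = CLIENT_ID,
                redirect_uri: str = REDIRECT_URI) -> Tuple[str, Dict[str, str]]:
    """Build the redirect to Hydra. The returned dict belongs in the user's server-side
    session: state binds the callback to this attempt, nonce binds the ID token to it,
    and the code verifier proves to the token endpoint that the party redeeming the
    code is the one that started the login."""
    session = {
        "state": secrets.token_urlsafe(32),
        "nonce": secrets.token_urlsafe(32),
        "code_verifier": b64url(secrets.token_bytes(32)),  # 43 chars, the RFC 7636 minimum
    }
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid profile email",
        "state": session["state"],
        "nonce": session["nonce"],
        "code_challenge": pkce_challenge(session["code_verifier"]),
        "code_challenge_method": "S256",
    }
    return discovery["authorization_endpoint"] + "?" + urlencode(params), session


def check_callback(session: Dict[str, str], callback_url: str) -> str:
    """Validate the redirect from Hydra and return the authorization code. Raises
    ValueError on an error response, a missing or foreign state, or a missing code."""
    query = parse_qs(urlparse(callback_url).query)
    if "error" in query:
        raise ValueError("provider returned error: " + query["error"][0])
    state = query.get("state", [None])[0]
    if state is None or not secrets.compare_digest(state.encode("utf-8"),
                                                    session["state"].encode("utf-8")):
        raise ValueError("state mismatch: response does not belong to this login attempt")
    code = query.get("code", [None])[0]
    if not code:
        raise ValueError("no authorization code in callback")
    return code


def token_request(session: Dict[str, str], code: str, client_id: str = CLIENT_ID,
                  redirect_uri: str = REDIRECT_URI) -> Dict[str, str]:
    """Form body for the token endpoint; redirect_uri must repeat the one used above."""
    return {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "client_id": client_id,
        "code_verifier": session["code_verifier"],
    }


def check_id_token_nonce(session: Dict[str, str], claims: dict) -> bool:
    """After the ID token signature has been verified against jwks_uri, its nonce
    claim must equal the nonce sent in the authorization request."""
    return secrets.compare_digest(str(claims.get("nonce", "")).encode("utf-8"),
                                  session["nonce"].encode("utf-8"))


if __name__ == "__main__":
    # Constructed discovery fragment; the real one comes from Hydra's discovery URL.
    disc = {"authorization_endpoint": "https://hydra.cacert.localhost:4444/oauth2/auth"}
    url, sess = begin_login(disc)
    print("redirect the browser to:", url)
    callback = REDIRECT_URI + "?" + urlencode({"code": "constructed-code", "state": sess["state"]})
    print("code to exchange:", check_callback(sess, callback))
```

The session dict must never be sent to the browser in a form it can alter; keeping it server-side is what makes the state and nonce comparisons meaningful.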