cacert
/
oidc-parent
9
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
main
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '92b6570614'
${ noResults }
oidc-parent/README.md

3.2 KiB
Raw Blame History

CAcert OpenID connect parent project

This repository references several repositories for the CAcert OpenID connect setup.

Clone the repository

git clone --recurse-submodules https://code.cacert.org/cacert/oidc-parent.git
cd oidc-parent
# cause pull, fetch and other git commands to consider submodules
git config submodule.recurse true

Get started

Make sure you have the necessary prerequisites installed (tested on Debian 12 Bookworm) and ~/.local/bin in your $PATH variable:

sudo apt update
sudo apt install make mkcert python3-pip python3-venv golang-go yarnpkg
mkdir -p $HOME/.local/share/virtualenvs ~/.local/bin
python3 -m venv $HOME/.local/share/virtualenvs/ansible
$HOME/.local/share/virtualenvs/ansible/bin/pip install ansible
ln -s $HOME/.local/share/virtualenvs/ansible/bin/ansible* $HOME/.local/bin/
export PATH=$HOME/.local/bin:$PATH

Note: It is a good idea to put the PATH export line into your .bashrc or .zshenv.

Build the applications

Use make to build the web app resources and applications:

go install github.com/nicksnyder/go-i18n/v2/goi18n@latest
make

Deployment options

There are two deployment options for the Hydra server and for the custom applications:

  1. local deployment
  2. Vagrant deployment

You only need one of these options.

Both options use ansible to:

  • setup the Hydra authorization server
  • setup IDP (provides login and consent screens)
  • setup demo application
  • setup OpenID Connect client registration application

Local deployment

Use ansible-playbook to deploy Hydra, IDP, Client registration and the demo application:

cd deployment
ansible-playbook 01_install_cacert_oidc.yml

Note: If ansible-playbook fails early in the process with "sudo: a password is required," then confirm that your user has sudo privileges and execute that command like

ansible-playbook -K 01_install_cacert_oidc.yml

Vagrant setup

You can also use Vagrant with the libvirt-provider. The included Vagrantfile is configured to apply the ansible-playbook to the Vagrant managed virtual machine.

sudo apt install vagrant-libvirt virt-manager libvirt-clients
vagrant up
vagrant ssh -- cat .local/share/mkcert/rootCA.pem | sudo tee /usr/local/share/ca-certificates/mkcert-vagrant-oidc.crt
sudo update-ca-certificates

Note: You may also want to configure your browser to trust the CA certificate in /usr/local/share/ca-certificates/mkcert-vagrant-oidc.crt. If you do not add this trust configuration you will get browser warnings for an unknown certificate authority.

Testing your local setup

Test the authorization server

Request the OpenID connect auto discovery information from Hydra

curl https://hydra.cacert.localhost:4444/.well-known/openid-configuration | python3 -m json.tool

This should give you a JSON document with information about the authorization server.

Test the identity provider

Open https://login.cacert.localhost:3000/ this should ask you for a CAcert class 3 client certificate and should render a 404 page with a CAcert logo.