114 lines
2.9 KiB
Markdown
114 lines
2.9 KiB
Markdown
|
# OpenID Connect client registration for CAcert
|
||
|
|
|
||
|
|
This repository contains an implementation for a OAuth2/OpenID Connect client
|
||
|
|
registration application that is meant to be used with [ORY
|
||
|
|
Hydra](https://www.ory.sh/hydra/).
|
||
|
|
|
||
|
|
The code in this repository is licensed under the terms of the Apache License
|
||
|
|
Version 2.0.
|
||
|
|
|
||
|
|
Copyright © 2021 Jan Dittberner
|
||
|
|
|
||
|
|
## Setup
|
||
|
|
|
||
|
|
### Certificates
|
||
|
|
|
||
|
|
You need a set of certificates for the client registration application. You can
|
||
|
|
use the Test CA created by the ``setup_test_ca.sh`` script from the [CAcert
|
||
|
|
developer setup](https://git.dittberner.info/jan/cacert-devsetup) repository
|
||
|
|
like this:
|
||
|
|
|
||
|
|
1. create signing request
|
||
|
|
|
||
|
|
```
|
||
|
|
mkdir certs
|
||
|
|
cd certs
|
||
|
|
openssl req -new -newkey rsa:3072 -nodes \
|
||
|
|
-keyout registration.cacert.localhost.key \
|
||
|
|
-out registration.cacert.localhost.csr.pem \
|
||
|
|
-subj /CN=registration.cacert.localhost \
|
||
|
|
-addext subjectAltName=DNS:registration.cacert.localhost
|
||
|
|
cp *.csr.pem $PATH_TO_DEVSETUP_TESTCA/
|
||
|
|
```
|
||
|
|
|
||
|
|
2. Use the CA to sign the certificates
|
||
|
|
|
||
|
|
```
|
||
|
|
pushd $PATH_TO_DEVSETUP_TESTCA/
|
||
|
|
openssl ca -config ca.cnf -name class3_ca -extensions server_ext \
|
||
|
|
-in registration.cacert.localhost.csr.pem \
|
||
|
|
-out registration.cacert.localhost.crt.pem -days 365
|
||
|
|
popd
|
||
|
|
cp $PATH_TO_DEVSETUP_TESTCA/registration.cacert.localhost.crt.pem .
|
||
|
|
```
|
||
|
|
|
||
|
|
3. Copy CA certificate for client certificates
|
||
|
|
|
||
|
|
```
|
||
|
|
openssl x509 -in $PATH_TO_DEVSETUP_TESTCA/class3/ca.crt.pem \
|
||
|
|
-out client_ca.pem
|
||
|
|
```
|
||
|
|
|
||
|
|
### Configure registration
|
||
|
|
|
||
|
|
The client registration application requires a strong random key for its
|
||
|
|
CSRF cookie. You can generate such a key using the following openssl command:
|
||
|
|
|
||
|
|
```
|
||
|
|
openssl rand -base64 32
|
||
|
|
```
|
||
|
|
|
||
|
|
Use this value and the URL of the Hydra admin API to create
|
||
|
|
`registration.toml`:
|
||
|
|
|
||
|
|
```
|
||
|
|
[security]
|
||
|
|
csrf.key = "<32 bytes of base64 encoded data>"
|
||
|
|
|
||
|
|
[hydra]
|
||
|
|
admin.url = "https://hydra.cacert.localhost:4445/"
|
||
|
|
```
|
||
|
|
|
||
|
|
## Start
|
||
|
|
|
||
|
|
Now you can start Hydra, the IDP and the demo app in 3 terminal windows:
|
||
|
|
|
||
|
|
```
|
||
|
|
go run cmd/registration/main.go
|
||
|
|
```
|
||
|
|
|
||
|
|
Visit https://registration.cacert.localhost:5000/ in a Browser to use the
|
||
|
|
client registration application.
|
||
|
|
|
||
|
|
## Translations
|
||
|
|
|
||
|
|
This application uses [go-i18n](https://github.com/nicksnyder/go-i18n/) for
|
||
|
|
internationalization (i18n) support.
|
||
|
|
|
||
|
|
The translation workflow needs the `go18n` binary which can be installed via
|
||
|
|
|
||
|
|
```
|
||
|
|
go get -u github.com/nicksnyder/go-i18n/v2/goi18n
|
||
|
|
```
|
||
|
|
|
||
|
|
To extract new messages from the code run
|
||
|
|
|
||
|
|
```
|
||
|
|
goi18n extract .
|
||
|
|
```
|
||
|
|
|
||
|
|
Then use
|
||
|
|
|
||
|
|
```
|
||
|
|
goi18n merge active.*.toml
|
||
|
|
```
|
||
|
|
|
||
|
|
to create TOML files for translation as `translate.<locale>.toml`. After translating the messages run
|
||
|
|
|
||
|
|
```
|
||
|
|
goi18n merge active.*.toml translate.*.toml
|
||
|
|
```
|
||
|
|
|
||
|
|
to merge the messages back into the active translation files. To add a new language you need to add the language code
|
||
|
|
to the languages configuration option (default is defined in the configmap in cmd/idp/main.go and cmd/app/main.go).
|