towk/opaal
1
0
Fork 0
mirror of https://github.com/davidallendj/opaal.git synced 2025-12-19 19:17:01 -07:00
Code Issues Projects Releases Packages Wiki Activity Actions

Update README.md about internal IDP

Browse source
This commit is contained in:
David J. Allen 2024-04-18 12:55:16 -06:00
parent b45821e587
commit 2762a95da5
No known key found for this signature in database
GPG key ID: 717C593FF60A2ACC
1 changed files with 48 additions and 12 deletions
Download patch file Download diff file Expand all files Collapse all files

60
README.md
View file

@ -28,12 +28,39 @@ These commands will create a default config, then start the login process. Maybe
- [Gitlab](https://about.gitlab.com/) - [Gitlab](https://about.gitlab.com/)
- [Forgejo](https://forgejo.org/) (fork of Gitea) - [Forgejo](https://forgejo.org/) (fork of Gitea)
The tool is now able to run an internal example identity provider using the `serve` subcommand.
```bash
./opaal serve --config config.yaml
```
This will start a server that allows you to login with `opaal` itself. Currently, it is only has one example user to use for log in. The username and password combination is `ochami:ochami`. It uses the same config file as before with additional parameters set in the config file:
```yaml
server:
...
issuer:
host: "127.0.0.1"
port: 3332
authentication:
clients:
- id: "ochami"
secret: "ochami"
name: "ochami"
issuer: "http://127.0.0.1:3332"
redirect-uris:
- "http://127.0.0.1:3333/oidc/callback"
```
See the [Configuration](#configuration) section for the entire config file.
### Authorization Code Flow ### Authorization Code Flow
`opaal` has the ability to completely execute the authorization code and return an access token from an authorization server using social sign-in. The process works as follows: `opaal` has the ability to completely execute the authorization code and return an access token from an authorization server using social sign-in. The process works as follows:
1. Click the authorization link or navigate to the hosted endpoint in your browser (127.0.0.1:3333 by default) 1. Click the authorization link or navigate to the hosted endpoint in your browser (127.0.0.1:3333 by default)
- Alternatively, you can use a link produced - Alternatively, you can use a link produced
2. Login using identity provider credentials 2. Login using identity provider credentials
3. Authorize application registered with IdP 3. Authorize application registered with IdP
4. IdP redirects to specified redirect URI 4. IdP redirects to specified redirect URI
@ -41,27 +68,29 @@ These commands will create a default config, then start the login process. Maybe
- ...verifying the authenticity of the ID token from identity provider with its JWKS - ...verifying the authenticity of the ID token from identity provider with its JWKS
- ...adds itself as a trusted issuer to the authorization server with it's own JWK - ...adds itself as a trusted issuer to the authorization server with it's own JWK
- ...creates a new signed JWT to send to the authorization server with the `urn:ietf:params:oauth:grant-type:jwt-bearer` grant type - ...creates a new signed JWT to send to the authorization server with the `urn:ietf:params:oauth:grant-type:jwt-bearer` grant type
- ... returns an access token that can be used by services protected by the authorization server - ... returns an access token that can be used by services protected by the authorization server
*After receiving the ID token, the rest of the flow requires the appropriate URLs to be set to continue. *After receiving the ID token, the rest of the flow requires the appropriate URLs to be set to continue.
### Client Credentials Flow ### Client Credentials Flow
`opaal` also has
## Configuration ## Configuration
Here is an example configuration file: Here is an example configuration file:
```yaml ```yaml
version: "0.0.1" version: "0.3.2"
server: server:
host: "127.0.0.1" host: "127.0.0.1"
port: 3333 port: 3333
callback: "/oidc/callback" callback: "/oidc/callback"
issuer:
host: "127.0.0.1"
port: 3332
providers: providers:
opaal: "https://127.0.0.1:3332"
forgejo: "http://127.0.0.1:3000" forgejo: "http://127.0.0.1:3000"
authentication: authentication:
@ -83,7 +112,17 @@ authentication:
client-credentials: client-credentials:
authorization: authorization:
urls: token:
forwarding: false
refresh: false
duration: 16h
scope:
- smd.read
key-path: ./keys
endpoints:
issuer: http://127.0.0.1:4444
config: http://127.0.0.1:4444/.well-known/openid-configuration
jwks: http://127.0.0.1:4444/.well-known/jwks.json
#identities: http://127.0.0.1:4434/admin/identities #identities: http://127.0.0.1:4434/admin/identities
trusted-issuers: http://127.0.0.1:4445/admin/trust/grants/jwt-bearer/issuers trusted-issuers: http://127.0.0.1:4445/admin/trust/grants/jwt-bearer/issuers
login: http://127.0.0.1:4433/self-service/login/api login: http://127.0.0.1:4433/self-service/login/api
@ -91,17 +130,14 @@ authorization:
authorize: http://127.0.0.1:4444/oauth2/auth authorize: http://127.0.0.1:4444/oauth2/auth
register: http://127.0.0.1:4444/oauth2/register register: http://127.0.0.1:4444/oauth2/register
token: http://127.0.0.1:4444/oauth2/token token: http://127.0.0.1:4444/oauth2/token
clients:
- id: bss
secret: IAMBSS
options: options:
decode-id-token: true
decode-access-token: true
run-once: true run-once: true
open-browser: false open-browser: false
forward: false flow: authorization_code
cache-only: false
verbose: true
``` ```
## Troubleshooting ## Troubleshooting