feat: add hydra-webauthn

defaults/main.yml

@@ -15,6 +15,7 @@ cadoles_pod_hydra_remote_user_v1_package_version: '*'
 cadoles_pod_hydra_passwordless_v1_package_version: '*'
 cadoles_pod_hydra_oidc_v1_package_version: '*'
 cadoles_pod_hydra_ldap_v1_package_version: '*'
+cadoles_pod_hydra_webauthn_v1_package_version: '*'
 
 # Hydra database configuration
 hydra_use_external_database: false
@@ -35,6 +36,7 @@ haproxy_hydra_passwordless_base_path: /auth/passwordless
 haproxy_hydra_saml_base_path: /auth/saml
 haproxy_hydra_oidc_base_path: /auth/oidc
 haproxy_hydra_ldap_base_path: /auth/ldap
+haproxy_hydra_webauthn_base_path: /auth/webauthn
 haproxy_oidc_test_base_path: /auth/test
 
 haproxy_forwarded_proto: https
@@ -102,6 +104,7 @@ hydra_dispatcher_webhook_rules:
       required: false
     sub:
       required: false
+
 # Hydra Passwordless configuration
 
 enable_hydra_passwordless: yes
@@ -307,3 +310,38 @@ hydra_ldap_role_attr: cn
 hydra_ldap_use_tls: false
 hydra_ldap_role_claim: roles
 hydra_ldap_claim_scopes: "name:profile,family_name:profile,given_name:profile,email:email,roles:roles"
+
+# Hydra WebAuthn configuration
+
+enable_hydra_webauthn: false
+hydra_webauthn_api_accounts:
+  - username: admin
+    password: NotSoSecret;21
+hydra_webauthn_relyingparty_id: "{{ ansible_default_ipv4.address | default(ansible_all_ipv4_addresses[0]) }}"
+hydra_webauthn_relyingparty_origins:
+  - "http://{{ ansible_default_ipv4.address | default(ansible_all_ipv4_addresses[0]) }}"
+hydra_webauthn_app_title:
+  fr: WebAuthn
+hydra_webauthn_app_description: 
+  fr: Authentification via clé cryptographique
+hydra_webauthn_app_icon_url: https://webauthn.io/static/images/shield.svg
+hydra_webauthn_identity_provider_id: webauthn
+hydra_webauthn_attributes_rewrite_rules:
+  email:
+    - "property_exists(consent.session.id_token, 'email') ? consent.session.id_token.email : null"
+  email_verified:
+    - "property_exists(consent.session.id_token, 'email_verified') ? consent.session.id_token.email_verified : false"
+  family_name:
+    - "property_exists(consent.session.id_token, 'family_name') ? consent.session.id_token.family_name : null"
+  given_name:
+    - "property_exists(consent.session.id_token, 'given_name') ? consent.session.id_token.given_name : null"
+  birthdate:
+    - "property_exists(consent.session.id_token, 'birthdate') ? consent.session.id_token.birthdate : null"
+  gender:
+    - "property_exists(consent.session.id_token, 'gender') ? consent.session.id_token.gender : null"
+  birthplace:
+    - "property_exists(consent.session.id_token, 'birthplace') ? consent.session.id_token.birthplace : null"
+  birthcountry:
+    - "property_exists(consent.session.id_token, 'birthcountry') ? consent.session.id_token.birthcountry : null"
+  roles:
+    - "property_exists(consent.session.id_token, 'roles') ? consent.session.id_token.roles : []"