feat: add hydra-webauthn

templates/cadoles-pod-hydra-webauthn-v1.conf.j2

@@ -0,0 +1,12 @@
+# {{ ansible_managed }}
+PODMAN_ARGS="\
+    -p 127.0.0.1:3006:3000 \
+    --network=slirp4netns:allow_host_loopback=true \
+    --replace --name 'cadoles-pod-hydra-webauthn-v1' \
+    --tz=local \
+    -e 'HYDRA_WEBAUTHN_HTTP_BASE_URL={{ haproxy_public_base_url }}/auth/webauthn' \
+    -e 'HYDRA_WEBAUTHN_HYDRA_BASE_URL=http://10.0.2.2:3000' \
+    -e 'HYDRA_WEBAUTHN_WEBAUTHN_RELYINGPARTY_ID={{ hydra_webauthn_relyingparty_id }}' \
+    -e 'HYDRA_WEBAUTHN_WEBAUTHN_RELYINGPARTY_ORIGINS={{ hydra_webauthn_relyingparty_origins | join(',') }}' \
+    -v '/var/lib/cadoles-pod-webauthn-v1/data:/app/data' \
+"

templates/haproxy.cfg.j2

@@ -54,6 +54,9 @@ frontend http-in
 {% if enable_hydra_ldap %}
     acl login_ldap path_beg -i {{ haproxy_hydra_ldap_base_path }}
 {% endif %}
+{% if enable_hydra_webauthn %}
+    acl login_webauthn path_beg -i {{ haproxy_hydra_webauthn_base_path }}
+{% endif %}
 {% if enable_oidc_test_app %}
     acl oidc_test path_beg -i {{ haproxy_oidc_test_base_path }}
 {% endif %}
@@ -73,6 +76,9 @@ frontend http-in
 {% if enable_hydra_ldap %}
     use_backend hydra_ldap if login_ldap
 {% endif %}
+{% if enable_hydra_webauthn %}
+    use_backend hydra_webauthn if login_webauthn
+{% endif %}
 {% if enable_oidc_test_app %}
     use_backend oidc_test if oidc_test
 {% endif %}
@@ -138,6 +144,15 @@ backend hydra_ldap
     server hydra-login-ldap 127.0.0.1:3005 check
 {%- endif %}
 
+{% if enable_hydra_webauthn %}
+# Backend Hydra WebAuthn
+backend hydra_webauthn
+    balance roundrobin
+    http-request set-path %[path,regsub(^{{ haproxy_hydra_webauthn_base_path }},)]
+    http-request set-header X-Forwarded-Prefix {{ haproxy_hydra_webauthn_base_path }}
+    server hydra-login-ldap 127.0.0.1:3006 check
+{%- endif %}
+
 {% if enable_oidc_test_app %}
 backend oidc_test
     balance roundrobin

templates/hydra-client.json.j2

@@ -8,6 +8,7 @@
 	"post_logout_redirect_uris": {{ item.post_logout_redirect_uris | default([]) | to_json }},
 	"redirect_uris": {{ item.redirect_uris | default([]) | to_json }},
 	"response_types": {{ item.response_types | default(["code"]) | to_json }},
+	"client_uri": {{ item.client_uri | default("") | to_json }},
 	"logo_uri": {{ item.logo_uri | default("") | to_json }},
 	"scope": {{ item.scope | default("openid profile email webhook") | to_json }},
 	"token_endpoint_auth_method": {{ item.token_endpoint_auth_method | default("client_secret_post") | to_json }}

templates/hydra-dispatcher-apps.yml.j2

@@ -64,6 +64,20 @@ hydra:
       logout_url: "{{ haproxy_public_base_url }}{{ haproxy_hydra_ldap_base_path }}/auth/logout"
       attributes_rewrite_configuration: {{ hydra_ldap_attributes_rewrite_configuration  | default({}) | to_json }}
       icon_url: "{{ hydra_ldap_app_icon_url }}"
+{% endif %}
+{% if enable_hydra_webauthn %}
+    - id: {{ hydra_webauthn_identity_provider_id | default("webauthn") }}
+      title:
+        fr: "{{ hydra_webauthn_app_title.fr }}"
+        en: "{{ hydra_webauthn_app_title.en | default(hydra_webauthn_app_title.fr)  }}"
+      description:
+        fr: "{{ hydra_webauthn_app_description.fr }}"
+        en: "{{ hydra_webauthn_app_description.en | default(hydra_webauthn_app_description.fr)  }}"
+      login_url: "{{ haproxy_public_base_url }}{{ haproxy_hydra_webauthn_base_path }}/login"
+      consent_url: "{{ haproxy_public_base_url }}{{ haproxy_hydra_webauthn_base_path }}/consent"
+      logout_url: "{{ haproxy_public_base_url }}{{ haproxy_hydra_webauthn_base_path }}/logout"
+      attributes_rewrite_configuration: {{ hydra_webauthn_attributes_rewrite_configuration | default({}) | to_json }}
+      icon_url: "{{ hydra_webauthn_app_icon_url }}"
 {% endif %}
   webhook:
     enabled: {{ hydra_dispatcher_webhook }}