feat: add hydra-webauthn

This commit is contained in:
wpetit 2023-12-04 09:22:04 +01:00
parent 4133892e27
commit 03d6e9dcd7
9 changed files with 117 additions and 0 deletions

View File

@ -15,6 +15,7 @@ cadoles_pod_hydra_remote_user_v1_package_version: '*'
cadoles_pod_hydra_passwordless_v1_package_version: '*'
cadoles_pod_hydra_oidc_v1_package_version: '*'
cadoles_pod_hydra_ldap_v1_package_version: '*'
cadoles_pod_hydra_webauthn_v1_package_version: '*'
# Hydra database configuration
hydra_use_external_database: false
@ -35,6 +36,7 @@ haproxy_hydra_passwordless_base_path: /auth/passwordless
haproxy_hydra_saml_base_path: /auth/saml
haproxy_hydra_oidc_base_path: /auth/oidc
haproxy_hydra_ldap_base_path: /auth/ldap
haproxy_hydra_webauthn_base_path: /auth/webauthn
haproxy_oidc_test_base_path: /auth/test
haproxy_forwarded_proto: https
@ -102,6 +104,7 @@ hydra_dispatcher_webhook_rules:
required: false
sub:
required: false
# Hydra Passwordless configuration
enable_hydra_passwordless: yes
@ -307,3 +310,38 @@ hydra_ldap_role_attr: cn
hydra_ldap_use_tls: false
hydra_ldap_role_claim: roles
hydra_ldap_claim_scopes: "name:profile,family_name:profile,given_name:profile,email:email,roles:roles"
# Hydra WebAuthn configuration
enable_hydra_webauthn: false
hydra_webauthn_api_accounts:
- username: admin
password: NotSoSecret;21
hydra_webauthn_relyingparty_id: "{{ ansible_default_ipv4.address | default(ansible_all_ipv4_addresses[0]) }}"
hydra_webauthn_relyingparty_origins:
- "http://{{ ansible_default_ipv4.address | default(ansible_all_ipv4_addresses[0]) }}"
hydra_webauthn_app_title:
fr: WebAuthn
hydra_webauthn_app_description:
fr: Authentification via clé cryptographique
hydra_webauthn_app_icon_url: https://webauthn.io/static/images/shield.svg
hydra_webauthn_identity_provider_id: webauthn
hydra_webauthn_attributes_rewrite_rules:
email:
- "property_exists(consent.session.id_token, 'email') ? consent.session.id_token.email : null"
email_verified:
- "property_exists(consent.session.id_token, 'email_verified') ? consent.session.id_token.email_verified : false"
family_name:
- "property_exists(consent.session.id_token, 'family_name') ? consent.session.id_token.family_name : null"
given_name:
- "property_exists(consent.session.id_token, 'given_name') ? consent.session.id_token.given_name : null"
birthdate:
- "property_exists(consent.session.id_token, 'birthdate') ? consent.session.id_token.birthdate : null"
gender:
- "property_exists(consent.session.id_token, 'gender') ? consent.session.id_token.gender : null"
birthplace:
- "property_exists(consent.session.id_token, 'birthplace') ? consent.session.id_token.birthplace : null"
birthcountry:
- "property_exists(consent.session.id_token, 'birthcountry') ? consent.session.id_token.birthcountry : null"
roles:
- "property_exists(consent.session.id_token, 'roles') ? consent.session.id_token.roles : []"

View File

@ -54,6 +54,13 @@
become: true
when: not install_only
- name: Restart cadoles-pod-hydra-webauthn-v1
service:
name: cadoles-pod-hydra-webauthn-v1
state: restarted
become: true
when: not install_only
- name: Restart cadoles-pod-goweb-oidc-v1
service:
name: cadoles-pod-goweb-oidc-v1

25
tasks/hydra-webauthn.yml Normal file
View File

@ -0,0 +1,25 @@
---
- name: Install cadoles-pod-hydra-webauthn-v1 package
ansible.builtin.apt:
name:
- "cadoles-pod-hydra-webauthn-v1={{ cadoles_pod_hydra_webauthn_v1_package_version }}"
update_cache: yes
state: present
become: true
- name: Create data directory
file:
path: /var/lib/cadoles-pod-webauthn-v1/data
state: directory
- name: Configure cadoles-pod-hydra-webauthn-v1
template:
src: "{{ item.src }}"
dest: "{{ item.dest }}"
with_items:
- src: cadoles-pod-hydra-webauthn-v1.conf.j2
dest: /etc/cadoles-pod-hydra-webauthn-v1.conf
notify:
- Restart cadoles-pod-hydra-webauthn-v1
become: true

View File

@ -101,6 +101,10 @@
ansible.builtin.include_tasks: hydra-ldap.yml
when: enable_hydra_ldap
- name: Configure WebAuthn authentification if enabled
ansible.builtin.include_tasks: hydra-webauthn.yml
when: enable_hydra_webauthn
- name: Start OIDC Test app if enabled
ansible.builtin.include_tasks: start-oidc-test.yml
when: enable_oidc_test_app and not install_only

View File

@ -7,6 +7,7 @@
with_items:
- client_id: "{{ oidc_test_app_client_id }}"
client_secret: "{{ oidc_test_app_client_secret }}"
client_uri: "{{ oidc_test_app_public_base_url }}"
client_name: "OIDC Test"
redirect_uris: ["{{ oidc_test_app_public_base_url }}/oauth2/callback"]
post_logout_redirect_uris: ["{{ oidc_test_app_public_base_url }}"]

View File

@ -0,0 +1,12 @@
# {{ ansible_managed }}
PODMAN_ARGS="\
-p 127.0.0.1:3006:3000 \
--network=slirp4netns:allow_host_loopback=true \
--replace --name 'cadoles-pod-hydra-webauthn-v1' \
--tz=local \
-e 'HYDRA_WEBAUTHN_HTTP_BASE_URL={{ haproxy_public_base_url }}/auth/webauthn' \
-e 'HYDRA_WEBAUTHN_HYDRA_BASE_URL=http://10.0.2.2:3000' \
-e 'HYDRA_WEBAUTHN_WEBAUTHN_RELYINGPARTY_ID={{ hydra_webauthn_relyingparty_id }}' \
-e 'HYDRA_WEBAUTHN_WEBAUTHN_RELYINGPARTY_ORIGINS={{ hydra_webauthn_relyingparty_origins | join(',') }}' \
-v '/var/lib/cadoles-pod-webauthn-v1/data:/app/data' \
"

View File

@ -54,6 +54,9 @@ frontend http-in
{% if enable_hydra_ldap %}
acl login_ldap path_beg -i {{ haproxy_hydra_ldap_base_path }}
{% endif %}
{% if enable_hydra_webauthn %}
acl login_webauthn path_beg -i {{ haproxy_hydra_webauthn_base_path }}
{% endif %}
{% if enable_oidc_test_app %}
acl oidc_test path_beg -i {{ haproxy_oidc_test_base_path }}
{% endif %}
@ -73,6 +76,9 @@ frontend http-in
{% if enable_hydra_ldap %}
use_backend hydra_ldap if login_ldap
{% endif %}
{% if enable_hydra_webauthn %}
use_backend hydra_webauthn if login_webauthn
{% endif %}
{% if enable_oidc_test_app %}
use_backend oidc_test if oidc_test
{% endif %}
@ -138,6 +144,15 @@ backend hydra_ldap
server hydra-login-ldap 127.0.0.1:3005 check
{%- endif %}
{% if enable_hydra_webauthn %}
# Backend Hydra WebAuthn
backend hydra_webauthn
balance roundrobin
http-request set-path %[path,regsub(^{{ haproxy_hydra_webauthn_base_path }},)]
http-request set-header X-Forwarded-Prefix {{ haproxy_hydra_webauthn_base_path }}
server hydra-login-ldap 127.0.0.1:3006 check
{%- endif %}
{% if enable_oidc_test_app %}
backend oidc_test
balance roundrobin

View File

@ -8,6 +8,7 @@
"post_logout_redirect_uris": {{ item.post_logout_redirect_uris | default([]) | to_json }},
"redirect_uris": {{ item.redirect_uris | default([]) | to_json }},
"response_types": {{ item.response_types | default(["code"]) | to_json }},
"client_uri": {{ item.client_uri | default("") | to_json }},
"logo_uri": {{ item.logo_uri | default("") | to_json }},
"scope": {{ item.scope | default("openid profile email webhook") | to_json }},
"token_endpoint_auth_method": {{ item.token_endpoint_auth_method | default("client_secret_post") | to_json }}

View File

@ -64,6 +64,20 @@ hydra:
logout_url: "{{ haproxy_public_base_url }}{{ haproxy_hydra_ldap_base_path }}/auth/logout"
attributes_rewrite_configuration: {{ hydra_ldap_attributes_rewrite_configuration | default({}) | to_json }}
icon_url: "{{ hydra_ldap_app_icon_url }}"
{% endif %}
{% if enable_hydra_webauthn %}
- id: {{ hydra_webauthn_identity_provider_id | default("webauthn") }}
title:
fr: "{{ hydra_webauthn_app_title.fr }}"
en: "{{ hydra_webauthn_app_title.en | default(hydra_webauthn_app_title.fr) }}"
description:
fr: "{{ hydra_webauthn_app_description.fr }}"
en: "{{ hydra_webauthn_app_description.en | default(hydra_webauthn_app_description.fr) }}"
login_url: "{{ haproxy_public_base_url }}{{ haproxy_hydra_webauthn_base_path }}/login"
consent_url: "{{ haproxy_public_base_url }}{{ haproxy_hydra_webauthn_base_path }}/consent"
logout_url: "{{ haproxy_public_base_url }}{{ haproxy_hydra_webauthn_base_path }}/logout"
attributes_rewrite_configuration: {{ hydra_webauthn_attributes_rewrite_configuration | default({}) | to_json }}
icon_url: "{{ hydra_webauthn_app_icon_url }}"
{% endif %}
webhook:
enabled: {{ hydra_dispatcher_webhook }}