Compare commits
2 Commits
master
...
hydra-weba
Author | SHA1 | Date | |
---|---|---|---|
03d6e9dcd7 | |||
4133892e27 |
@ -15,6 +15,7 @@ cadoles_pod_hydra_remote_user_v1_package_version: '*'
|
||||
cadoles_pod_hydra_passwordless_v1_package_version: '*'
|
||||
cadoles_pod_hydra_oidc_v1_package_version: '*'
|
||||
cadoles_pod_hydra_ldap_v1_package_version: '*'
|
||||
cadoles_pod_hydra_webauthn_v1_package_version: '*'
|
||||
|
||||
# Hydra database configuration
|
||||
hydra_use_external_database: false
|
||||
@ -35,6 +36,7 @@ haproxy_hydra_passwordless_base_path: /auth/passwordless
|
||||
haproxy_hydra_saml_base_path: /auth/saml
|
||||
haproxy_hydra_oidc_base_path: /auth/oidc
|
||||
haproxy_hydra_ldap_base_path: /auth/ldap
|
||||
haproxy_hydra_webauthn_base_path: /auth/webauthn
|
||||
haproxy_oidc_test_base_path: /auth/test
|
||||
|
||||
haproxy_forwarded_proto: https
|
||||
@ -53,11 +55,6 @@ hydra_public_cors_allowed_origins: []
|
||||
hydra_log_level: warn
|
||||
hydra_log_leak_sensitive_values: no
|
||||
|
||||
# Durée de vie des "refresh_token"
|
||||
hydra_ttl_refresh_token: "24h"
|
||||
|
||||
hydra_bcrypt_cost: 8
|
||||
|
||||
# This value should not be changed after first deployment !
|
||||
hydra_secrets_seed: "{{ inventory_hostname }}"
|
||||
|
||||
@ -107,6 +104,7 @@ hydra_dispatcher_webhook_rules:
|
||||
required: false
|
||||
sub:
|
||||
required: false
|
||||
|
||||
# Hydra Passwordless configuration
|
||||
|
||||
enable_hydra_passwordless: yes
|
||||
@ -171,6 +169,9 @@ hydra_saml_debug: no
|
||||
# Niveau de verbosité du service shibboleth-sp
|
||||
hydra_saml_sp_log_level: WARN
|
||||
|
||||
# Durée de vie des "refresh_token"
|
||||
hydra_ttl_refresh_token: "24h"
|
||||
|
||||
# Inclure les règles de cartographie des attributs SAML fournis par défaut par le projet hydra-shibboleth-sp-v3
|
||||
hydra_saml_include_sp_default_attributes_mapping: "yes"
|
||||
|
||||
@ -228,7 +229,6 @@ oidc_test_app_public_base_url: "{{ haproxy_public_base_url }}{{ haproxy_oidc_tes
|
||||
|
||||
enable_hydra_oidc: no
|
||||
hydra_oidc_debug: no
|
||||
hydra_oidc_internal_port: 8080
|
||||
hydra_oidc_hydra_url_error:
|
||||
hydra_oidc_base_url:
|
||||
hydra_oidc_cookie_path: "{{ haproxy_hydra_oidc_base_path }}"
|
||||
@ -310,3 +310,38 @@ hydra_ldap_role_attr: cn
|
||||
hydra_ldap_use_tls: false
|
||||
hydra_ldap_role_claim: roles
|
||||
hydra_ldap_claim_scopes: "name:profile,family_name:profile,given_name:profile,email:email,roles:roles"
|
||||
|
||||
# Hydra WebAuthn configuration
|
||||
|
||||
enable_hydra_webauthn: false
|
||||
hydra_webauthn_api_accounts:
|
||||
- username: admin
|
||||
password: NotSoSecret;21
|
||||
hydra_webauthn_relyingparty_id: "{{ ansible_default_ipv4.address | default(ansible_all_ipv4_addresses[0]) }}"
|
||||
hydra_webauthn_relyingparty_origins:
|
||||
- "http://{{ ansible_default_ipv4.address | default(ansible_all_ipv4_addresses[0]) }}"
|
||||
hydra_webauthn_app_title:
|
||||
fr: WebAuthn
|
||||
hydra_webauthn_app_description:
|
||||
fr: Authentification via clé cryptographique
|
||||
hydra_webauthn_app_icon_url: https://webauthn.io/static/images/shield.svg
|
||||
hydra_webauthn_identity_provider_id: webauthn
|
||||
hydra_webauthn_attributes_rewrite_rules:
|
||||
email:
|
||||
- "property_exists(consent.session.id_token, 'email') ? consent.session.id_token.email : null"
|
||||
email_verified:
|
||||
- "property_exists(consent.session.id_token, 'email_verified') ? consent.session.id_token.email_verified : false"
|
||||
family_name:
|
||||
- "property_exists(consent.session.id_token, 'family_name') ? consent.session.id_token.family_name : null"
|
||||
given_name:
|
||||
- "property_exists(consent.session.id_token, 'given_name') ? consent.session.id_token.given_name : null"
|
||||
birthdate:
|
||||
- "property_exists(consent.session.id_token, 'birthdate') ? consent.session.id_token.birthdate : null"
|
||||
gender:
|
||||
- "property_exists(consent.session.id_token, 'gender') ? consent.session.id_token.gender : null"
|
||||
birthplace:
|
||||
- "property_exists(consent.session.id_token, 'birthplace') ? consent.session.id_token.birthplace : null"
|
||||
birthcountry:
|
||||
- "property_exists(consent.session.id_token, 'birthcountry') ? consent.session.id_token.birthcountry : null"
|
||||
roles:
|
||||
- "property_exists(consent.session.id_token, 'roles') ? consent.session.id_token.roles : []"
|
@ -46,7 +46,6 @@
|
||||
name: cadoles-pod-hydra-oidc-v1
|
||||
state: restarted
|
||||
become: true
|
||||
when: not install_only
|
||||
|
||||
- name: Restart cadoles-pod-hydra-ldap-v1
|
||||
service:
|
||||
@ -55,6 +54,13 @@
|
||||
become: true
|
||||
when: not install_only
|
||||
|
||||
- name: Restart cadoles-pod-hydra-webauthn-v1
|
||||
service:
|
||||
name: cadoles-pod-hydra-webauthn-v1
|
||||
state: restarted
|
||||
become: true
|
||||
when: not install_only
|
||||
|
||||
- name: Restart cadoles-pod-goweb-oidc-v1
|
||||
service:
|
||||
name: cadoles-pod-goweb-oidc-v1
|
||||
|
@ -89,10 +89,6 @@ properties:
|
||||
hydra_ttl_refresh_token:
|
||||
type: string
|
||||
|
||||
hydra_brypt_cost:
|
||||
type: number
|
||||
description: Coût CPU pour calculer des hachages de secret (4-31)
|
||||
|
||||
# This value should not be changed after first deployment !
|
||||
hydra_secrets_seed:
|
||||
type: string
|
||||
|
@ -1,21 +0,0 @@
|
||||
---
|
||||
# Simple task to update the config files of cadoles-pod-shibboleth-sp only.
|
||||
|
||||
- name: Configure cadoles-pod-shibboleth-sp-v3
|
||||
ansible.builtin.template:
|
||||
src: "{{ item.src }}"
|
||||
dest: "{{ item.dest }}"
|
||||
mode: "{{ item.mode }}"
|
||||
with_items:
|
||||
- src: cadoles-pod-shibboleth-sp-v3.conf.j2
|
||||
dest: /etc/cadoles-pod-shibboleth-sp-v3.conf
|
||||
mode: u=rw,g=r
|
||||
- src: shibboleth-attribute-map.inc.xml.j2
|
||||
dest: /etc/shibboleth/attribute-map.inc.xml
|
||||
mode: u=rw,g=r,o=r
|
||||
- src: shibboleth-attribute-policy.inc.xml.j2
|
||||
dest: /etc/shibboleth/attribute-policy.inc.xml
|
||||
mode: u=rw,g=r,o=r
|
||||
notify:
|
||||
- Restart cadoles-pod-shibboleth-sp-v3
|
||||
become: true
|
25
tasks/hydra-webauthn.yml
Normal file
25
tasks/hydra-webauthn.yml
Normal file
@ -0,0 +1,25 @@
|
||||
---
|
||||
|
||||
- name: Install cadoles-pod-hydra-webauthn-v1 package
|
||||
ansible.builtin.apt:
|
||||
name:
|
||||
- "cadoles-pod-hydra-webauthn-v1={{ cadoles_pod_hydra_webauthn_v1_package_version }}"
|
||||
update_cache: yes
|
||||
state: present
|
||||
become: true
|
||||
|
||||
- name: Create data directory
|
||||
file:
|
||||
path: /var/lib/cadoles-pod-webauthn-v1/data
|
||||
state: directory
|
||||
|
||||
- name: Configure cadoles-pod-hydra-webauthn-v1
|
||||
template:
|
||||
src: "{{ item.src }}"
|
||||
dest: "{{ item.dest }}"
|
||||
with_items:
|
||||
- src: cadoles-pod-hydra-webauthn-v1.conf.j2
|
||||
dest: /etc/cadoles-pod-hydra-webauthn-v1.conf
|
||||
notify:
|
||||
- Restart cadoles-pod-hydra-webauthn-v1
|
||||
become: true
|
@ -101,6 +101,10 @@
|
||||
ansible.builtin.include_tasks: hydra-ldap.yml
|
||||
when: enable_hydra_ldap
|
||||
|
||||
- name: Configure WebAuthn authentification if enabled
|
||||
ansible.builtin.include_tasks: hydra-webauthn.yml
|
||||
when: enable_hydra_webauthn
|
||||
|
||||
- name: Start OIDC Test app if enabled
|
||||
ansible.builtin.include_tasks: start-oidc-test.yml
|
||||
when: enable_oidc_test_app and not install_only
|
||||
|
@ -7,6 +7,7 @@
|
||||
with_items:
|
||||
- client_id: "{{ oidc_test_app_client_id }}"
|
||||
client_secret: "{{ oidc_test_app_client_secret }}"
|
||||
client_uri: "{{ oidc_test_app_public_base_url }}"
|
||||
client_name: "OIDC Test"
|
||||
redirect_uris: ["{{ oidc_test_app_public_base_url }}/oauth2/callback"]
|
||||
post_logout_redirect_uris: ["{{ oidc_test_app_public_base_url }}"]
|
||||
|
@ -1,33 +0,0 @@
|
||||
---
|
||||
# Simple task to update the package/container cadoles-pod-hydra-remote-user only.
|
||||
- name: Install hydra-remote-user package
|
||||
ansible.builtin.apt:
|
||||
name:
|
||||
- cadoles-pod-hydra-remote-user-v1={{ cadoles_pod_hydra_remote_user_v1_package_version }}
|
||||
update_cache: yes
|
||||
state: present
|
||||
become: true
|
||||
|
||||
- name: Configure cadoles-pod-hydra-remote-user-v1
|
||||
template:
|
||||
src: "{{ item.src }}"
|
||||
dest: "{{ item.dest }}"
|
||||
mode: "{{ item.mode }}"
|
||||
with_items:
|
||||
- src: cadoles-pod-hydra-remote-user-v1.conf.j2
|
||||
dest: /etc/cadoles-pod-hydra-remote-user-v1.conf
|
||||
mode: u=rw,g=r
|
||||
- src: hydra-remote-user.yml.j2
|
||||
dest: /etc/hydra-remote-user/conf.d/remote-user.yml
|
||||
mode: u=rw,g=r,o=r
|
||||
notify:
|
||||
- Restart cadoles-pod-hydra-remote-user-v1
|
||||
become: true
|
||||
|
||||
- name: Configure cadoles-pod-hydra-remote-user-v1 (2)
|
||||
ansible.builtin.copy:
|
||||
src: hydra-remote-user-v1-apache.conf
|
||||
dest: /etc/hydra-remote-user/apache.conf
|
||||
notify:
|
||||
- Restart cadoles-pod-hydra-remote-user-v1
|
||||
become: true
|
@ -8,5 +8,15 @@
|
||||
state: present
|
||||
become: true
|
||||
|
||||
- name: Configure hydra SP
|
||||
ansible.builtin.include_tasks: configure-hydra-sp.yml
|
||||
- name: Configure cadoles-pod-shibboleth-sp-v3
|
||||
template:
|
||||
src: "{{ item.src }}"
|
||||
dest: "{{ item.dest }}"
|
||||
mode: "{{ item.mode }}"
|
||||
with_items:
|
||||
- src: cadoles-pod-shibboleth-sp-v3.conf.j2
|
||||
dest: /etc/cadoles-pod-shibboleth-sp-v3.conf
|
||||
mode: u=rw,g=r
|
||||
notify:
|
||||
- Restart cadoles-pod-shibboleth-sp-v3
|
||||
become: true
|
||||
|
@ -4,7 +4,7 @@ PODMAN_ARGS="\
|
||||
--replace \
|
||||
--network=slirp4netns:allow_host_loopback=true \
|
||||
--tz=local \
|
||||
-p 127.0.0.1:3004:{{ hydra_oidc_internal_port | default(8080) }} \
|
||||
-p 127.0.0.1:3004:8080 \
|
||||
-e APP_ENV=prod \
|
||||
-e 'APP_DEBUG={{ hydra_oidc_debug }}' \
|
||||
-e 'HYDRA_ADMIN_BASE_URL=http://10.0.2.2:3000' \
|
||||
|
@ -25,6 +25,5 @@ PODMAN_ARGS="\
|
||||
{% endif %}
|
||||
-e 'HYDRA_SECRETS_SYSTEM={{ lookup('ansible.builtin.password', '/dev/null length=32 seed=hydra_secrets_seed') }}' \
|
||||
-e 'HYDRA_OIDC_SUBJECT_IDENTIFIERS_PAIRWISE_SALT={{ lookup('ansible.builtin.password', '/dev/null length=32 seed=hydra_secrets_seed') }}' \
|
||||
-e 'HYDRA_BCRYPT_COST={{ hydra_bcrypt_cost }}' \
|
||||
-v /etc/hydra/clients.d:/etc/hydra/clients.d \
|
||||
"
|
||||
|
12
templates/cadoles-pod-hydra-webauthn-v1.conf.j2
Normal file
12
templates/cadoles-pod-hydra-webauthn-v1.conf.j2
Normal file
@ -0,0 +1,12 @@
|
||||
# {{ ansible_managed }}
|
||||
PODMAN_ARGS="\
|
||||
-p 127.0.0.1:3006:3000 \
|
||||
--network=slirp4netns:allow_host_loopback=true \
|
||||
--replace --name 'cadoles-pod-hydra-webauthn-v1' \
|
||||
--tz=local \
|
||||
-e 'HYDRA_WEBAUTHN_HTTP_BASE_URL={{ haproxy_public_base_url }}/auth/webauthn' \
|
||||
-e 'HYDRA_WEBAUTHN_HYDRA_BASE_URL=http://10.0.2.2:3000' \
|
||||
-e 'HYDRA_WEBAUTHN_WEBAUTHN_RELYINGPARTY_ID={{ hydra_webauthn_relyingparty_id }}' \
|
||||
-e 'HYDRA_WEBAUTHN_WEBAUTHN_RELYINGPARTY_ORIGINS={{ hydra_webauthn_relyingparty_origins | join(',') }}' \
|
||||
-v '/var/lib/cadoles-pod-webauthn-v1/data:/app/data' \
|
||||
"
|
@ -54,6 +54,9 @@ frontend http-in
|
||||
{% if enable_hydra_ldap %}
|
||||
acl login_ldap path_beg -i {{ haproxy_hydra_ldap_base_path }}
|
||||
{% endif %}
|
||||
{% if enable_hydra_webauthn %}
|
||||
acl login_webauthn path_beg -i {{ haproxy_hydra_webauthn_base_path }}
|
||||
{% endif %}
|
||||
{% if enable_oidc_test_app %}
|
||||
acl oidc_test path_beg -i {{ haproxy_oidc_test_base_path }}
|
||||
{% endif %}
|
||||
@ -73,6 +76,9 @@ frontend http-in
|
||||
{% if enable_hydra_ldap %}
|
||||
use_backend hydra_ldap if login_ldap
|
||||
{% endif %}
|
||||
{% if enable_hydra_webauthn %}
|
||||
use_backend hydra_webauthn if login_webauthn
|
||||
{% endif %}
|
||||
{% if enable_oidc_test_app %}
|
||||
use_backend oidc_test if oidc_test
|
||||
{% endif %}
|
||||
@ -138,6 +144,15 @@ backend hydra_ldap
|
||||
server hydra-login-ldap 127.0.0.1:3005 check
|
||||
{%- endif %}
|
||||
|
||||
{% if enable_hydra_webauthn %}
|
||||
# Backend Hydra WebAuthn
|
||||
backend hydra_webauthn
|
||||
balance roundrobin
|
||||
http-request set-path %[path,regsub(^{{ haproxy_hydra_webauthn_base_path }},)]
|
||||
http-request set-header X-Forwarded-Prefix {{ haproxy_hydra_webauthn_base_path }}
|
||||
server hydra-login-ldap 127.0.0.1:3006 check
|
||||
{%- endif %}
|
||||
|
||||
{% if enable_oidc_test_app %}
|
||||
backend oidc_test
|
||||
balance roundrobin
|
||||
|
@ -8,6 +8,7 @@
|
||||
"post_logout_redirect_uris": {{ item.post_logout_redirect_uris | default([]) | to_json }},
|
||||
"redirect_uris": {{ item.redirect_uris | default([]) | to_json }},
|
||||
"response_types": {{ item.response_types | default(["code"]) | to_json }},
|
||||
"client_uri": {{ item.client_uri | default("") | to_json }},
|
||||
"logo_uri": {{ item.logo_uri | default("") | to_json }},
|
||||
"scope": {{ item.scope | default("openid profile email webhook") | to_json }},
|
||||
"token_endpoint_auth_method": {{ item.token_endpoint_auth_method | default("client_secret_post") | to_json }}
|
||||
|
@ -64,6 +64,20 @@ hydra:
|
||||
logout_url: "{{ haproxy_public_base_url }}{{ haproxy_hydra_ldap_base_path }}/auth/logout"
|
||||
attributes_rewrite_configuration: {{ hydra_ldap_attributes_rewrite_configuration | default({}) | to_json }}
|
||||
icon_url: "{{ hydra_ldap_app_icon_url }}"
|
||||
{% endif %}
|
||||
{% if enable_hydra_webauthn %}
|
||||
- id: {{ hydra_webauthn_identity_provider_id | default("webauthn") }}
|
||||
title:
|
||||
fr: "{{ hydra_webauthn_app_title.fr }}"
|
||||
en: "{{ hydra_webauthn_app_title.en | default(hydra_webauthn_app_title.fr) }}"
|
||||
description:
|
||||
fr: "{{ hydra_webauthn_app_description.fr }}"
|
||||
en: "{{ hydra_webauthn_app_description.en | default(hydra_webauthn_app_description.fr) }}"
|
||||
login_url: "{{ haproxy_public_base_url }}{{ haproxy_hydra_webauthn_base_path }}/login"
|
||||
consent_url: "{{ haproxy_public_base_url }}{{ haproxy_hydra_webauthn_base_path }}/consent"
|
||||
logout_url: "{{ haproxy_public_base_url }}{{ haproxy_hydra_webauthn_base_path }}/logout"
|
||||
attributes_rewrite_configuration: {{ hydra_webauthn_attributes_rewrite_configuration | default({}) | to_json }}
|
||||
icon_url: "{{ hydra_webauthn_app_icon_url }}"
|
||||
{% endif %}
|
||||
webhook:
|
||||
enabled: {{ hydra_dispatcher_webhook }}
|
||||
|
Loading…
Reference in New Issue
Block a user