feat: add hydra-webauthn

defaults/main.yml

@@ -15,6 +15,7 @@ cadoles_pod_hydra_remote_user_v1_package_version: '*'
 cadoles_pod_hydra_passwordless_v1_package_version: '*'
 cadoles_pod_hydra_oidc_v1_package_version: '*'
 cadoles_pod_hydra_ldap_v1_package_version: '*'
+cadoles_pod_hydra_webauthn_v1_package_version: '*'
 
 # Hydra database configuration
 hydra_use_external_database: false
@@ -35,6 +36,7 @@ haproxy_hydra_passwordless_base_path: /auth/passwordless
 haproxy_hydra_saml_base_path: /auth/saml
 haproxy_hydra_oidc_base_path: /auth/oidc
 haproxy_hydra_ldap_base_path: /auth/ldap
+haproxy_hydra_webauthn_base_path: /auth/webauthn
 haproxy_oidc_test_base_path: /auth/test
 
 haproxy_forwarded_proto: https
@@ -53,11 +55,6 @@ hydra_public_cors_allowed_origins: []
 hydra_log_level: warn
 hydra_log_leak_sensitive_values: no
 
-# Durée de vie des "refresh_token"
-hydra_ttl_refresh_token: "24h"
-
-hydra_bcrypt_cost: 8
-
 # This value should not be changed after first deployment !
 hydra_secrets_seed: "{{ inventory_hostname }}"
 
@@ -107,6 +104,7 @@ hydra_dispatcher_webhook_rules:
       required: false
     sub:
       required: false
+
 # Hydra Passwordless configuration
 
 enable_hydra_passwordless: yes
@@ -171,6 +169,9 @@ hydra_saml_debug: no
 # Niveau de verbosité du service shibboleth-sp
 hydra_saml_sp_log_level: WARN
 
+# Durée de vie des "refresh_token"
+hydra_ttl_refresh_token: "24h"
+
 # Inclure les règles de cartographie des attributs SAML fournis  par défaut par le projet hydra-shibboleth-sp-v3
 hydra_saml_include_sp_default_attributes_mapping: "yes"
 
@@ -228,7 +229,6 @@ oidc_test_app_public_base_url: "{{ haproxy_public_base_url }}{{ haproxy_oidc_tes
 
 enable_hydra_oidc: no
 hydra_oidc_debug: no
-hydra_oidc_internal_port: 8080
 hydra_oidc_hydra_url_error:
 hydra_oidc_base_url:
 hydra_oidc_cookie_path: "{{ haproxy_hydra_oidc_base_path }}"
@@ -310,3 +310,38 @@ hydra_ldap_role_attr: cn
 hydra_ldap_use_tls: false
 hydra_ldap_role_claim: roles
 hydra_ldap_claim_scopes: "name:profile,family_name:profile,given_name:profile,email:email,roles:roles"
+
+# Hydra WebAuthn configuration
+
+enable_hydra_webauthn: false
+hydra_webauthn_api_accounts:
+  - username: admin
+    password: NotSoSecret;21
+hydra_webauthn_relyingparty_id: "{{ ansible_default_ipv4.address | default(ansible_all_ipv4_addresses[0]) }}"
+hydra_webauthn_relyingparty_origins:
+  - "http://{{ ansible_default_ipv4.address | default(ansible_all_ipv4_addresses[0]) }}"
+hydra_webauthn_app_title:
+  fr: WebAuthn
+hydra_webauthn_app_description: 
+  fr: Authentification via clé cryptographique
+hydra_webauthn_app_icon_url: https://webauthn.io/static/images/shield.svg
+hydra_webauthn_identity_provider_id: webauthn
+hydra_webauthn_attributes_rewrite_rules:
+  email:
+    - "property_exists(consent.session.id_token, 'email') ? consent.session.id_token.email : null"
+  email_verified:
+    - "property_exists(consent.session.id_token, 'email_verified') ? consent.session.id_token.email_verified : false"
+  family_name:
+    - "property_exists(consent.session.id_token, 'family_name') ? consent.session.id_token.family_name : null"
+  given_name:
+    - "property_exists(consent.session.id_token, 'given_name') ? consent.session.id_token.given_name : null"
+  birthdate:
+    - "property_exists(consent.session.id_token, 'birthdate') ? consent.session.id_token.birthdate : null"
+  gender:
+    - "property_exists(consent.session.id_token, 'gender') ? consent.session.id_token.gender : null"
+  birthplace:
+    - "property_exists(consent.session.id_token, 'birthplace') ? consent.session.id_token.birthplace : null"
+  birthcountry:
+    - "property_exists(consent.session.id_token, 'birthcountry') ? consent.session.id_token.birthcountry : null"
+  roles:
+    - "property_exists(consent.session.id_token, 'roles') ? consent.session.id_token.roles : []"

handlers/main.yml

@@ -46,7 +46,6 @@
     name: cadoles-pod-hydra-oidc-v1
     state: restarted
   become: true
-  when: not install_only
 
 - name: Restart cadoles-pod-hydra-ldap-v1
   service:
@@ -55,6 +54,13 @@
   become: true
   when: not install_only
 
+- name: Restart cadoles-pod-hydra-webauthn-v1
+  service:
+    name: cadoles-pod-hydra-webauthn-v1
+    state: restarted
+  become: true
+  when: not install_only
+
 - name: Restart cadoles-pod-goweb-oidc-v1
   service:
     name: cadoles-pod-goweb-oidc-v1

sso.schema.yml

@@ -89,10 +89,6 @@ properties:
   hydra_ttl_refresh_token:
     type: string
 
-  hydra_brypt_cost:
-    type: number
-    description: Coût CPU pour calculer des hachages de secret (4-31)
-
   # This value should not be changed after first deployment !
   hydra_secrets_seed:
     type: string

tasks/configure-hydra-sp.yml

@@ -1,21 +0,0 @@
----
-# Simple task to update the config files of cadoles-pod-shibboleth-sp only.
-
-- name: Configure cadoles-pod-shibboleth-sp-v3
-  ansible.builtin.template:
-    src: "{{ item.src }}"
-    dest: "{{ item.dest }}"
-    mode: "{{ item.mode }}"
-  with_items:
-    - src:  cadoles-pod-shibboleth-sp-v3.conf.j2
-      dest: /etc/cadoles-pod-shibboleth-sp-v3.conf
-      mode: u=rw,g=r
-    - src:  shibboleth-attribute-map.inc.xml.j2
-      dest: /etc/shibboleth/attribute-map.inc.xml
-      mode: u=rw,g=r,o=r
-    - src:  shibboleth-attribute-policy.inc.xml.j2
-      dest: /etc/shibboleth/attribute-policy.inc.xml
-      mode: u=rw,g=r,o=r
-  notify:
-    - Restart cadoles-pod-shibboleth-sp-v3
-  become: true

tasks/hydra-webauthn.yml

@@ -0,0 +1,25 @@
+---
+
+- name: Install cadoles-pod-hydra-webauthn-v1 package
+  ansible.builtin.apt:
+    name:
+      - "cadoles-pod-hydra-webauthn-v1={{ cadoles_pod_hydra_webauthn_v1_package_version }}"
+    update_cache: yes
+    state: present
+  become: true
+
+- name: Create data directory
+  file:
+    path: /var/lib/cadoles-pod-webauthn-v1/data
+    state: directory
+
+- name: Configure cadoles-pod-hydra-webauthn-v1
+  template:
+    src: "{{ item.src }}"
+    dest: "{{ item.dest }}"
+  with_items:
+    - src:  cadoles-pod-hydra-webauthn-v1.conf.j2
+      dest: /etc/cadoles-pod-hydra-webauthn-v1.conf
+  notify:
+    - Restart cadoles-pod-hydra-webauthn-v1
+  become: true

tasks/main.yml

@@ -101,6 +101,10 @@
   ansible.builtin.include_tasks: hydra-ldap.yml
   when: enable_hydra_ldap
 
+- name: Configure WebAuthn authentification if enabled
+  ansible.builtin.include_tasks: hydra-webauthn.yml
+  when: enable_hydra_webauthn
+
 - name: Start OIDC Test app if enabled
   ansible.builtin.include_tasks: start-oidc-test.yml
   when: enable_oidc_test_app and not install_only

tasks/start-oidc-test.yml

@@ -7,6 +7,7 @@
   with_items:
     - client_id: "{{ oidc_test_app_client_id }}"
       client_secret: "{{ oidc_test_app_client_secret }}"
+      client_uri: "{{ oidc_test_app_public_base_url }}"
       client_name: "OIDC Test"
       redirect_uris: ["{{ oidc_test_app_public_base_url }}/oauth2/callback"]
       post_logout_redirect_uris: ["{{ oidc_test_app_public_base_url }}"]

tasks/update-hydra-remote-user.yml

@@ -1,33 +0,0 @@
----
-# Simple task to update the package/container cadoles-pod-hydra-remote-user only.
-- name: Install hydra-remote-user package
-  ansible.builtin.apt:
-    name:
-      - cadoles-pod-hydra-remote-user-v1={{ cadoles_pod_hydra_remote_user_v1_package_version }}
-    update_cache: yes
-    state: present
-  become: true
-
-- name: Configure cadoles-pod-hydra-remote-user-v1
-  template:
-    src: "{{ item.src }}"
-    dest: "{{ item.dest }}"
-    mode: "{{ item.mode }}"
-  with_items:
-    - src:  cadoles-pod-hydra-remote-user-v1.conf.j2
-      dest: /etc/cadoles-pod-hydra-remote-user-v1.conf
-      mode: u=rw,g=r
-    - src:  hydra-remote-user.yml.j2
-      dest: /etc/hydra-remote-user/conf.d/remote-user.yml
-      mode: u=rw,g=r,o=r
-  notify:
-    - Restart cadoles-pod-hydra-remote-user-v1
-  become: true
-
-- name: Configure cadoles-pod-hydra-remote-user-v1 (2)
-  ansible.builtin.copy:
-    src:  hydra-remote-user-v1-apache.conf
-    dest: /etc/hydra-remote-user/apache.conf
-  notify:
-    - Restart cadoles-pod-hydra-remote-user-v1
-  become: true

tasks/update-hydra-sp.yml

@@ -8,5 +8,15 @@
     state: present
   become: true
 
-- name: Configure hydra SP
+- name: Configure cadoles-pod-shibboleth-sp-v3
-  ansible.builtin.include_tasks: configure-hydra-sp.yml
+  template:
+    src: "{{ item.src }}"
+    dest: "{{ item.dest }}"
+    mode: "{{ item.mode }}"
+  with_items:
+    - src: cadoles-pod-shibboleth-sp-v3.conf.j2
+      dest: /etc/cadoles-pod-shibboleth-sp-v3.conf
+      mode: u=rw,g=r
+  notify:
+    - Restart cadoles-pod-shibboleth-sp-v3
+  become: true

templates/cadoles-pod-hydra-oidc-v1.conf.j2

@@ -4,7 +4,7 @@ PODMAN_ARGS="\
     --replace \
     --network=slirp4netns:allow_host_loopback=true \
     --tz=local \
-    -p 127.0.0.1:3004:{{ hydra_oidc_internal_port | default(8080) }} \
+    -p 127.0.0.1:3004:8080 \
     -e APP_ENV=prod \
     -e 'APP_DEBUG={{ hydra_oidc_debug }}' \
     -e 'HYDRA_ADMIN_BASE_URL=http://10.0.2.2:3000' \

templates/cadoles-pod-hydra-v1.conf.j2

@@ -25,6 +25,5 @@ PODMAN_ARGS="\
     {% endif %}
     -e 'HYDRA_SECRETS_SYSTEM={{ lookup('ansible.builtin.password', '/dev/null length=32 seed=hydra_secrets_seed') }}' \
     -e 'HYDRA_OIDC_SUBJECT_IDENTIFIERS_PAIRWISE_SALT={{ lookup('ansible.builtin.password', '/dev/null length=32 seed=hydra_secrets_seed') }}' \
-    -e 'HYDRA_BCRYPT_COST={{ hydra_bcrypt_cost }}' \
     -v /etc/hydra/clients.d:/etc/hydra/clients.d \
 "

templates/cadoles-pod-hydra-webauthn-v1.conf.j2

@@ -0,0 +1,12 @@
+# {{ ansible_managed }}
+PODMAN_ARGS="\
+    -p 127.0.0.1:3006:3000 \
+    --network=slirp4netns:allow_host_loopback=true \
+    --replace --name 'cadoles-pod-hydra-webauthn-v1' \
+    --tz=local \
+    -e 'HYDRA_WEBAUTHN_HTTP_BASE_URL={{ haproxy_public_base_url }}/auth/webauthn' \
+    -e 'HYDRA_WEBAUTHN_HYDRA_BASE_URL=http://10.0.2.2:3000' \
+    -e 'HYDRA_WEBAUTHN_WEBAUTHN_RELYINGPARTY_ID={{ hydra_webauthn_relyingparty_id }}' \
+    -e 'HYDRA_WEBAUTHN_WEBAUTHN_RELYINGPARTY_ORIGINS={{ hydra_webauthn_relyingparty_origins | join(',') }}' \
+    -v '/var/lib/cadoles-pod-webauthn-v1/data:/app/data' \
+"

templates/haproxy.cfg.j2

@@ -54,6 +54,9 @@ frontend http-in
 {% if enable_hydra_ldap %}
     acl login_ldap path_beg -i {{ haproxy_hydra_ldap_base_path }}
 {% endif %}
+{% if enable_hydra_webauthn %}
+    acl login_webauthn path_beg -i {{ haproxy_hydra_webauthn_base_path }}
+{% endif %}
 {% if enable_oidc_test_app %}
     acl oidc_test path_beg -i {{ haproxy_oidc_test_base_path }}
 {% endif %}
@@ -73,6 +76,9 @@ frontend http-in
 {% if enable_hydra_ldap %}
     use_backend hydra_ldap if login_ldap
 {% endif %}
+{% if enable_hydra_webauthn %}
+    use_backend hydra_webauthn if login_webauthn
+{% endif %}
 {% if enable_oidc_test_app %}
     use_backend oidc_test if oidc_test
 {% endif %}
@@ -138,6 +144,15 @@ backend hydra_ldap
     server hydra-login-ldap 127.0.0.1:3005 check
 {%- endif %}
 
+{% if enable_hydra_webauthn %}
+# Backend Hydra WebAuthn
+backend hydra_webauthn
+    balance roundrobin
+    http-request set-path %[path,regsub(^{{ haproxy_hydra_webauthn_base_path }},)]
+    http-request set-header X-Forwarded-Prefix {{ haproxy_hydra_webauthn_base_path }}
+    server hydra-login-ldap 127.0.0.1:3006 check
+{%- endif %}
+
 {% if enable_oidc_test_app %}
 backend oidc_test
     balance roundrobin

templates/hydra-client.json.j2

@@ -8,6 +8,7 @@
 	"post_logout_redirect_uris": {{ item.post_logout_redirect_uris | default([]) | to_json }},
 	"redirect_uris": {{ item.redirect_uris | default([]) | to_json }},
 	"response_types": {{ item.response_types | default(["code"]) | to_json }},
+	"client_uri": {{ item.client_uri | default("") | to_json }},
 	"logo_uri": {{ item.logo_uri | default("") | to_json }},
 	"scope": {{ item.scope | default("openid profile email webhook") | to_json }},
 	"token_endpoint_auth_method": {{ item.token_endpoint_auth_method | default("client_secret_post") | to_json }}

templates/hydra-dispatcher-apps.yml.j2

@@ -64,6 +64,20 @@ hydra:
       logout_url: "{{ haproxy_public_base_url }}{{ haproxy_hydra_ldap_base_path }}/auth/logout"
       attributes_rewrite_configuration: {{ hydra_ldap_attributes_rewrite_configuration  | default({}) | to_json }}
       icon_url: "{{ hydra_ldap_app_icon_url }}"
+{% endif %}
+{% if enable_hydra_webauthn %}
+    - id: {{ hydra_webauthn_identity_provider_id | default("webauthn") }}
+      title:
+        fr: "{{ hydra_webauthn_app_title.fr }}"
+        en: "{{ hydra_webauthn_app_title.en | default(hydra_webauthn_app_title.fr)  }}"
+      description:
+        fr: "{{ hydra_webauthn_app_description.fr }}"
+        en: "{{ hydra_webauthn_app_description.en | default(hydra_webauthn_app_description.fr)  }}"
+      login_url: "{{ haproxy_public_base_url }}{{ haproxy_hydra_webauthn_base_path }}/login"
+      consent_url: "{{ haproxy_public_base_url }}{{ haproxy_hydra_webauthn_base_path }}/consent"
+      logout_url: "{{ haproxy_public_base_url }}{{ haproxy_hydra_webauthn_base_path }}/logout"
+      attributes_rewrite_configuration: {{ hydra_webauthn_attributes_rewrite_configuration | default({}) | to_json }}
+      icon_url: "{{ hydra_webauthn_app_icon_url }}"
 {% endif %}
   webhook:
     enabled: {{ hydra_dispatcher_webhook }}