mirror/opencloud
1
0
Fork 0
mirror of https://github.com/opencloud-eu/opencloud.git synced 2026-01-06 04:09:40 -06:00
Code Issues Packages Projects Releases Wiki Activity

Rename konnectd to IDP

Browse Source
This commit is contained in:
Ilja Neumann
2021-01-22 17:58:36 +01:00
parent a378f259eb
commit 03cadf304c
172 changed files with 314 additions and 403 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
docs/Makefile
View File

@@ -3,7 +3,7 @@ SHELL := bash
OCIS_MODULES = \
accounts \
glauth \
konnectd \
idp \
ocis \
ocs \
ocis-pkg \

0
docs/extensions/konnectd/.gitignore → docs/extensions/idp/.gitignore vendored
View File

2
docs/extensions/konnectd/_index.md → docs/extensions/idp/_index.md
View File

@@ -2,7 +2,7 @@
title: Konnectd
weight: 20
geekdocRepo: https://github.com/owncloud/ocis
geekdocEditPath: edit/master/docs/extensions/konnectd
geekdocEditPath: edit/master/docs/extensions/idp
geekdocFilePath: _index.md
geekdocCollapseSection: true
---

4
docs/ocis/_index.md
View File

@@ -24,9 +24,9 @@ We run a huge [test suite](https://github.com/owncloud/core/tree/master/tests),
{{< mermaid class="text-center">}}
graph TD
proxy -->
konnectd & web & thumbnails & ocs & webdav & storage & accounts & store & settings
idp & web & thumbnails & ocs & webdav & storage & accounts & store & settings
konnectd --> glauth
idp --> glauth
storage --> REVA

3
docs/ocis/deployment/basic-remote-setup.md
View File

@@ -62,6 +62,9 @@ This snippet will start the oCIS server with auto generated self signed certific
PROXY_HTTP_ADDR=0.0.0.0:9200 \
OCIS_URL=https://your-server:9200 \
KONNECTD_TLS=0 \
PROXY_TRANSPORT_TLS_KEY=./certs/your-host.key \
PROXY_TRANSPORT_TLS_CERT=./certs/your-host.crt \
IDP_TLS=0 \
./bin/ocis server
```

26
docs/ocis/deployment/bridge.md
View File

@@ -101,7 +101,7 @@ Groups should work as well:
$ ldapsearch -x -H ldap://localhost:9125 -b dc=example,dc=com -D "cn=admin,dc=example,dc=com" -W '(objectclass=posixgroup)'
```
> Note: This is currently a readonly implementation and minimal to the usecase of authenticating users with konnectd.
> Note: This is currently a readonly implementation and minimal to the usecase of authenticating users with idp.
### Start ocis-web
@@ -124,21 +124,21 @@ $ bin/web server --web-config-server https://cloud.example.com --oidc-authority
`ocis-web` needs to know
- `--web-config-server https://cloud.example.com` is ownCloud url with webdav and ocs endpoints (oc10 or ocis)
- `--oidc-authority https://192.168.1.100:9130` the openid connect issuing authority, in our case `oidc-konnectd`, running on port 9130
- `--oidc-authority https://192.168.1.100:9130` the openid connect issuing authority, in our case `oidc-idp`, running on port 9130
- `--oidc-metadata-url https://192.168.1.100:9130/.well-known/openid-configuration` the openid connect configuration endpoint, typically the issuer host with `.well-known/openid-configuration`, but there are cases when another endpoint is used, eg. ping identity provides multiple endpoints to separate domains
- `--oidc-client-id ocis` the client id we will register later with `ocis-konnectd` in the `identifier-registration.yaml`
- `--oidc-client-id ocis` the client id we will register later with `ocis-idp` in the `identifier-registration.yaml`
### Start ocis-konnectd
### Start ocis-idp
#### Get it!
In an `ocis` folder
```
$ git clone git@github.com:owncloud/ocis-konnectd.git
$ cd ocis-konnectd
$ git clone git@github.com:owncloud/ocis-idp.git
$ cd ocis-idp
$ make
```
This should give you a `bin/ocis-konnectd` binary. Try listing the help with `bin/ocis-konnectd --help`.
This should give you a `bin/ocis-idp` binary. Try listing the help with `bin/ocis-idp --help`.
#### Set environment variables
@@ -183,12 +183,12 @@ Replace `localhost:9100` in the redirect URIs with your `ocis-web` host and port
#### Run it!
You can now bring up `ocis-konnectd` with:
You can now bring up `ocis-idp` with:
```console
$ bin/ocis-konnectd server --iss https://192.168.1.100:9130 --identifier-registration-conf assets/identifier-registration.yaml --signing-kid gen1-2020-02-27
$ bin/ocis-idp server --iss https://192.168.1.100:9130 --identifier-registration-conf assets/identifier-registration.yaml --signing-kid gen1-2020-02-27
```
`ocis-konnectd` needs to know
`ocis-idp` needs to know
- `--iss https://192.168.1.100:9130` the issuer, which must be a reachable https endpoint. For testing an ip works. HTTPS is NOT optional. This url is exposed in the `https://192.168.1.100:9130/.well-known/openid-configuration` endpoint and clients need to be able to connect to it
- `--identifier-registration-conf assets/identifier-registration.yaml` the identifier-registration.yaml you created
- `--signing-kid gen1-2020-02-27` a signature key id, otherwise the jwks key has no name, which might cause problems with clients. a random key is ok, but it should change when the actual signing key changes.
@@ -203,7 +203,7 @@ $ curl https://192.168.1.100:9130/.well-known/openid-configuration
2. Check if the login works at https://192.168.1.100:9130/signin/v1/identifier
> Note: If you later get a `Unable to find a key for (algorithm, kid):PS256, )` Error make sure you did set a `--signing-kid` when starting `ocis-konnectd` by checking it is present in https://192.168.1.100:9130/konnect/v1/jwks.json
> Note: If you later get a `Unable to find a key for (algorithm, kid):PS256, )` Error make sure you did set a `--signing-kid` when starting `ocis-idp` by checking it is present in https://192.168.1.100:9130/konnect/v1/jwks.json
### Patch owncloud
@@ -241,7 +241,7 @@ $CONFIG = [
```
In the above configuration replace
- `provider-url` with the URL to your `ocis-konnectd` issuer
- `provider-url` with the URL to your `ocis-idp` issuer
- `https://cloud.example.com` with the URL to your ownCloud 10 instance
- `http://localhost:9100` with the URL to your ownCloud Web instance
@@ -251,4 +251,4 @@ In the above configuration replace
Aside from the above todos these are the next steps
- tie it all together behind `ocis-proxy`
- create an `ocis bridge` command that runs all the ocis services in one step with a properly preconfigured `ocis-konnectd` `identifier-registration.yaml` file for `ownCloud Web` and the owncloud 10 `openidconnect` app, as well as a randomized `--signing-kid`.
- create an `ocis bridge` command that runs all the ocis services in one step with a properly preconfigured `ocis-idp` `identifier-registration.yaml` file for `ownCloud Web` and the owncloud 10 `openidconnect` app, as well as a randomized `--signing-kid`.

2
docs/ocis/deployment/ocis_keycloak.md
View File

@@ -19,7 +19,7 @@ geekdocFilePath: ocis_keycloak.md
The docker stack consists 4 containers. One of them is Traefik, a proxy which is terminating ssl and forwards the requests to oCIS in the internal docker network.
Keykloak add two containers: Keycloak itself and a PostgreSQL as database. Keycloak will be configured as oCIS' IDP instead of the internal IDP [Konnectd]({{< ref "../../extensions/konnectd/_index.md" >}})
Keykloak add two containers: Keycloak itself and a PostgreSQL as database. Keycloak will be configured as oCIS' IDP instead of the internal IDP [Konnectd]({{< ref "../../extensions/idp/_index.md" >}})
The other container is oCIS itself running all extensions in one container. In this example oCIS uses [oCIS storage driver]({{< ref "../../extensions/storage/storages.md#storage-drivers" >}})

2
docs/ocis/deployment/ocis_traefik.md
View File

@@ -18,7 +18,7 @@ geekdocFilePath: ocis_traefik.md
The docker stack consists of two containers. One of them is Traefik, a proxy which is terminating ssl and forwards the requests to oCIS in the internal docker network.
The other one is oCIS itself running all extensions in one container. In this example oCIS uses its internal IDP [Konnectd]({{< ref "../../extensions/konnectd/_index.md" >}}) and the [oCIS storage driver]({{< ref "../../extensions/storage/storages.md#storage-drivers" >}})
The other one is oCIS itself running all extensions in one container. In this example oCIS uses its internal IDP [Konnectd]({{< ref "../../extensions/idp/_index.md" >}}) and the [oCIS storage driver]({{< ref "../../extensions/storage/storages.md#storage-drivers" >}})
## Server Deployment

6
docs/ocis/development/debugging.md
View File

@@ -39,7 +39,7 @@ Run the debug binary with `OCIS_LOG_LEVEL=debug bin/ocis-debug server` and then
12920 pts/1 Sl 0:00 bin/ocis-debug reva-users
12929 pts/1 Sl 0:00 bin/ocis-debug glauth
12940 pts/1 Sl 0:00 bin/ocis-debug reva-storage-home-data
12948 pts/1 Sl 0:00 bin/ocis-debug konnectd
12948 pts/1 Sl 0:00 bin/ocis-debug idp
12952 pts/1 Sl 0:00 bin/ocis-debug proxy
12961 pts/1 Sl 0:00 bin/ocis-debug thumbnails
12971 pts/1 Sl 0:00 bin/ocis-debug reva-storage-oc
@@ -81,7 +81,7 @@ bin/ocis --log-level=$LOG_LEVEL glauth &
bin/ocis --log-level=$LOG_LEVEL graph-explorer &
bin/ocis --log-level=$LOG_LEVEL graph &
#bin/ocis --log-level=$LOG_LEVEL hello &
bin/ocis --log-level=$LOG_LEVEL konnectd &
bin/ocis --log-level=$LOG_LEVEL idp &
#bin/ocis --log-level=$LOG_LEVEL ocs &
bin/ocis --log-level=$LOG_LEVEL web &
bin/ocis --log-level=$LOG_LEVEL reva-auth-basic &
@@ -118,7 +118,7 @@ bin/ocis --log-level=$LOG_LEVEL proxy &
12920 pts/1 Sl 0:00 bin/ocis-debug reva-users
12929 pts/1 Sl 0:00 bin/ocis-debug glauth
12940 pts/1 Sl 0:00 bin/ocis-debug reva-storage-home-data
12948 pts/1 Sl 0:00 bin/ocis-debug konnectd
12948 pts/1 Sl 0:00 bin/ocis-debug idp
12952 pts/1 Sl 0:00 bin/ocis-debug proxy
12961 pts/1 Sl 0:00 bin/ocis-debug thumbnails
12971 pts/1 Sl 0:00 bin/ocis-debug reva-storage-oc

2
docs/ocis/flow-docs/login-flow.md
View File

@@ -44,7 +44,7 @@ sequenceDiagram
Note over client, idp: GET /authorize?<br>response_type=code<br>&scope=openid%20profile%20email<br>&client_id=s6BhdRkqt3<br>&state=af0ifjsldkj<br>&redirect_uri=https%3A%2F%2Fclient.example.org%2Fcb HTTP/1.1<br>Host: server.example.com
Note over user, idp: 3. Authorization Server Authenticates the End-User.
Note over idp,ldap: Either an IdP already exists or a new one is introduced. Since we are not yet using oidc discovery we can only use one IdP.
alt all users managed by konnectd/ocis
alt all users managed by idp/ocis
idp->>+glauth: LDAP query/bind
glauth->>+graph: GET user with Basic Auth<br>GraphAPI
graph->>+accounts: internal GRPC

2
docs/ocis/flow-docs/request-flow.md
View File

@@ -28,7 +28,7 @@ sequenceDiagram
Note over client,proxy: What is in a bearer token? <br> The spec recommends opaque tokens. <br> Treat it as random byte noise.
Note over client,proxy: the proxy MUST authenticate users <br> using ocis-accounts because it needs <br> to decide where to send the request
%% Mention introspection endpoint for opaque tokens
%% konnectd uses jwt, so we can save a request
%% idp uses jwt, so we can save a request
%% either way the token can be used to look up the sub and iss of the user
%% or is token check enough?