From 2ea2bbc97bba4cfb898b9ee64ebb8d644117229f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=B6rn=20Friedrich=20Dreyer?= Date: Fri, 28 Feb 2020 15:31:53 +0100 Subject: [PATCH] Add how to run and configure phoenix in the bridge setup This documents how to run and configure phoenix in a bridge deployment --- docs/bridge.md | 84 ++++++++++++++++++++++++++++++++++++++------------ 1 file changed, 64 insertions(+), 20 deletions(-) diff --git a/docs/bridge.md b/docs/bridge.md index d928c2e9b..168490d55 100644 --- a/docs/bridge.md +++ b/docs/bridge.md @@ -29,7 +29,7 @@ $ composer install No configuration necessary. You can test with `curl`: ```console $ curl https://cloud.example.com/index.php/apps/graphapi/v1.0/users -u admin | jq -Enter host password for user 'jfd': +Enter host password for user 'admin': % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 100 694 100 694 0 0 4283 0 --:--:-- --:--:-- --:--:-- 4283 @@ -56,7 +56,9 @@ Enter host password for user 'jfd': ### Start ocis-glauth -We are going to use the above ownCloud 10 and graphapi app to turn it into the datastore for an LDAP proxy. Grab it while it is hot: +We are going to use the above ownCloud 10 and graphapi app to turn it into the datastore for an LDAP proxy. + +#### Grab it! In an `ocis` folder ``` @@ -65,9 +67,12 @@ $ cd ocis-glauth $ git checkout start-glauth $ make ``` +This should give you a `bin/ocis-glauth` binary. Try listing the help with `bin/ocis-glauth --help`. TODO merge glauth PR https://github.com/owncloud/ocis-glauth/pull/1 +#### Run it! + You need to point `ocis-glauth` to your owncloud domain: ```console $ bin/ocis-glauth --log-level debug server --backend-server https://cloud.example.com --backend-basedn dc=example,dc=com @@ -77,6 +82,8 @@ $ bin/ocis-glauth --log-level debug server --backend-server https://cloud.exampl `--backend-server https://cloud.example.com` is the url to an ownCloud instance with an enabled graphapi app `--backend-basedn dc=example,dc=com` is used to construct the LDAP dn. The user `admin` will become `cn=admin,dc=example,dc=com`. +#### Check it is up and running + You should now be able to list accounts from your ownCloud 10 oc_accounts table using: ```console $ ldapsearch -x -H ldap://localhost:9125 -b dc=example,dc=com -D "cn=admin,dc=example,dc=com" -W '(objectclass=posixaccount)' @@ -89,9 +96,34 @@ $ ldapsearch -x -H ldap://localhost:9125 -b dc=example,dc=com -D "cn=admin,dc=ex > Note: This is currently a readonly implementation and minimal to the usecase of authenticating users with konnectd. +### Start ocis-phoenix + +#### Get it! + +In an `ocis` folder +``` +$ git clone git@github.com:owncloud/ocis-phoenix.git +$ cd ocis-phoenix +$ make +``` +This should give you a `bin/ocis-phoenix` binary. Try listing the help with `bin/ocis-phoenix --help`. + +#### Run it! + +Point `ocis-phoenix` to your owncloud domain and tell it where to find the openid connect issuing authority: +```console +$ bin/ocis-phoenix server --web-config-server https://cloud.example.com --oidc-authority https://192.168.1.100:9130 --oidc-metadata-url https://192.168.1.100:9130/.well-known/openid-configuration --oidc-client-id ocis +``` + +`ocis-phoenix` needs to know +- `--web-config-server https://cloud.example.com` is ownCloud url with webdav and ocs endpoints (oc10 or ocis) +- `--oidc-authority https://192.168.1.100:9130` the openid connect issuing authority, in our case `oidc-konnectd`, running on port 9130 +- `--oidc-metadata-url https://192.168.1.100:9130/.well-known/openid-configuration` the openid connect configuration endpoint, typically the issuer host with `.well-known/openid-configuration`, but there are cases when another endpoint is used, eg. ping identity provides multiple endpoints to separate domains +- `--oidc-client-id ocis` the client id we will register later with `ocis-konnectd` in the `identifier-registration.yaml` + ### Start ocis-konnectd -#### Get it +#### Get it! In an `ocis` folder ``` @@ -99,12 +131,13 @@ $ git clone git@github.com:owncloud/ocis-konnectd.git $ cd ocis-konnectd $ make ``` +This should give you a `bin/ocis-konnectd` binary. Try listing the help with `bin/ocis-konnectd --help`. -#### Environment variables +#### Set environment variables Konnectd needs environment variables to configure the LDAP server: ```console -export LDAP_URI=ldap://192.168.1.173:9125 +export LDAP_URI=ldap://192.168.1.100:9125 export LDAP_BINDDN="cn=admin,dc=example,dc=com" export LDAP_BINDPW="its-a-secret" export LDAP_BASEDN="dc=example,dc=com" @@ -126,29 +159,34 @@ Now we need to configure a client we can later use to configure the ownCloud 10 # OpenID Connect client registry. clients: - - id: oc10-openidconnect-app - name: openidconnect ownCloud app + - id: ocis + name: ownCloud Infinite Scale insecure: yes application_type: web redirect_uris: - https://cloud.example.com/apps/openidconnect/redirect + - http://localhost:9100/oidc-callback.html + - http://localhost:9100 + - http://localhost:9100/ ``` You will need the `insecure: yes` if you are using self signed certificates. -Replace the host in the redirect URI with your ownCloud 10 host and port. +Replace `cloud.example.com` in the redirect URI with your ownCloud 10 host and port. +Replace `localhost:9100` in the redirect URIs with your the `ocis-phoenix` host and port. #### Run it! -`ocis-konnectd` needs to know -- the issuer, which must be a reachable https endpoint. For testing an ip works. HTTPS is NOT optional. -- the identifier-registration.yaml you created -- a signature key id, otherwise the jwks key has no name, which might cause problems with clients. a random key is ok, but it should change when the actual signing key changes. - -On the cli it looks like this +You can now bring up `ocis-connectd` with: ```console -$ bin/ocis-konnectd server -iss https://192.168.1.100:9130 --identifier-registration-conf assets/identifier-registration.yaml --signing-kid gen1-2020-02-27 +$ bin/ocis-konnectd server --iss https://192.168.1.100:9130 --identifier-registration-conf assets/identifier-registration.yaml --signing-kid gen1-2020-02-27 ``` +`ocis-konnectd` needs to know +- `--iss https://192.168.1.100:9130` the issuer, which must be a reachable https endpoint. For testing an ip works. HTTPS is NOT optional. This url is exposed in the `https://192.168.1.100:9130/.well-known/openid-configuration` endpoint and clients need to be able to connect to it +- `--identifier-registration-conf assets/identifier-registration.yaml` the identifier-registration.yaml you created +- `--signing-kid gen1-2020-02-27` a signature key id, otherwise the jwks key has no name, which might cause problems with clients. a random key is ok, but it should change when the actual signing key changes. + + #### Check it is up and running 1. Try getting the configuration: @@ -183,21 +221,27 @@ After enabling the app configure it in `config/oidc.config.php` $CONFIG = [ 'openid-connect' => [ 'provider-url' => 'https://192.168.1.100:9130', - 'client-id' => 'oc10-openidconnect-app', + 'client-id' => 'ocis', 'loginButtonName' => 'OpenId Connect @ Konnectd', ], - 'debug' => true // if using self signed certificates + 'debug' => true, // if using self signed certificates + // allow the different domains access to the ocs and wabdav endpoints: + 'cors.allowed-domains' => [ + 'https://cloud.example.com', + 'http://localhost:9100', + ], ]; ``` In the above configuration replace -- `provider-url` with the url to your `ocis-konnectd` issuer +- `provider-url` with the URL to your `ocis-konnectd` issuer +- `https://cloud.example.com` with the URL to your ownCloud 10 instance +- `http://localhost:9100` with the URL to your phoenix instance > Note: By default the openidconnect app will use the email of the user to match the user from the oidc userinfo endpoint with the ownCloud account. So make sure your users have a unique primary email. ## Next steps Aside from the above todos these are the next stepo -- get `ocis-phoenix` configured to authenticate against `ocis-konnectd` and use the webdav endpoint from owncloud 10. - tie it all together behind `ocis-proxy` -- create an `ocis bridge` command that runs all the ocis services in one step with a properly preconfigured `ocis-konnectd` `identifier-registration.yaml` file for `phoenix` and the owncloud 10 `openidconnect` app, as well as a randomized `--signing-kid`. \ No newline at end of file +- create an `ocis bridge` command that runs all the ocis services in one step with a properly preconfigured `ocis-konnectd` `identifier-registration.yaml` file for `phoenix` and the owncloud 10 `openidconnect` app, as well as a randomized `--signing-kid`.