auth: Implement OpenID Connect login flow
This commit adds two path operations, *GET /login* and *GET /oidc-callback*, which initiate and complete the OpenID connect login flow, respectively. Only the *Authorization Code* flow is supported, since this is the only flow implemented by Authelia. There is quite a bit of boilerplate required to fully implement an OIDC relying party, especially in Rust. The documentation for `openidconnect` is decent, but it still took quite a bit of trial and error to get everything working. After successfully finishing the OIDC login, the client will receive a cookie containing a JWT that can be used for further communication with the server. We're not using the OIDC tokens themselves for authorization. For development and testing, Dex is a simple and convenient OIDC IdP. The only caveat is its configuration file must contain list the TCP port clients will use to connect to it, meaning we cannot use Podman dynamic port allocation like we do for Meilisearch. Ultimately, this just means the integration tests will fail if there is another process already listening on 5556.
This commit is contained in:
27
run-tests.sh
27
run-tests.sh
@@ -11,6 +11,11 @@ cleanup() {
|
||||
rm "${meilisearch_key}"
|
||||
fi
|
||||
unset meilisearch_key
|
||||
if [ -n "${dex_cid}" ]; then
|
||||
echo 'Stopping Dex ...' >&2
|
||||
podman stop "${dex_cid}" >/dev/null
|
||||
fi
|
||||
unset cid
|
||||
if [ -f "${jwt_key}" ]; then
|
||||
rm "${jwt_key}"
|
||||
fi
|
||||
@@ -48,6 +53,22 @@ curl -s 127.0.0.1:${port}/keys -H "Authorization: Bearer ${MEILI_MASTER_KEY}" \
|
||||
| jq -r '.results[] | select(.name == "Default Admin API Key") | .key' \
|
||||
> "${meilisearch_key}"
|
||||
|
||||
echo 'Starting Dex ...'
|
||||
dex_cid=$(
|
||||
podman run --rm -d \
|
||||
-p 5556:5556 \
|
||||
-v ./dex.yaml:/etc/dex/config.yaml:ro,z \
|
||||
ghcr.io/dexidp/dex \
|
||||
dex serve /etc/dex/config.yaml
|
||||
) || exit
|
||||
dex_port=5556
|
||||
printf 'Waiting for Dex on port %d ...' "${dex_port}" >&2
|
||||
until curl -fs -o /dev/null 127.0.0.1:${dex_port}/dex/healthz; do
|
||||
printf '.'
|
||||
sleep 0.25
|
||||
done
|
||||
echo ' ready' >&2
|
||||
|
||||
echo 'Generating JWT secret key ...' >&2
|
||||
jwt_key=$(mktemp jwt.secret.XXXXXX)
|
||||
tr -cd 0-9A-Za-z_- < /dev/urandom | head -c 32 > "${jwt_key}"
|
||||
@@ -60,6 +81,12 @@ token = "${meilisearch_key}"
|
||||
|
||||
[test.auth]
|
||||
jwt_secret = "${jwt_key}"
|
||||
|
||||
[test.oidc]
|
||||
discovery_url = "http://127.0.0.1:${dex_port}/dex"
|
||||
client_id = "example-app"
|
||||
client_secret = "example-app-secret"
|
||||
callback_url = "http://localhost:8000/oidc-callback"
|
||||
EOF
|
||||
export ROCKET_PROFILE=test
|
||||
export ROCKET_CONFIG
|
||||
|
||||
Reference in New Issue
Block a user