From 0ac5d3b1a2703a1d5bad413110b2c4ca97b48df2 Mon Sep 17 00:00:00 2001
From: Trammell Hudson
Date: Tue, 3 May 2022 12:04:50 +0000
Subject: [PATCH] mastodon: oidc almost works

---
 README.md | 5 +++++
 mastodon/env.production | 38 ++++++++++++++++++++++++++++++++++++++
 mastodon/setup | 24 ++++++++++++++++++++++++
 3 files changed, 67 insertions(+)

diff --git a/README.md b/README.md
index b08291d..9841a81 100644
--- a/README.md
+++ b/README.md
@@ -25,3 +25,8 @@ sudo docker-compose up -d
 ./setup
 ```
 
+```
+cd ../mastodon
+./setup
+sudo docker-compose up
+```
diff --git a/mastodon/env.production b/mastodon/env.production
index d869a3d..2938c18 100644
--- a/mastodon/env.production
+++ b/mastodon/env.production
@@ -68,3 +68,41 @@ SMTP_FROM_ADDRESS=notifications@example.com
 #AWS_ACCESS_KEY_ID=
 #AWS_SECRET_ACCESS_KEY=
 #S3_ALIAS_HOST=files.example.com
+
+
+OMNIAUTH_ONLY=true
+#SAML_ENABLED=true
+#SAML_IDP_SSO_TARGET_URL=https://login.hackerspace.zone/realms/hackerspace/protocol/saml
+#SAML_ACS_URL=https://social.hackerspace.zone/auth/auth/saml/callback
+#SAML_ISSUER=mastodon
+#SAML_IDP_CERT=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
+##SAML_IDP_CERT_FINGERPRINT=7B:53:95:6A:D6:FE:7E:E5:68:FE:9C:E1:68:51:BF:DD:F9:AF:63:F2
+#SAML_NAME_IDENTIFIER_FORMAT=urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
+##SAML_CERT=
+##SAML_PRIVATE_KEY=
+#SAML_SECURITY_WANT_ASSERTION_SIGNED=true
+##SAML_SECURITY_WANT_ASSERTION_ENCRYPTED=true
+#SAML_SECURITY_ASSUME_EMAIL_IS_VERIFIED=true
+#SAML_ATTRIBUTES_STATEMENTS_UID=uid
+#SAML_ATTRIBUTES_STATEMENTS_EMAIL=email
+##SAML_ATTRIBUTES_STATEMENTS_FULL_NAME="urn:oid:2.16.840.1.113730.3.1.241"
+#SAML_ATTRIBUTES_STATEMENTS_FIRST_NAME=first_name
+#SAML_ATTRIBUTES_STATEMENTS_LAST_NAME=last_name
+##SAML_UID_ATTRIBUTE=uid
+##SAML_ATTRIBUTES_STATEMENTS_VERIFIED=
+##SAML_ATTRIBUTES_STATEMENTS_VERIFIED_EMAIL=
+#
+
+# https://github.com/mastodon/mastodon/pull/16221
+OIDC_ENABLED=true
+OIDC_PROMPT=Keycloak
+OIDC_DISPLAY_NAME=hackerspace.zone
+OIDC_ISSUER=https://login.hackerspace.zone/realms/hackerspace
+OIDC_REDIRECT_URI=https://social.hackerspace.zone/auth/auth/openid_connect/callback
+OIDC_DISCOVERY=true
+OIDC_SCOPE=openid,profile
+OIDC_UID_FIELD=uid
+OIDC_CLIENT_ID=mastodon
+OIDC_SECURITY_ASSUME_EMAIL_IS_VERIFIED=true
+OIDC_CLIENT_SECRET=abcdef12345
+
diff --git a/mastodon/setup b/mastodon/setup
index 54ad80a..aeced1b 100755
--- a/mastodon/setup
+++ b/mastodon/setup
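Review bot: `OIDC_CLIENT_SECRET=abcdef12345` commits a literal OIDC client secret into env.production, so everyone with read access to the repository holds the credential that identifies Mastodon to the IdP; the value looks like a placeholder, but the file name says production and nothing on the page marks it as one. The setup hunk that follows appears to create the Keycloak client with kcadm (its client definition is cut off in this view), so the secret could be generated there at setup time, e.g. `OIDC_CLIENT_SECRET=$(openssl rand -hex 32)`, and written into both sides instead of being kept in git; if the committed value has ever been loaded into Keycloak it should be treated as exposed and replaced. A smaller point: `OIDC_SCOPE=openid,profile` does not request the `email` scope while `OIDC_SECURITY_ASSUME_EMAIL_IS_VERIFIED=true` relies on an email claim being present — presumably the realm must be configured to emit it without that scope, which is worth confirming before trusting it as verified.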
@@ -12,3 +12,27 @@ sudo docker-compose run web \
 rails db:setup \
 || die "unable to login"
 
+
+# create the keycloak side of the secret
+cd ../keycloak
+source env.production
+
+sudo docker-compose exec -T keycloak \
+ /opt/keycloak/bin/kcadm.sh \
+ create clients \
+ --server http://localhost:8080/ \
+ --user admin \
+ --password "$KEYCLOAK_ADMIN_PASSWORD" \
+ --realm master \
+ -r "$REALM" \
+ -f - <