mastodon: oidc almost works

single-dockerfile
Trammell Hudson 3 years ago
parent 84db6d0741
commit 0ac5d3b1a2
  1. 5
      README.md
  2. 38
      mastodon/env.production
  3. 24
      mastodon/setup

@ -25,3 +25,8 @@ sudo docker-compose up -d
./setup ./setup
``` ```
```
cd ../mastodon
./setup
sudo docker-compose up
```

@ -68,3 +68,41 @@ SMTP_FROM_ADDRESS=notifications@example.com
#AWS_ACCESS_KEY_ID= #AWS_ACCESS_KEY_ID=
#AWS_SECRET_ACCESS_KEY= #AWS_SECRET_ACCESS_KEY=
#S3_ALIAS_HOST=files.example.com #S3_ALIAS_HOST=files.example.com
OMNIAUTH_ONLY=true
#SAML_ENABLED=true
#SAML_IDP_SSO_TARGET_URL=https://login.hackerspace.zone/realms/hackerspace/protocol/saml
#SAML_ACS_URL=https://social.hackerspace.zone/auth/auth/saml/callback
#SAML_ISSUER=mastodon
#SAML_IDP_CERT=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
##SAML_IDP_CERT_FINGERPRINT=7B:53:95:6A:D6:FE:7E:E5:68:FE:9C:E1:68:51:BF:DD:F9:AF:63:F2
#SAML_NAME_IDENTIFIER_FORMAT=urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
##SAML_CERT=
##SAML_PRIVATE_KEY=
#SAML_SECURITY_WANT_ASSERTION_SIGNED=true
##SAML_SECURITY_WANT_ASSERTION_ENCRYPTED=true
#SAML_SECURITY_ASSUME_EMAIL_IS_VERIFIED=true
#SAML_ATTRIBUTES_STATEMENTS_UID=uid
#SAML_ATTRIBUTES_STATEMENTS_EMAIL=email
##SAML_ATTRIBUTES_STATEMENTS_FULL_NAME="urn:oid:2.16.840.1.113730.3.1.241"
#SAML_ATTRIBUTES_STATEMENTS_FIRST_NAME=first_name
#SAML_ATTRIBUTES_STATEMENTS_LAST_NAME=last_name
##SAML_UID_ATTRIBUTE=uid
##SAML_ATTRIBUTES_STATEMENTS_VERIFIED=
##SAML_ATTRIBUTES_STATEMENTS_VERIFIED_EMAIL=
#
# https://github.com/mastodon/mastodon/pull/16221
OIDC_ENABLED=true
OIDC_PROMPT=Keycloak
OIDC_DISPLAY_NAME=hackerspace.zone
OIDC_ISSUER=https://login.hackerspace.zone/realms/hackerspace
OIDC_REDIRECT_URI=https://social.hackerspace.zone/auth/auth/openid_connect/callback
OIDC_DISCOVERY=true
OIDC_SCOPE=openid,profile
OIDC_UID_FIELD=uid
OIDC_CLIENT_ID=mastodon
OIDC_SECURITY_ASSUME_EMAIL_IS_VERIFIED=true
OIDC_CLIENT_SECRET=abcdef12345
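Review bot: `OIDC_CLIENT_SECRET=abcdef12345` commits a literal client secret to the repository, and the mastodon/setup hunk in this commit passes `$OIDC_CLIENT_SECRET` to kcadm as the Keycloak client's secret, so the committed value becomes the live credential unless every deployer remembers to change it first. Generate it at setup time instead (e.g. `openssl rand -hex 32`) and write it into the env file, or read it from an untracked override, and leave this line as an empty placeholder. Two smaller points I would hedge: `OIDC_SCOPE=openid,profile` omits `email`, and Mastodon still needs an email claim to create the account even with `OIDC_SECURITY_ASSUME_EMAIL_IS_VERIFIED=true`, so if Keycloak only releases it under the `email` scope that may be the "almost" in the commit title. `OIDC_UID_FIELD=uid` also names a claim that is not among Keycloak's default token claims (`sub` and `preferred_username` are), so it likely needs a protocol mapper on the Keycloak side or a different field here.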

@ -12,3 +12,27 @@ sudo docker-compose run web \
rails db:setup \ rails db:setup \
|| die "unable to login" || die "unable to login"
# create the keycloak side of the secret
cd ../keycloak
source env.production
sudo docker-compose exec -T keycloak \
/opt/keycloak/bin/kcadm.sh \
create clients \
--server http://localhost:8080/ \
--user admin \
--password "$KEYCLOAK_ADMIN_PASSWORD" \
--realm master \
-r "$REALM" \
-f - <<EOF || die "unable to create client id"
{
"clientId": "mastodon",
"rootUrl": "https://$MASTODON_HOSTNAME/",
"adminUrl": "https://$MASTODON_HOSTNAME/",
"redirectUris": [ "https://$MASTODON_HOSTNAME/*" ],
"webOrigins": [ "https://$MASTODON_HOSTNAME" ],
"clientAuthenticatorType": "client-secret",
"secret": "$OIDC_CLIENT_SECRET"
}
EOF
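Review bot: `"redirectUris": [ "https://$MASTODON_HOSTNAME/*" ]` registers a wildcard redirect URI, so the authorization code may be returned to any path on the host; the env file already pins the callback, so register exactly that path, `"redirectUris": [ "https://$MASTODON_HOSTNAME/auth/auth/openid_connect/callback" ],`. `--password "$KEYCLOAK_ADMIN_PASSWORD"` places the admin password on the kcadm command line, where it is visible in the container's process list for the duration of the call; if the kcadm build in use can take credentials without an argv password (a separate `kcadm.sh config credentials` step, since the heredoc already occupies stdin), prefer that. The `create clients` call is also not idempotent: a second run of `./setup` will most likely hit a conflict on the existing clientId and stop at `die "unable to create client id"`, so either check with `get clients -r "$REALM" -q clientId=mastodon` first or tolerate that case explicitly. The enclosing script continues outside the hunk, and `$MASTODON_HOSTNAME` and `$OIDC_CLIENT_SECRET` are presumably set by an earlier `source` of mastodon/env.production that is not visible here.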
