distrust

command module

v0.1.0 Latest Latest Go to latest Published: Feb 20, 2023 License: BSD-3-Clause Imports: 19 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/parkour-vienna/distrust

Links

Open Source Insights

README ¶

distrust

Use discourse as an OIDC (OAuth 2.0) provider.

Installation

To run distrust, copy the distrust.example.yml file to distrust.yml and customize it to your liking. Afterwards, run the binary or container image.

./distrust

You can also use a container engine like podman or docker to run distrust

podman run -d \
  --name distrust \
  -v $PWD/distrust.yml:/distrust.yml:Z \
  -p 3000:3000 \
  ghcr.io/parkour-vienna/distrust:$VERSION

Configuration

Configuring Discourse

To start using discourse as an OIDC provider, you need to configure your discourse instance. The following site settings need to be set:

enable discourse connect provider
discourse connect provider secrets - Here you need to add the domain of the distrust server and choose a secure secret

This configuration must then be entered in the distrust.yml file

discourse:
  server: https://your-discourse-installation.org
  secret: <your-chosen-secret>

Configuring the OIDC provider

The OIDC provider is based on ory/fosite and needs two configuration values to work. The first one is a 32-byte secret. It must be exactly 32 bytes long. The other parameter is the private key used for signing the tokens.

If you need a fresh RSA private key, you can run distrust genkey to generate one.

Both values can be left empty, however this will invalidate all tokens on a server restart

oidc:
  secret: 'some-exactly-32-byte-long-secret'
  privateKey: |
    -----BEGIN RSA PRIVATE KEY-----
    ....
    -----END RSA PRIVATE KEY-----

Configuring Clients

The last step is the configuration of clients. Here you need to specify a name, a client secret as well as the allowed redirect URIs.

As of this point, the redirect URIs do not support wildcards

The following example configures a client called test with the secret foobar which is authorized to redirect to the OpenID Connect test page

clients:
  test:
    secret: foobar
    redirectURIs:
      - 'https://openidconnect.net/callback'

If you do not want to provide a plaintext secret, you can also provide the secret as an already hashed bcrypt2 value

Group ACLs

In case you want your client to be only available for members of a certain group, you can populate the allowGroups or denyGroups fields in the client config. This will either allow or deny access on a client basis.

Usage by Clients

Distrust is based on ory/fosite, so you can refer to that project's documentation for how to interact with the OpenID Connect provider.

The two endpoints the client will interact with are:

The authorization endpoint
- https://example.com/oauth2/auth
The token endpoint
- https://example.com/oauth2/token

Documentation ¶

There is no documentation for this package.

Source Files ¶

View all Source files

Directories ¶

Path	Synopsis
auth
cryptutils
discourse
requestlog

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL