From 30eec2ad674493e81f8bd63360d17f5ae6ae990b Mon Sep 17 00:00:00 2001
From: Maximilian Moser <maximilian.moser@tuwien.ac.at>
Date: Fri, 6 Oct 2023 22:26:06 +0200
Subject: [PATCH] Update the container definition
* mount most configuration into the container rather than baking it into
the image
* use a configuration file for registered clients and disable dynamic
registration of clients during runtime
---
.gitignore | 3 +++
Dockerfile | 7 -------
README.md | 7 +++++++
config/oidc-frontend.yaml | 4 ++--
docker-compose.yml | 5 +++++
oidc-clients.json.example | 10 ++++++++++
run.sh | 5 +++++
7 files changed, 32 insertions(+), 9 deletions(-)
create mode 100644 oidc-clients.json.example
diff --git a/.gitignore b/.gitignore
index aeb333e..ec1f302 100644
--- a/.gitignore
+++ b/.gitignore
@@ -14,3 +14,6 @@ satosa-*.log
# exported metadata
frontend.xml
backend.xml
+
+# client database
+oidc-clients.json
diff --git a/Dockerfile b/Dockerfile
index d5148a7..68bebe1 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,11 +1,4 @@
# https://hub.docker.com/_/satosa
FROM satosa:8
-
-# put config into `/etc/satosa`
-COPY proxy_conf.yaml /etc/satosa
-COPY blacklist.json /etc/satosa
-COPY config /etc/satosa/config
COPY run.sh /usr/local/bin
-
-# execute our custom script as command
CMD ["/usr/local/bin/run.sh"]
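Review bot: With the configuration now bind-mounted at runtime, `run.sh` (its `ssl/test.crt` fallback and the new `oidc-clients.json` check) and `client_db_path: oidc-clients.json` in the frontend config all resolve relative to the working directory, which this Dockerfile inherits from the base image rather than stating; adding `WORKDIR /etc/satosa` after `FROM satosa:8` makes that assumption explicit and keeps it true if the upstream image changes. Separately, `satosa:8` floats on a major tag, so every rebuild may pull a different upstream image; pinning to a full version or digest, e.g. `FROM satosa:8@sha256:<digest>`, and bumping deliberately gives reproducible builds for a component that fronts all logins.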
diff --git a/README.md b/README.md
index d982bcb..ebc0c60 100644
--- a/README.md
+++ b/README.md
@@ -63,6 +63,13 @@ Further, the following configuration is required:
* Scopes: `openid profile email`
+## Configuring OIDC clients
+
+Dynamic registration of OIDC clients is disabled per configuration.
+Instead, clients for the OIDC frontend should be configured via `oidc-clients.json`.
+An example configuration can be found in the file `oidc-clients.json.example`.
+
+
## SSL/TLS keys
Our Satosa setup needs three sets of key files for its operation:
diff --git a/config/oidc-frontend.yaml b/config/oidc-frontend.yaml
index 0f81ba6..68ac190 100644
--- a/config/oidc-frontend.yaml
+++ b/config/oidc-frontend.yaml
@@ -31,14 +31,14 @@ config:
# Otherwise, if client_db_path is set, the JSON file is used.
# By default, an in-memory dictionary is used.
#client_db_uri: mongodb://db.example.com
- #client_db_path: /path/to/your/cdb.json
+ client_db_path: oidc-clients.json
# if not specified, it is randomly generated on every startup
sub_hash_salt: !ENV SATOSA_OIDC_HASH_SALT
sub_mirror_public: yes
provider:
- client_registration_supported: yes
+ client_registration_supported: no
response_types_supported: ["code"]
subject_types_supported: ["pairwise"]
scopes_supported: ["openid", "email", "profile", "extras"]
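Review bot: `client_db_path: oidc-clients.json` is a relative path, so which file SATOSA opens depends on the process's working directory, while docker-compose mounts the file at a fixed location; `client_db_path: /etc/satosa/oidc-clients.json` ties the setting to the mount and fails visibly rather than silently using a different file if the working directory ever changes. Since `client_registration_supported: no` means this file is, as far as this config shows, the complete allow-list of clients, a short comment above the line such as `# sole source of registered clients now that dynamic registration is off; mounted read-only by docker-compose` would help the next operator understand why the file is mandatory.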
diff --git a/docker-compose.yml b/docker-compose.yml
index fceee23..320349f 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -20,7 +20,12 @@ services:
ports:
- ${SATOSA_DEPLOYMENT_PORT:-443}:${SATOSA_PORT:-8443}
volumes:
+ - ./config:/etc/satosa/config
+ - ./proxy_conf.yaml:/etc/satosa/proxy_conf.yaml
+ - ./oidc-clients.json:/etc/satosa/oidc-clients.json
+ - ./blacklist.json:/etc/satosa/blacklist.json
- ./ssl:/etc/satosa/ssl:ro
+ stop_grace_period: "2.5s"
networks:
default:
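Review bot: The four new bind mounts are read-write, unlike `./ssl:/etc/satosa/ssl:ro` directly below them; `oidc-clients.json` is now the only list of trusted clients and their secrets and `proxy_conf.yaml` drives the whole proxy, so a compromised SATOSA process could register itself a client or rewrite the configuration from inside the container. Presumably SATOSA only reads these files once runtime registration is disabled, in which case all four should carry `:ro` like the ssl mount. Note also that a single-file bind mount whose host path does not exist makes Docker create an empty directory of that name on the host; the `-f` check in `run.sh` will then refuse to start, but the stray directory has to be removed before the real file can be put in place.
```yaml
    volumes:
      - ./config:/etc/satosa/config:ro
      - ./proxy_conf.yaml:/etc/satosa/proxy_conf.yaml:ro
      - ./oidc-clients.json:/etc/satosa/oidc-clients.json:ro
      - ./blacklist.json:/etc/satosa/blacklist.json:ro
      # … unchanged: ssl mount, stop_grace_period …
```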
diff --git a/oidc-clients.json.example b/oidc-clients.json.example
new file mode 100644
index 0000000..a9d13c5
--- /dev/null
+++ b/oidc-clients.json.example
@@ -0,0 +1,10 @@
+{
+ "keycloak": {
+ "response_types": ["code"],
+ "client_id": "keycloak",
+ "client_secret": "secret",
+ "redirect_uris": [
+ "https://auth.researchdata.tuwien.ac.at/auth/realms/test/broker/satosa/endpoint"
+ ]
+ }
+}
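Review bot: The example's `client_secret` is the literal string `secret`, and with dynamic registration disabled this file is the only credential check a relying party faces, so an example copied to `oidc-clients.json` without editing becomes a guessable secret on a production IdP. A value that cannot be mistaken for real, such as `"client_secret": "REPLACE-ME-generate-with-openssl-rand-hex-32"`, together with a sentence in the new README section telling operators to generate a distinct random secret per client, removes that trap. The `redirect_uris` entry also names what looks like a real host with a `test` realm; if it is only illustrative, an `example.org` URL avoids it being kept by mistake.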
diff --git a/run.sh b/run.sh
index 2e0d84f..d1b91fb 100755
--- a/run.sh
+++ b/run.sh
@@ -20,6 +20,11 @@ if [[ ! -f "${SATOSA_GUNICORN_CERT}" ]]; then
SATOSA_GUNICORN_CERT="ssl/test.crt"
fi
+if [[ ! -f "oidc-clients.json" ]]; then
+ echo >&2 "ERROR: could not find the file 'oidc-clients.json'!"
+ exit 1
+fi
+
# either use gunicorn directly, or run it through pipenv
if [[ "${SATOSA_USE_PIPENV}" -ne "1" ]]; then
gunicorn -b "0.0.0.0:${SATOSA_PORT}" satosa.wsgi:app --keyfile="${SATOSA_GUNICORN_KEY}" --certfile="${SATOSA_GUNICORN_CERT}"
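Review bot: The new guard tests `oidc-clients.json` relative to the working directory, which this script never sets; that matches the `ssl/test.crt` fallback above it, but it means both this check and SATOSA's `client_db_path` silently depend on the base image's working directory being `/etc/satosa`, where docker-compose mounts the file. Testing readability instead of existence, `if [[ ! -r "oidc-clients.json" ]]; then`, additionally catches a mount that is present but unreadable by the service user, which would otherwise fail later inside gunicorn with a less obvious error; alternatively anchor the path as `/etc/satosa/oidc-clients.json`. The script continues outside the hunk on both sides.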
--
GitLab