Draft: SSO login (OAuth 2.0 + OpenID Connect) #1012
4 changed files with 45 additions and 17 deletions
|
@ -121,6 +121,7 @@ lazy_static = "1.4.0"
|
|||
async-trait = "0.1.68"
|
||||
|
||||
sd-notify = { version = "0.4.1", optional = true }
|
||||
url = { version = "2.5.0", features = ["serde"] }
|
||||
|
||||
[target.'cfg(unix)'.dependencies]
|
||||
nix = { version = "0.26.2", features = ["resource"] }
|
||||
|
|
|
@ -56,9 +56,13 @@ trusted_servers = ["matrix.org"]
|
|||
address = "127.0.0.1" # This makes sure Conduit can only be reached using the reverse proxy
|
||||
#address = "0.0.0.0" # If Conduit is running in a container, make sure the reverse proxy (ie. Traefik) can reach it.
|
||||
|
||||
[default.openid]
|
||||
client_id = "conduit"
|
||||
secret = "00000000-0000-0000-0000-000000000000"
|
||||
discover_url = "https://keycloak.domain.com/auth/realms/Realm_name"
|
||||
macaroon_key = "this is the key"
|
||||
redirect_url = "http://localhost:8081/sso_return"
|
||||
|
||||
[[oidc_provider]]
|
||||
id = "keycloak"
|
||||
name = "keycloak"
|
||||
client.id = "conduit"
|
||||
client.secret = "00000000-0000-0000-0000-000000000000"
|
||||
discover_url = "https://keycloak.domain.com/auth/realms/example"
|
||||
scopes = ["openid", "read_user"]
|
||||
backchannel_logout = true
|
||||
|
|
|
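Review bot: The `client.secret` line in the new `[[oidc_provider]]` table is a real credential in any deployment, but the example gives no warning that the all-zeros value is a placeholder or that the config file then needs restrictive permissions; a comment such as `# client.secret is a credential: replace the placeholder and keep this file readable only by the Conduit user` above it would help. `discover_url` should likewise be documented as HTTPS-only, since a discovery document fetched over plain HTTP lets an on-path attacker substitute the token and userinfo endpoints. The removed `[default.openid]` block had a `redirect_url`; the new table has none, so the callback URL is presumably derived elsewhere — worth a comment stating where, as the value must match what is registered at the provider.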
@ -4,14 +4,14 @@ use std::{
|
|||
net::{IpAddr, Ipv4Addr},
|
||||
};
|
||||
|
||||
use reqwest::Url;
|
||||
use ruma::{OwnedServerName, RoomVersionId};
|
||||
use serde::{de::IgnoredAny, Deserialize};
|
||||
use tracing::warn;
|
||||
|
||||
mod proxy;
|
||||
mod oidc;
|
||||
|
||||
use self::proxy::ProxyConfig;
|
||||
use self::{oidc::ProviderConfig, proxy::ProxyConfig};
|
||||
|
||||
#[derive(Clone, Debug, Deserialize)]
|
||||
pub struct Config {
|
||||
|
@ -80,7 +80,10 @@ pub struct Config {
|
|||
pub turn_secret: String,
|
||||
#[serde(default = "default_turn_ttl")]
|
||||
pub turn_ttl: u64,
|
||||
pub openid: Option<OpenIdConfig>,
|
||||
#[serde(default)]
|
||||
pub macaroon_key: Option<String>,
|
||||
#[serde(default)]
|
||||
pub oidc_provider: Option<Vec<ProviderConfig>>,
|
||||
|
||||
pub emergency_password: Option<String>,
|
||||
|
||||
|
@ -94,15 +97,6 @@ pub struct TlsConfig {
|
|||
pub key: String,
|
||||
}
|
||||
|
||||
#[derive(Clone, Debug, Deserialize)]
|
||||
pub struct OpenIdConfig {
|
||||
pub client_id: String,
|
||||
pub secret: String,
|
||||
pub discover_url: Url,
|
||||
pub macaroon_key: String,
|
||||
pub redirect_url: String,
|
||||
}
|
||||
|
||||
const DEPRECATED_KEYS: &[&str] = &["cache_capacity"];
|
||||
|
||||
impl Config {
|
||||
|
|
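Review bot: `macaroon_key` is a signing secret held as a plain `String` inside a struct that derives `Debug`, so any `{:?}` of `Config` (for example in a startup log) prints it; wrapping it in a newtype whose `Debug` impl writes `[redacted]` avoids that. The `#[serde(default)]` on `macaroon_key` and `oidc_provider` is redundant, serde already treats `Option` fields as optional, though harmless. The new field is `Option<String>` whereas the removed `OpenIdConfig::macaroon_key` was required; if the SSO path signs anything with it, the code that reads it (outside this hunk) should reject an absent or empty key rather than substitute a default. `Config`'s definition starts and ends outside the hunk.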
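--- /dev/null
+++ b/src/config/oidc.rs
@@ -0,0 +1,29 @@
+use serde::Deserialize;
+
+#[derive(Clone, Debug, Deserialize)]
+pub struct ProviderConfig {
+id: String,
+name: String,
+icon: Option<String>,
+
+client: ClientConfig,
+scopes: Vec<String>,
+
+endpoint: EndpointConfig,
+
+discover_url: Option<url::Url>,
+backchannel_logout: bool,
+}
+
+#[derive(Clone, Debug, Deserialize)]
+pub struct ClientConfig {
+id: String,
+secret: String,
+}
+
+#[derive(Clone, Debug, Default, Deserialize)]
+pub struct EndpointConfig {
+authorization: Option<url::Url>,
+token: Option<url::Url>,
+userinfo: Option<url::Url>,
+}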
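Review bot: `endpoint: EndpointConfig` has no `#[serde(default)]` and is not an `Option`, so every `[[oidc_provider]]` table must carry an `endpoint` sub-table — the example config in this same PR omits it and would fail to deserialize with a missing-field error; `#[serde(default)]` on the field (`EndpointConfig` already derives `Default`) fixes that, and `backchannel_logout` likely wants the same so it defaults to `false`. Once both `discover_url` and the explicit endpoints are optional, a provider with neither is unusable, so a post-deserialize check should reject that combination rather than fail at first login. Separately, `ClientConfig` derives `Debug` with `secret: String`, so debug-printing the configuration leaks the client secret; a manual `Debug` that redacts the field is sketched below. All fields are private with no accessors in this file, so presumably the consumers come in a later commit.

```rust
#[derive(Clone, Deserialize)]
pub struct ClientConfig {
    id: String,
    secret: String,
}

// Manual Debug so a `{:?}` of the config never prints the client secret.
impl std::fmt::Debug for ClientConfig {
    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
        f.debug_struct("ClientConfig")
            .field("id", &self.id)
            .field("secret", &"[redacted]")
            .finish()
    }
}
// … unchanged: ProviderConfig and EndpointConfig …
```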