diff --git a/.env.example b/.env.example
index d63e019..bc0ef7a 100644
--- a/.env.example
+++ b/.env.example
@@ -24,7 +24,7 @@ ASSOCIATION_NAME="Sportsclub XYZ"
 # OIDC_CLIENT_ID=mv
 # OIDC_BASE_URL=http://localhost:8080/auth/v1
 # OIDC_REDIRECT_URI=http://localhost:4001/auth/user/oidc/callback
-# OIDC_CLIENT_SECRET=your-oidc-client-secret
+# OIDC_CLIENT_SECRET=mv-dev-shared-secret-not-for-production-do-not-use-anywhere-else
 # Optional: OIDC group → Admin role sync (e.g. Authentik groups from profile scope)
 # If OIDC_ADMIN_GROUP_NAME is set, users in that group get Admin role on registration/sign-in.
diff --git a/README.md b/README.md
index 9fc2f83..8b26327 100644
--- a/README.md
+++ b/README.md
@@ -124,8 +124,8 @@ mix archive.install hex phx_new
 1. Copy env file:
 ```bash
 cp .env.example .env
- # Set OIDC_CLIENT_SECRET inside .env
 ```
+ The dev `OIDC_CLIENT_SECRET` is already preset — no manual GUI step needed.
 2. Start everything (database, Mailcrab, Rauthy, app):
 ```bash
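Review bot: The new `OIDC_CLIENT_SECRET` value is a working credential committed to the repository — it is the same `Plain` secret seeded into the `mv` client by `rauthy-bootstrap/clients.json` — so nothing stops a `.env` copied from this template from carrying it into a non-dev deployment; the app's runtime config is not visible here, but a fail-fast guard there, roughly `if config_env() != :dev and System.get_env("OIDC_CLIENT_SECRET") == "mv-dev-shared-secret-not-for-production-do-not-use-anywhere-else", do: raise("refusing to start with the dev OIDC client secret")`, would make the "not-for-production" label enforceable. The line also stays commented out (`# OIDC_CLIENT_SECRET=...`), so `cp .env.example .env` alone does not set it unless the app defaults to this value elsewhere, which sits oddly next to the README's "already preset" claim in the next hunk. Finally, the context line `# OIDC_REDIRECT_URI=http://localhost:4001/auth/user/oidc/callback` uses port 4001 while the seeded client's `redirect_uris` only contains `http://localhost:4000/auth/user/oidc/callback`, so uncommenting the template as-is would presumably fail with a redirect_uri mismatch; one of the two should be corrected.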
@@ -139,21 +139,9 @@ mix archive.install hex phx_new
 ## 🔐 Testing SSO locally
-Mila uses OIDC for Single Sign-On. In development, a local **Rauthy** instance is provided.
+A local **Rauthy** instance is provided in dev. The `mv` client is auto-seeded from `rauthy-bootstrap/clients.json` on first start (and after `docker compose down -v`), so the secret in `.env.example` always matches.
-1. `just run`
-2. go to [localhost:8080](http://localhost:8080), go to the Admin area
-3. Login with "admin@localhost" and password from `BOOTSTRAP_ADMIN_PASSWORD_PLAIN` in docker-compose.yml
-4. add client from the admin panel
- Client ID: mv
- redirect uris: http://localhost:4000/auth/user/oidc/callback
- Authorization Flows: authorization_code
- allowed origins: http://localhost:4000
- access/id token algortihm: RS256 (EDDSA did not work for me, found just few infos in the ashauthentication docs)
-5. copy client secret to `.env` file
-6. abort and run `just run` again
-
-Now you can log in to Mila via OIDC!
+Rauthy admin UI: — login `admin@localhost`, password from `BOOTSTRAP_ADMIN_PASSWORD_PLAIN` in `docker-compose.yml`.
 ### OIDC with other providers (Authentik, Keycloak, etc.)
diff --git a/docker-compose.yml b/docker-compose.yml
index 512626b..01a0bd2 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -36,6 +36,9 @@ services:
 - BOOTSTRAP_ADMIN_PASSWORD_PLAIN=RauthyTest12345
 # Disable strict IP validation to allow access from multiple Docker networks
 - SESSION_VALIDATE_IP=false
+ # Auto-seed the `mv` OIDC client (id + plain secret) on first DB init.
+ # Re-runs after `docker compose down -v` because the DB is empty again.
+ - BOOTSTRAP_DIR=/app/bootstrap
 ports:
 - "8080:8080"
 depends_on:
@@ -46,6 +49,7 @@ services:
 - local
 volumes:
 - rauthy-data:/app/data
+ - ./rauthy-bootstrap:/app/bootstrap:ro
 volumes:
 postgres-data:
diff --git a/rauthy-bootstrap/clients.json b/rauthy-bootstrap/clients.json
new file mode 100644
index 0000000..e0f608a
--- /dev/null
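Review bot: Now that `BOOTSTRAP_DIR` seeds a client whose secret is public in the repository, and `BOOTSTRAP_ADMIN_PASSWORD_PLAIN=RauthyTest12345` is already in this file, the existing `- "8080:8080"` mapping in the same hunk publishes the dev IdP on every host interface, so anyone on the same network can presumably log into the admin UI or drive the `mv` client with known credentials. Binding the publish to loopback, `- "127.0.0.1:8080:8080"`, keeps the well-known credentials off the LAN without changing the `http://localhost:8080/auth/v1` base URL the app is configured with. The new comment could also spell out the flip side of "first DB init": edits to `rauthy-bootstrap/clients.json` (redirect URIs, secret) are silently not applied to an existing `rauthy-data` volume, e.g. `# NOTE: changes to clients.json do NOT apply to an existing rauthy-data volume; run docker compose down -v to re-seed.`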
+++ b/rauthy-bootstrap/clients.json
@@ -0,0 +1,20 @@
+[
+ {
+ "id": "mv",
+ "name": "Mila dev",
+ "secret": { "Plain": "mv-dev-shared-secret-not-for-production-do-not-use-anywhere-else" },
+ "redirect_uris": ["http://localhost:4000/auth/user/oidc/callback"],
+ "post_logout_redirect_uris": ["http://localhost:4000/"],
+ "allowed_origins": ["http://localhost:4000"],
+ "enabled": true,
+ "flows_enabled": ["authorization_code", "refresh_token"],
+ "access_token_alg": "RS256",
+ "id_token_alg": "RS256",
+ "auth_code_lifetime": 60,
+ "access_token_lifetime": 1800,
+ "scopes": ["openid", "profile", "email", "groups"],
+ "default_scopes": ["openid", "profile", "email", "groups"],
+ "challenges": ["S256"],
+ "force_mfa": false
+ }
+]
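Review bot: `redirect_uris` and `allowed_origins` pin the seeded client to `http://localhost:4000`, but the `.env.example` hunk in this same change still documents `OIDC_REDIRECT_URI=http://localhost:4001/auth/user/oidc/callback`; since an authorization request whose redirect_uri is not in this list will presumably be rejected, the dev flow breaks for anyone who uncomments the template unchanged, so either add `"http://localhost:4001/auth/user/oidc/callback"` here or correct the env template to 4000. The `Plain` secret is long and self-describing, which is the right shape for a committed dev credential, but JSON has no comment syntax, so the do-not-reuse warning and the fact that this file is only read on an empty Rauthy database should live next to the consumer — the `BOOTSTRAP_DIR` comment in `docker-compose.yml` or the SSO section of the README. Requiring `"challenges": ["S256"]` (PKCE) on a confidential client is a sensible default and worth keeping when this file is copied for other environments.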