feat: added OIDC context with keycloak as IdP

README.md

@@ -23,6 +23,12 @@ Choose a cozy subdomain for you instance like `cozy.mydomain.tld`. Declare on yo
 The deployed cozy installation is not ready for web yet, it need to be exposed to the web through a reverse proxy. As cozy generates sub-domains for every applications, Let's Encrypt certificates must be generated dynamically.
 [Webfront+](https://github.com/nicolaspernoud/webfront) can be easily used to do so.  Traefik can also be used, but if you want to do so, consider using the upfront vsellier's [easy-cozy](https://github.com/vsellier/easy-cozy).
 
+## OIDC
+
+This installation creates an normal account named "demo", and an Open Id Connect (OIDC) authenticated account named "demooidc".
+The docker-compose starts a keycloak instance that must be accessible under the url defined in OIDC_IDP environment variable (use webfront+ to reverse proxy it) as well.
+If you do not want to use OICD, you can remove keycloak from the docker compose and delete the demooidc instance.
+
 ## Cozy installation and configuration
 
 - Clone the [easy-cozy](https://forge.grandlyon.com/pocs/cozy/easy-cozy) project

cozystack/Dockerfile

@@ -22,7 +22,7 @@ RUN groupadd --gid 1000 cozy && useradd --gid 1000 --uid 1000 -m -d /usr/local/c
 COPY --chown=cozy:cozy --from=installer /tmp/cozy /usr/local/cozy-stack/cozy
 COPY --chown=cozy:cozy --from=installer /tmp/node /usr/local/node
 COPY --chown=cozy:cozy entrypoint.sh /entrypoint.sh
-COPY --chown=cozy:cozy cozy.yaml /etc/cozy/cozy.yaml
+COPY --chown=cozy:cozy cozy.yaml.template /etc/cozy/cozy.yaml
 ADD --chown=cozy:cozy https://raw.githubusercontent.com/cozy/cozy-stack/master/scripts/konnector-node-run.sh /usr/local/cozy-stack/scripts/
 
 RUN chmod u+x /entrypoint.sh /usr/local/cozy-stack/scripts/konnector-node-run.sh

cozystack/cozy.yaml → cozystack/cozy.yaml.template

@@ -308,3 +308,19 @@ contexts:
     # Use a different noreply mail for this context
     noreply_address: noreply@cozy.beta
     noreply_name: My Cozy Beta
+
+authentication:
+  open-id-connect:
+    disable_password_authentication: true
+    oidc:
+      client_id: cozy
+      client_secret: 75209b5d-302a-40c5-9a4e-823d792fa2fe
+      scope: openid profile
+      redirect_uri: https://COZY_TLD/oidc/redirect
+      authorize_url: https://OIDC_IDP/auth/realms/cozy/protocol/openid-connect/auth
+      token_url: https://OIDC_IDP/auth/realms/cozy/protocol/openid-connect/token
+      userinfo_url: https://OIDC_IDP/auth/realms/cozy/protocol/openid-connect/userinfo
+      userinfo_instance_field: preferred_username
+      userinfo_instance_prefix:
+      userinfo_instance_suffix: .COZY_TLD
+      allow_oauth_token: false

create-instance.sh

@@ -2,19 +2,23 @@
 
 # creates an instance with the default apps and grand lyon apps installed
 
-if [ $# -ne 1 ]; then
-	echo "Usage: $0 <instance url>"
+if [ $# -lt 1 ]; then
+	echo "Usage: $0 <instance url> <oidc if instance should be oidc authenticated>"
 	exit 1
 fi
 INSTANCE_ID=$1
 
+if [ "$2" = "oidc" ]; then
+	OIDC_CONTEXT="--context-name open-id-connect"
+fi
+
 source .env
 
 TMPFILE=$(mktemp /tmp/cozyXXX)
 
 echo "Creating instance ${INSTANCE_ID}.${COZY_TLD} ..."
 
-docker-compose exec cozy ./cozy instances add --host 0.0.0.0 --apps drive,collect,settings,home "${INSTANCE_ID}.${COZY_TLD}" | tee "${TMPFILE}"
+docker-compose exec cozy ./cozy instances add $OIDC_CONTEXT --host 0.0.0.0 --apps drive,collect,settings,home "${INSTANCE_ID}.${COZY_TLD}" | tee "${TMPFILE}"
 
 # Install grand lyon apps
 docker-compose exec cozy ./cozy konnectors install enedis-scraping-connector --domain "${INSTANCE_ID}.${COZY_TLD}" file:///apps_sources/enedis-scraping-connector-build

docker-compose.yml

@@ -41,3 +41,16 @@ services:
         max-size: "1M"
         max-file: "10"
     restart: unless-stopped
+
+  keycloak:
+    image: jboss/keycloak:latest
+    volumes:
+      - /etc/localtime:/etc/localtime:ro
+      - /etc/timezone:/etc/timezone:ro
+      - ./keycloak:/tmp/kc
+    ports:
+      - 8090:8080
+    environment:
+      - KEYCLOAK_USER=admin
+      - KEYCLOAK_PASSWORD=admin
+      - KEYCLOAK_IMPORT=/tmp/kc/realm.json

env.template

@@ -15,3 +15,6 @@ EGL_BASE_URL=mybaseurl
 
 # The authentication key for EGL API
 EGL_API_AUTH_KEY=myapiauthkey
+
+# OIDC
+OIDC_IDP=my.oidc.idp.domain.com

generate-cozy-yaml.sh

+#!/bin/bash
+rm -f ./cozystack/cozy.yaml
+cp ./cozystack/cozy.yaml.template ./cozystack/cozy.yaml
+
+source .env
+
+sed -i "s/COZY_TLD/$COZY_TLD/g" ./cozystack/cozy.yaml
+sed -i "s/OIDC_IDP/$OIDC_IDP/g" ./cozystack/cozy.yaml

install.sh

@@ -17,7 +17,11 @@ sleep 15
 
 # database creation
 sudo ./init.sh
-# instance creation, replace nicolas by the name you want
-sudo ./create-instance.sh nicolas
+# config file generation
+sudo ./generate-cozy-yaml.sh
+# instance creation, replace demo by the name you want
+sudo ./create-instance.sh demo
+# oidc with keycloak instance creation
+sudo ./create-instance.sh demooidc oidc
 # insertion of the EGL api secrets in the database
 sudo ./egl-db-init.sh

keycloak/export_realm_and_users.sh

+#!/bin/bash
+docker-compose exec keycloak /opt/jboss/keycloak/bin/standalone.sh \
+    -Djboss.socket.binding.port-offset=100 \
+    -Dkeycloak.migration.action=export \
+    -Dkeycloak.migration.provider=singleFile \
+    -Dkeycloak.migration.realmName=cozy \
+    -Dkeycloak.migration.usersExportStrategy=REALM_FILE \
+    -Dkeycloak.migration.file=/tmp/kc/realm.json