This section describes how to set up a test environment locally with Docker Compose.
WARNING: THIS IS FOR TEST PURPOSES ONLY! DO NOT USE THIS IN PRODUCTION!!!
In your Linux bash, clone this repository to your home directory:
```bash
git clone https://github.com/JonasPrimbs/oidc-e2ea-server.git
```
Now navigate to the cloned directory:
```bash
cd oidc-e2ea-server
```
Execute the following command:
```bash
bash ./generate-secrets.sh
```
This will randomly generate all usernames, passwords, and private keys, which are unique to your installation, and store them in the new directory `.secrets/` and in a `.env` file in the repository.
Go to the generated `/.env` file and configure the following parameters:
- `OP_HOST=<your-hostname>`: the host/domain name of your server. Default is `op.localhost`.
For a local deployment, you can leave these settings at their defaults.
Start up your OpenID Provider for the first time using the following command:
```bash
docker compose up -d op
```
This might take a while, since all related container images must be downloaded first.
This section describes how to set up the Keycloak OpenID Provider to make it ready to issue ID Assertion Tokens.
Open your browser and go to `http://<your-hostname>/admin/`, where `<your-hostname>` is your configured hostname.
By default, this is `http://op.localhost/admin`.
Then sign in with the credentials generated in the following files:
- Username: `/.secrets/op_username.txt`
- Password: `/.secrets/op_password.txt`
If you experience a Bad Gateway error, wait for up to one minute until your Keycloak instance is ready!
On the top left, click the dropdown menu and select the realm `ict`.
Import the generated private key as follows:
- Go to Configure > Realm settings > Keys > Providers.
- In Add provider, select the option `rsa`.
- In the field Private RSA Key, select Browse... and select the generated private key file `private.pem` in the `/.secrets/` directory of the cloned repository.
- Click Save to store the changes.
- Go to the file `/.secrets/ict.env`.
- Copy the Kid of your newly generated key of Type `rsa` from Configure > Realm settings > Keys > Key list.
- Paste the copied Kid parameter into the `/.secrets/ict.env` file as the value for the key `KID`, e.g. `KID=GFSKUd9yi3LiQhT6HKuU4IOymufp_OIIlG8DmGa8hvs`.
Create a new test user as follows:
- Go to Manage > Users > User list > Create new user.
- Insert at least a Username.
- Create the user.
- In the tab Credentials, click Set password.
- Insert a Password, repeat it in Password confirmation, and set Temporary to off. Then click Save.
- Confirm the dialog by clicking Save password.
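As an added example that is not part of the repository, the following Python script checks the KID step above: the `KID` written to `/.secrets/ict.env` must be the `kid` of an RSA signing key that the `ict` realm actually publishes, otherwise tokens signed with the imported key cannot be matched to a public key. It assumes the realm's JWKS is served at `http://<your-hostname>/realms/ict/protocol/openid-connect/certs` (a Keycloak version without the legacy `/auth` prefix, consistent with the `/admin/` URL above). The JWKS document and the `ict.env` content below are constructed samples; the KID value is the one from the page's example, and the function names are my own.

```python
import json
import re
from typing import Optional, Tuple

# Constructed sample of a realm JWKS as Keycloak publishes it at
# /realms/ict/protocol/openid-connect/certs. The key material ("n") is a
# placeholder; only "kid", "kty", "use" and "alg" matter for this check.
SAMPLE_JWKS = {
    "keys": [
        {"kid": "GFSKUd9yi3LiQhT6HKuU4IOymufp_OIIlG8DmGa8hvs", "kty": "RSA",
         "alg": "RS256", "use": "sig", "n": "placeholder-modulus", "e": "AQAB"},
        {"kid": "constructed-encryption-key-id", "kty": "RSA",
         "alg": "RSA-OAEP", "use": "enc", "n": "placeholder-modulus", "e": "AQAB"},
    ]
}

# Constructed content of /.secrets/ict.env after the KID line has been filled in.
SAMPLE_ICT_ENV = """# constructed sample of the file written by generate-secrets.sh
KID=GFSKUd9yi3LiQhT6HKuU4IOymufp_OIIlG8DmGa8hvs
"""


def read_env_value(env_text: str, key: str) -> Optional[str]:
    """Return the value of KEY=value from dotenv-style text, or None if absent."""
    pattern = re.compile(rf"^\s*{re.escape(key)}\s*=\s*(.*?)\s*$", re.MULTILINE)
    match = pattern.search(env_text)
    if match is None:
        return None
    # Strip optional surrounding quotes so KID="x" and KID=x are treated alike.
    return match.group(1).strip('"').strip("'")


def find_signing_key(jwks: dict, kid: str) -> Optional[dict]:
    """Return the JWK with the given kid if it is an RSA key usable for signing."""
    for jwk in jwks.get("keys", []):
        # JWK "use" is optional; a key without it may be used for signing.
        if (jwk.get("kid") == kid and jwk.get("kty") == "RSA"
                and jwk.get("use", "sig") == "sig"):
            return jwk
    return None


def check_kid(env_text: str, jwks: dict) -> Tuple[bool, str]:
    """Verify that the configured KID refers to a published RSA signing key."""
    kid = read_env_value(env_text, "KID")
    if not kid:
        return False, "KID is not set in ict.env"
    key = find_signing_key(jwks, kid)
    if key is None:
        published = [k.get("kid") for k in jwks.get("keys", [])]
        return False, f"KID {kid} is not a published RSA signing key; published kids: {published}"
    return True, f"KID {kid} matches an RSA signing key (alg {key.get('alg')})"


def check_kid_live(env_path: str, jwks_url: str) -> Tuple[bool, str]:
    """Same check against a running deployment (network access; not used by the sample run)."""
    from urllib.request import urlopen
    with open(env_path, encoding="utf-8") as fh, urlopen(jwks_url) as resp:
        return check_kid(fh.read(), json.load(resp))


if __name__ == "__main__":
    ok, message = check_kid(SAMPLE_ICT_ENV, SAMPLE_JWKS)
    print(("OK: " if ok else "FAIL: ") + message)
```

Against a running instance, call `check_kid_live(".secrets/ict.env", "http://op.localhost/realms/ict/protocol/openid-connect/certs")` from the repository root. A mismatch usually means the Kid was copied from a different key (for example the realm's default generated one or an encryption key) rather than the imported `rsa` provider.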
To introspect the Access Token from the Authorization Server, the ICT Endpoint must be registered at the Authorization Server as follows:
- Go to Clients > Client list > ict_endpoint > Credentials.
- Regenerate the Client secret and copy it to the clipboard.
- Open an HTTP Basic Authentication Header Generator.
- As Username, insert `ict_endpoint`.
- As Password, paste the Client secret.
- Generate the Basic Auth header and copy the header value (e.g., `Basic aWN0X2VuZHBvaW50OjhjOHY2aGRhZ3c5ZXRTOFVMYVdVZ1dhT2ZUNWpKTzNa`).
- Paste this value into the `/.env` file as the value of the `ICT_CREDENTIALS` variable.
Example:
```
ICT_CREDENTIALS="Basic aWN0X2VuZHBvaW50OjhjOHY2aGRhZ3c5ZXRTOFVMYVdVZ1dhT2ZUNWpKTzNa"
```
This step depends on your intention in running this deployment:
- Testing: Choose this mode if you just want to run the deployment for testing purposes.
- Development: Choose this mode if you want to change the implementation of the ICT endpoint application.
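Before choosing a mode, it is worth checking the `ICT_CREDENTIALS` value set in the registration steps above. The following Python is an added example, not code from the repository: it builds the Basic Authentication header value locally from the client id `ict_endpoint` and the client secret (the same encoding an online generator produces, so the secret never has to be pasted into a third-party web page), decodes a header back to its parts, and confirms that the value in `/.env` decodes to the expected client id. The secret below is the one embedded in the page's example header; `set_env_value` and `check_env_credentials` are my own helper names.

```python
import base64
import binascii
import re
from typing import Optional, Tuple

# Client id of the ICT endpoint as registered in the Keycloak realm (from the page).
CLIENT_ID = "ict_endpoint"
# Client secret contained in the page's example header. A real deployment uses the
# freshly regenerated secret from Clients > Client list > ict_endpoint > Credentials.
EXAMPLE_SECRET = "8c8v6hdagw9etS8ULaWUgWaOfT5jJO3Z"


def build_basic_auth_header(client_id: str, secret: str) -> str:
    """RFC 7617 Basic scheme: 'Basic ' + base64(client_id ':' secret)."""
    if ":" in client_id:
        # The user id may not contain ':' because it is the separator.
        raise ValueError("client id must not contain ':'")
    token = base64.b64encode(f"{client_id}:{secret}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def parse_basic_auth_header(header: str) -> Optional[Tuple[str, str]]:
    """Inverse of build_basic_auth_header; None if the header is not well-formed."""
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    if not sep:
        return None
    return user, password


def set_env_value(env_text: str, key: str, value: str) -> str:
    """Replace (or append) KEY="value" in dotenv-style text, keeping other lines."""
    line = f'{key}="{value}"'
    pattern = re.compile(rf"^{re.escape(key)}=.*$", re.MULTILINE)
    if pattern.search(env_text):
        return pattern.sub(lambda _m: line, env_text, count=1)
    if env_text and not env_text.endswith("\n"):
        env_text += "\n"
    return env_text + line + "\n"


def check_env_credentials(env_text: str, expected_client_id: str = CLIENT_ID) -> bool:
    """True if ICT_CREDENTIALS in the text is a Basic header for the expected client id."""
    match = re.search(r'^ICT_CREDENTIALS="?(.*?)"?$', env_text, re.MULTILINE)
    if not match:
        return False
    parsed = parse_basic_auth_header(match.group(1))
    return parsed is not None and parsed[0] == expected_client_id and bool(parsed[1])


if __name__ == "__main__":
    header = build_basic_auth_header(CLIENT_ID, EXAMPLE_SECRET)
    print(header)
    # Constructed .env content before the credentials are filled in.
    env = set_env_value("OP_HOST=op.localhost\nICT_CREDENTIALS=\n", "ICT_CREDENTIALS", header)
    print(env, "valid:", check_env_credentials(env))
```

To update the real file, read `.env`, pass its content through `set_env_value` with the header built from the regenerated secret, and write it back; `check_env_credentials` then tells you whether the stored value still belongs to `ict_endpoint`, which catches a header that was generated for the wrong username or pasted incompletely.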
Do this step only if you want to run this deployment for testing purposes!
- Go to `/docker-compose.yaml`.
- Uncomment line 65 (the `image` attribute in service `ict`).
- Comment out lines 68 to 70 (the `build` attribute in service `ict`).
Do this step only if you want to run this deployment for development purposes!
- Go to `/docker-compose.yaml`.
- Comment out line 65 (the `image` attribute in service `ict`).
- Uncomment lines 68 to 70 (the `build` attribute in service `ict`).
Stop the infrastructure with the following command:
```bash
docker compose down
```
And start it again:
```bash
docker compose up -d
```
Default username in Authentik is `akadmin`.