# Authentication

Crust supports a fixed set of standard OAuth 2 authentication providers
(facebook, gplus, github and linkedin) and an arbitrary number of custom
issuers (over OpenID Connect).

# Available settings

Settings for external providers are stored under keys
`auth.external.providers.<provider>.<prop>` and
`auth.external.providers.openid-connect.<provider>.<prop>`.

Prop is one of: `key`, `secret`, `enabled`. OIDC settings also have an `issuer` prop.

Example settings (`system-cli settings list --prefix=auth.external`):

```
auth.external.callback-endpoint "https://your-crust-system-api-backend/auth/external/%s/callback"
auth.external.enabled true
auth.external.providers.facebook.enabled true
auth.external.providers.facebook.key "24226007270326"
auth.external.providers.facebook.secret "7vtfXx213cfc125804a226afcae777fe47"
auth.external.providers.gplus true
auth.external.providers.gplus.enabled true
auth.external.providers.gplus.key "10629818561-7a8vr0avs47dqic43h2lkrurhr.apps.googleusercontent.com"
auth.external.providers.gplus.secret "bkHmIFdk2YvtfXx"
auth.external.providers.github.enabled false
auth.external.providers.github.key null
auth.external.providers.github.secret null
auth.external.providers.linkedin.enabled false
auth.external.providers.linkedin.key null
auth.external.providers.linkedin.secret null
auth.external.providers.openid-connect.crust-iam.enabled true
auth.external.providers.openid-connect.crust-iam.key "tXM2ouiovowzGabk"
auth.external.providers.openid-connect.crust-iam.issuer "https://satosa.didmos.latest.crust.tech"
auth.external.providers.openid-connect.crust-iam.secret "e1d68bfd7718468ba8fd36131f5176b1"
auth.external.redirect-url "http://system.api.local.crust.tech:3002/auth/external/%s/callback"
auth.external.session-store-secret "fCVFSRWjVEcoYuhXSf3f6zVWO1p38XEWz2yS8WH7wKDbvpxFrZq7zlEuiUTvk4QF"
```

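Because every enabled provider needs a usable `key`/`secret` pair (plus `issuer` for OIDC) and the callback endpoint should be served over TLS, a quick lint over the `settings list` output catches misconfigurations before a restart. The script below is an added example, not part of Crust or its CLI: it parses the `key value` lines shown above (values are raw JSON), groups the provider props, and reports missing credentials, a non-HTTPS callback endpoint, and a short session-store secret. The sample listing and the 32-character minimum for the session secret are constructed assumptions.

```python
import json
from collections import defaultdict

# Constructed sample in `system-cli settings list --prefix=auth.external` format; placeholder values only.
SAMPLE = """\
auth.external.callback-endpoint "http://system.api.example.tld/auth/external/%s/callback"
auth.external.providers.facebook.enabled true
auth.external.providers.facebook.key "fb-app-id-placeholder"
auth.external.providers.facebook.secret null
auth.external.providers.github.enabled false
auth.external.providers.openid-connect.crust-iam.enabled true
auth.external.providers.openid-connect.crust-iam.key "client-id-placeholder"
auth.external.providers.openid-connect.crust-iam.secret "client-secret-placeholder"
auth.external.providers.openid-connect.crust-iam.issuer "https://issuer.example.tld"
auth.external.session-store-secret "short"
"""

PREFIX = "auth.external.providers."

def parse_settings(text):
    """Parse `key value` lines into a dict; the value column is raw JSON."""
    settings = {}
    for line in text.splitlines():
        if line.strip():
            key, _, raw = line.partition(" ")
            settings[key] = json.loads(raw)
    return settings

def lint(settings):
    """Return the problems an operator should fix before enabling external auth."""
    problems = []
    callback = settings.get("auth.external.callback-endpoint") or ""
    if not callback.startswith("https://"):
        problems.append("callback-endpoint is not https")
    if len(settings.get("auth.external.session-store-secret") or "") < 32:  # assumed minimum
        problems.append("session-store-secret shorter than 32 chars")
    providers = defaultdict(dict)
    for key, value in settings.items():
        if key.startswith(PREFIX):
            name, _, prop = key[len(PREFIX):].rpartition(".")  # keeps "openid-connect.<name>"
            providers[name][prop] = value
    for name, props in sorted(providers.items()):
        if not props.get("enabled"):
            continue  # disabled providers may legitimately have null key/secret
        required = ["key", "secret"] + (["issuer"] if name.startswith("openid-connect.") else [])
        for prop in required:
            if not props.get(prop):
                problems.append(f"{name}: enabled but {prop} is missing")
    return problems
```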
# Changing settings

Authentication settings can be changed in the administration (via the API) and with the CLI
command (`system-cli settings set <key> <value>`). Please bear in mind that values passed
to the CLI tool must always be in raw JSON format.

Changing values requires a system service restart.

On startup, you should see log entries similar to these:

```
initializing external authentication providers (3)
external authentication provider "facebook" added
external authentication provider "gplus" added
external authentication provider "openid-connect.crust-iam" added
```

# OIDC Auto discovery/configuration

Crust CLI comes with an auto-discovery tool:

```bash
system-cli external-auth auto-discovery name url
```

```bash
system-cli external-auth auto-discovery crust-iam https://satosa.didmos.crust.example.tld
```

This will auto-discover and auto-configure a new OIDC provider.
If an entry with this name already exists, it will be overridden.

Please note that this provider is disabled by default.

To enable it, run:

```bash
system-cli settings set auth.external.providers.openid-connect.crust-iam.enabled true
```