* Managing Attributes::
* Sharing Attributes with Third Parties::
* Revoking Authorizations of Third Parties::
-* Using the OpenID-Connect IdP::
+* OpenID Connect::
@end menu
@node Managing Attributes
As such, only access to updated data in the future can be revoked.
This behaviour is _exactly the same_ as with other IdPs.
-@node Using the OpenID-Connect IdP
-@subsection Using the OpenID-Connect IdP
+@node OpenID Connect
+@subsection OpenID Connect
-@menu
-* Setting up reclaim.id::
-* For Users::
-* For Service Providers::
-@end menu
+There is an OpenID Connect API for use with reclaimID.
+However, its use is quite complicated to setup.
+As a proof-of-concept, you can look at https://gitlab.com/reclaimid.
-
-@node Setting up reclaim.id
-@subsubsection Setting up reclaim.id
+In the PoC and by convention for reclaimID, the OpenID Connect Endpoints are
+found at:
@example
-$ gnunet-identity -C id
-$ openssl genrsa -des3 -passout pass:xxxx -out server.pass.key 2048
-$ openssl rsa -passin pass:xxxx -in server.pass.key -out /etc/reclaim/reclaim.id.key
-$ rm server.pass.key
-$ openssl req -new -key /etc/reclaim/reclaim.id.key -out server.csr \
- -subj "/CN=reclaim.id.local"
-$ openssl x509 -req -days 365 -in server.csr -signkey /etc/reclaim/reclaim.id.key -out /etc/reclaim/reclaim.id.crt
-$ openssl x509 -in /etc/reclaim/reclaim.id.crt -out /etc/reclaim/reclaim.id.der -outform DER
-$ HEXCERT=`xxd -p /etc/reclaim/reclaim.id.der | tr -d '\n'`
-$ BOXVALUE="6 443 52 3 0 0 $HEXCERT"
-$ gnunet-namestore -z id -a -n reclaim -t A -V "127.0.0.1" -e 1d -p
-$ gnunet-namestore -z id -a -n reclaim -t LEHO -V "reclaim.id.local" -e 1d -p
-$ gnunet-namestore -z id -a -n reclaim -t BOX -V "$BOXVALUE" -e 1d -p
+http://api.reclaim/openid/authorize
+http://api.reclaim/openid/token
+http://api.reclaim/openid/userinfo
+http://api.reclaim/openid/login
@end example
-NGINX setup:
-@example
-server @{
- listen 443;
- server_name reclaim.id.local;
- ssl on;
- ssl_certificate /etc/reclaim/reclaim.id.crt;
- ssl_certificate_key /etc/reclaim/reclaim.id.key;
- ssl_session_timeout 30m;
- ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
- ssl_session_cache shared:SSL:10m;
-
- location /api @{
- rewrite /api/(.*) /$1 break;
- proxy_pass http://127.0.0.1:7776;
- @}
-@}
-@end example
-
-This will expose the REST API of GNUnet at https://reclaim.id/api.
-
-@node For Users
-@subsubsection For Users
-
-To use the OpenID Connect Identity Provider as an end user, you must first intall the User Interface from TODOINSERTURLHERE.
-
-Start the user interface using:
+The token endpoint is protected using HTTP basic authentication.
+You can authenticate using any username and the password configured under:
@example
-$ yarn run build --prod
+$ gnunet-config -s reclaim-rest-plugin -o PSW
@end example
-Now setup a webserver to serve the compiled website under "dist/".
-
-Now we can add the user interfce to our NGINX configuraiton:
+The authorize endpoint is protected using a Cookie which can be obtained through
+a request against the login endpoint.
+This flow is meant to be used in the context of the OpenID Connect authorization
+flow to collect user consent interactively.
+Without a Cookie, the authorize endpoint redirects to a URI configured under:
@example
-server @{
-...
- location / @{
- proxy_pass http://<whereever you serve the UI>;
- @}
-@}
+$ gnunet-config -s reclaim-rest-plugin -o ADDRESS
@end example
-You can thest your setup by accessing https://reclaim.id in your browser through the GNS proxy.
-
-@node For Service Providers
-@subsubsection For Service Providers
+Our PoC includes a user interface (https://gitlab.com/reclaimid) which
+integrates this process is an OpenID Connect compatible fashion.
-To setup an OpenID Connect client, it must first be registered.
-In reclaim, client registration is done by creating a client identity and adding the redirect URI and client description into its namespace:
-
-@example
-$ gnunet-identity -C <rp_name>
-$ gnunet-namestore -z <rp_name> -a -n "+" -t RECLAIM_OIDC_REDIRECT -V <redirect_uri> -e 1d -p
-$ gnunet-namestore -z <rp_name> -a -n "+" -t RECLAIM_OIDC_CLIENT -V "My OIDC Client" -e 1d -p
-@end example
+The token endpoint is protected using OAuth2 and expects the grant
+which is retrieved from the authorization endpoint according to the standard.
-You can now use the OpenID Connect REST endpoints exposed by reclaim.
-
-To request authorization from a user, your webapplication should initiate the OpenID Connect Authorization Flow like this:
-@example
-$ https://reclaim.id/openid/authorize?redirect_uri=<redirect_uri>&client_id=<RP_PKEY>&response_type=code&nonce=1234&scope=attribute1 attribute2 ...
-@end example
-
-You should choose a random number for the nonce parameter. The RP_KEY is the public key corresponding to the <rp_name> identity.
-
-The redirect URI is the URI that you expect the user to return to within the OpenID Connect authorization code flow.
-
-When the user returns to your redirect URI, you can exchange it for an access token at the OpenID Token endpoint.
-The authentication at the token endpoint is performed using the configured password (PSW) in the reclaim configuration (reclaim.conf). To set it execute:
-
-@example
-$ gnunet-config -s reclaim-rest-plugin -o PSW -V <secret>
-@end example
-
-To retrieve the access token, you can access the token endpoint through the proxy like this:
-
-@example
-$ curl --socks5-hostname 127.0.0.1:7777 \
- -X POST \
- https://reclaim.id/openid/token?grant_type=authorization_code&redirect_uri=<redirect_uri>&code=<code> \
- -u <RP_KEY>:<secret>
-@end example
+The userinfo endpoint is protected using OAuth2 and expects a bearer access
+token which is retrieved from a token request.
-If successful, this will return a JSON object containing an ID Token and Access Token.
-The Access Token can be used to access the OpenID Connect userinfo endpoint:
+In order to create and register a client you need to execute the following
+steps:
@example
-$ curl --socks5-hostname 127.0.0.1:7777 \
- -X POST \
- https://reclaim.id/openid/userinfo\
- -H 'Authorization: Bearer <access_token>'
+$ gnunet-identity -C <client_name>
+$ gnunet-namestore -z <client_name> -a -n "@@" -t RECLAIM_OIDC_REDIRECT -V <redirect_uri> -e 1d -p
+$ gnunet-namestore -z <client_name> -a -n "@@" -t RECLAIM_OIDC_CLIENT -V "My OIDC Client" -e 1d -p
@end example
+The client_id will be the public key of the client.
+As a redirect URI, you may use any globally unique DNS or GNS URI.
+The client description will be displayed to the user on authorization.
@node Using the Virtual Public Network
src/arm/gnunet-arm.c
src/arm/gnunet-service-arm.c
src/arm/mockup-service.c
+src/ats-tests/ats-testing-experiment.c
+src/ats-tests/ats-testing-log.c
+src/ats-tests/ats-testing-preferences.c
+src/ats-tests/ats-testing-traffic.c
+src/ats-tests/ats-testing.c
+src/ats-tests/gnunet-ats-sim.c
+src/ats-tests/gnunet-solver-eval.c
+src/ats-tool/gnunet-ats.c
src/ats/ats_api2_application.c
src/ats/ats_api2_transport.c
src/ats/ats_api_connectivity.c
src/ats/ats_api_scanner.c
src/ats/ats_api_scheduling.c
src/ats/gnunet-ats-solver-eval.c
-src/ats/gnunet-service-ats_addresses.c
+src/ats/gnunet-service-ats-new.c
src/ats/gnunet-service-ats.c
+src/ats/gnunet-service-ats_addresses.c
src/ats/gnunet-service-ats_connectivity.c
-src/ats/gnunet-service-ats-new.c
src/ats/gnunet-service-ats_normalization.c
src/ats/gnunet-service-ats_performance.c
src/ats/gnunet-service-ats_plugins.c
src/ats/plugin_ats_mlp.c
src/ats/plugin_ats_proportional.c
src/ats/plugin_ats_ril.c
-src/ats-tests/ats-testing.c
-src/ats-tests/ats-testing-experiment.c
-src/ats-tests/ats-testing-log.c
-src/ats-tests/ats-testing-preferences.c
-src/ats-tests/ats-testing-traffic.c
-src/ats-tests/gnunet-ats-sim.c
-src/ats-tests/gnunet-solver-eval.c
-src/ats-tool/gnunet-ats.c
src/auction/gnunet-auction-create.c
src/auction/gnunet-auction-info.c
src/auction/gnunet-auction-join.c
src/cadet/cadet_api_list_tunnels.c
src/cadet/cadet_test_lib.c
src/cadet/desirability_table.c
-src/cadet/gnunet-cadet.c
src/cadet/gnunet-cadet-profiler.c
+src/cadet/gnunet-cadet.c
src/cadet/gnunet-service-cadet.c
src/cadet/gnunet-service-cadet_channel.c
src/cadet/gnunet-service-cadet_connection.c
src/consensus/plugin_block_consensus.c
src/conversation/conversation_api.c
src/conversation/conversation_api_call.c
-src/conversation/gnunet-conversation.c
src/conversation/gnunet-conversation-test.c
-src/conversation/gnunet_gst.c
-src/conversation/gnunet_gst_test.c
-src/conversation/gnunet-helper-audio-playback.c
+src/conversation/gnunet-conversation.c
src/conversation/gnunet-helper-audio-playback-gst.c
-src/conversation/gnunet-helper-audio-record.c
+src/conversation/gnunet-helper-audio-playback.c
src/conversation/gnunet-helper-audio-record-gst.c
+src/conversation/gnunet-helper-audio-record.c
src/conversation/gnunet-service-conversation.c
+src/conversation/gnunet_gst.c
+src/conversation/gnunet_gst_test.c
src/conversation/microphone.c
src/conversation/plugin_gnsrecord_conversation.c
src/conversation/speaker.c
src/dht/dht_test_lib.c
src/dht/gnunet-dht-get.c
src/dht/gnunet-dht-monitor.c
-src/dht/gnunet_dht_profiler.c
src/dht/gnunet-dht-put.c
src/dht/gnunet-service-dht.c
src/dht/gnunet-service-dht_clients.c
src/dht/gnunet-service-dht_neighbours.c
src/dht/gnunet-service-dht_nse.c
src/dht/gnunet-service-dht_routing.c
+src/dht/gnunet_dht_profiler.c
src/dht/plugin_block_dht.c
src/dns/dns_api.c
src/dns/gnunet-dns-monitor.c
src/dns/gnunet-zonewalk.c
src/dns/plugin_block_dns.c
src/exit/gnunet-daemon-exit.c
-src/exit/gnunet-helper-exit.c
src/exit/gnunet-helper-exit-windows.c
+src/exit/gnunet-helper-exit.c
src/fragmentation/defragmentation.c
src/fragmentation/fragmentation.c
src/fs/fs_api.c
src/fs/gnunet-daemon-fsprofiler.c
src/fs/gnunet-directory.c
src/fs/gnunet-download.c
-src/fs/gnunet-fs.c
src/fs/gnunet-fs-profiler.c
+src/fs/gnunet-fs.c
src/fs/gnunet-helper-fs-publish.c
src/fs/gnunet-publish.c
src/fs/gnunet-search.c
src/gns/gnunet-bcd.c
src/gns/gnunet-dns2gns.c
src/gns/gnunet-gns-benchmark.c
-src/gns/gnunet-gns.c
src/gns/gnunet-gns-helper-service-w32.c
src/gns/gnunet-gns-import.c
src/gns/gnunet-gns-proxy.c
+src/gns/gnunet-gns.c
src/gns/gnunet-service-gns.c
src/gns/gnunet-service-gns_interceptor.c
src/gns/gnunet-service-gns_resolver.c
src/gns/nss/nss_gns_query.c
src/gns/plugin_block_gns.c
src/gns/plugin_gnsrecord_gns.c
+src/gns/w32nsp-install.c
+src/gns/w32nsp-resolve.c
+src/gns/w32nsp-uninstall.c
+src/gns/w32nsp.c
src/gnsrecord/gnsrecord.c
src/gnsrecord/gnsrecord_crypto.c
src/gnsrecord/gnsrecord_misc.c
src/gnsrecord/gnsrecord_serialization.c
src/gnsrecord/plugin_gnsrecord_dns.c
-src/gns/w32nsp.c
-src/gns/w32nsp-install.c
-src/gns/w32nsp-resolve.c
-src/gns/w32nsp-uninstall.c
src/hello/address.c
src/hello/gnunet-hello.c
-src/hello/hello.c
src/hello/hello-ng.c
+src/hello/hello.c
src/hostlist/gnunet-daemon-hostlist.c
src/hostlist/gnunet-daemon-hostlist_client.c
src/hostlist/gnunet-daemon-hostlist_server.c
src/namecache/plugin_namecache_flat.c
src/namecache/plugin_namecache_postgres.c
src/namecache/plugin_namecache_sqlite.c
-src/namestore/gnunet-namestore.c
src/namestore/gnunet-namestore-fcfsd.c
+src/namestore/gnunet-namestore.c
src/namestore/gnunet-service-namestore.c
src/namestore/gnunet-zoneimport.c
src/namestore/namestore_api.c
src/nat-auto/gnunet-service-nat-auto_legacy.c
src/nat-auto/nat_auto_api.c
src/nat-auto/nat_auto_api_test.c
-src/nat/gnunet-helper-nat-client.c
src/nat/gnunet-helper-nat-client-windows.c
-src/nat/gnunet-helper-nat-server.c
+src/nat/gnunet-helper-nat-client.c
src/nat/gnunet-helper-nat-server-windows.c
+src/nat/gnunet-helper-nat-server.c
src/nat/gnunet-nat.c
src/nat/gnunet-service-nat.c
src/nat/gnunet-service-nat_externalip.c
src/nat/gnunet-service-nat_stun.c
src/nat/nat_api.c
src/nat/nat_api_stun.c
-src/nse/gnunet-nse.c
src/nse/gnunet-nse-profiler.c
+src/nse/gnunet-nse.c
src/nse/gnunet-service-nse.c
src/nse/nse_api.c
src/nt/nt.c
+src/peerinfo-tool/gnunet-peerinfo.c
+src/peerinfo-tool/gnunet-peerinfo_plugins.c
src/peerinfo/gnunet-service-peerinfo.c
src/peerinfo/peerinfo_api.c
src/peerinfo/peerinfo_api_notify.c
-src/peerinfo-tool/gnunet-peerinfo.c
-src/peerinfo-tool/gnunet-peerinfo_plugins.c
src/peerstore/gnunet-peerstore.c
src/peerstore/gnunet-service-peerstore.c
src/peerstore/peerstore_api.c
src/regex/regex_test_graph.c
src/regex/regex_test_lib.c
src/regex/regex_test_random.c
-src/rest/gnunet-rest-server.c
src/rest-plugins/json_reclaim.c
src/rest-plugins/oidc_helper.c
src/rest-plugins/plugin_rest_copying.c
src/rest-plugins/plugin_rest_openid_connect.c
src/rest-plugins/plugin_rest_peerinfo.c
src/rest-plugins/plugin_rest_reclaim.c
+src/rest/gnunet-rest-server.c
src/rest/rest.c
src/revocation/gnunet-revocation.c
src/revocation/gnunet-service-revocation.c
src/revocation/plugin_block_revocation.c
src/revocation/revocation_api.c
-src/rps/gnunet-rps.c
src/rps/gnunet-rps-profiler.c
+src/rps/gnunet-rps.c
src/rps/gnunet-service-rps.c
src/rps/gnunet-service-rps_custommap.c
src/rps/gnunet-service-rps_sampler.c
src/rps/gnunet-service-rps_sampler_elem.c
src/rps/gnunet-service-rps_view.c
-src/rps/rps_api.c
src/rps/rps-sampler_client.c
src/rps/rps-sampler_common.c
src/rps/rps-test_util.c
+src/rps/rps_api.c
src/scalarproduct/gnunet-scalarproduct.c
-src/scalarproduct/gnunet-service-scalarproduct_alice.c
-src/scalarproduct/gnunet-service-scalarproduct_bob.c
src/scalarproduct/gnunet-service-scalarproduct-ecc_alice.c
src/scalarproduct/gnunet-service-scalarproduct-ecc_bob.c
+src/scalarproduct/gnunet-service-scalarproduct_alice.c
+src/scalarproduct/gnunet-service-scalarproduct_bob.c
src/scalarproduct/scalarproduct_api.c
src/secretsharing/gnunet-secretsharing-profiler.c
src/secretsharing/gnunet-service-secretsharing.c
src/statistics/statistics_api.c
src/template/gnunet-service-template.c
src/template/gnunet-template.c
+src/testbed-logger/gnunet-service-testbed-logger.c
+src/testbed-logger/testbed_logger_api.c
src/testbed/generate-underlay-topology.c
src/testbed/gnunet-daemon-latency-logger.c
src/testbed/gnunet-daemon-testbed-blacklist.c
src/testbed/gnunet-daemon-testbed-underlay.c
src/testbed/gnunet-helper-testbed.c
-src/testbed/gnunet_mpi_test.c
src/testbed/gnunet-service-test-barriers.c
-src/testbed/gnunet-service-testbed_barriers.c
src/testbed/gnunet-service-testbed.c
+src/testbed/gnunet-service-testbed_barriers.c
src/testbed/gnunet-service-testbed_cache.c
src/testbed/gnunet-service-testbed_connectionpool.c
src/testbed/gnunet-service-testbed_cpustatus.c
src/testbed/gnunet-service-testbed_meminfo.c
src/testbed/gnunet-service-testbed_oc.c
src/testbed/gnunet-service-testbed_peers.c
-src/testbed/gnunet_testbed_mpi_spawn.c
src/testbed/gnunet-testbed-profiler.c
-src/testbed-logger/gnunet-service-testbed-logger.c
-src/testbed-logger/testbed_logger_api.c
-src/testbed/testbed_api_barriers.c
+src/testbed/gnunet_mpi_test.c
+src/testbed/gnunet_testbed_mpi_spawn.c
src/testbed/testbed_api.c
+src/testbed/testbed_api_barriers.c
src/testbed/testbed_api_hosts.c
src/testbed/testbed_api_operations.c
src/testbed/testbed_api_peers.c
src/testbed/testbed_api_sd.c
src/testbed/testbed_api_services.c
src/testbed/testbed_api_statistics.c
-src/testbed/testbed_api_testbed.c
src/testbed/testbed_api_test.c
+src/testbed/testbed_api_testbed.c
src/testbed/testbed_api_topology.c
src/testbed/testbed_api_underlay.c
src/testing/gnunet-testing.c
src/transport/gnunet-communicator-udp.c
src/transport/gnunet-communicator-unix.c
src/transport/gnunet-helper-transport-bluetooth.c
-src/transport/gnunet-helper-transport-wlan.c
src/transport/gnunet-helper-transport-wlan-dummy.c
+src/transport/gnunet-helper-transport-wlan.c
src/transport/gnunet-service-tng.c
-src/transport/gnunet-service-transport_ats.c
src/transport/gnunet-service-transport.c
+src/transport/gnunet-service-transport_ats.c
src/transport/gnunet-service-transport_hello.c
src/transport/gnunet-service-transport_manipulation.c
src/transport/gnunet-service-transport_neighbours.c
src/transport/gnunet-service-transport_plugins.c
src/transport/gnunet-service-transport_validation.c
-src/transport/gnunet-transport.c
src/transport/gnunet-transport-certificate-creation.c
src/transport/gnunet-transport-profiler.c
src/transport/gnunet-transport-wlan-receiver.c
src/transport/gnunet-transport-wlan-sender.c
+src/transport/gnunet-transport.c
src/transport/plugin_transport_http_client.c
src/transport/plugin_transport_http_common.c
src/transport/plugin_transport_http_server.c
src/transport/plugin_transport_smtp.c
src/transport/plugin_transport_tcp.c
src/transport/plugin_transport_template.c
-src/transport/plugin_transport_udp_broadcasting.c
src/transport/plugin_transport_udp.c
+src/transport/plugin_transport_udp_broadcasting.c
src/transport/plugin_transport_unix.c
src/transport/plugin_transport_wlan.c
src/transport/plugin_transport_xt.c
src/transport/tcp_server_legacy.c
src/transport/tcp_server_mst_legacy.c
src/transport/tcp_service_legacy.c
+src/transport/transport-testing-filenames.c
+src/transport/transport-testing-loggers.c
+src/transport/transport-testing-main.c
+src/transport/transport-testing-send.c
+src/transport/transport-testing.c
src/transport/transport_api2_address.c
src/transport/transport_api2_communication.c
src/transport/transport_api2_core.c
src/transport/transport_api_monitor_peers.c
src/transport/transport_api_monitor_plugins.c
src/transport/transport_api_offer_hello.c
-src/transport/transport-testing.c
-src/transport/transport-testing-filenames.c
-src/transport/transport-testing-loggers.c
-src/transport/transport-testing-main.c
-src/transport/transport-testing-send.c
src/util/bandwidth.c
src/util/benchmark.c
src/util/bio.c
src/util/container_bloomfilter.c
src/util/container_heap.c
src/util/container_meta_data.c
-src/util/container_multihashmap32.c
src/util/container_multihashmap.c
+src/util/container_multihashmap32.c
src/util/container_multipeermap.c
src/util/container_multishortmap.c
src/util/crypto_abe.c
src/util/dnsstub.c
src/util/getopt.c
src/util/getopt_helpers.c
-src/util/gnunet-config.c
src/util/gnunet-config-diff.c
+src/util/gnunet-config.c
src/util/gnunet-ecc.c
src/util/gnunet-helper-w32-console.c
src/util/gnunet-resolver.c
src/util/gnunet-scrypt.c
src/util/gnunet-service-resolver.c
-src/util/gnunet-timeout.c
src/util/gnunet-timeout-w32.c
+src/util/gnunet-timeout.c
src/util/gnunet-uri.c
src/util/helper.c
src/util/load.c
src/util/w32cat.c
src/util/win.c
src/util/winproc.c
-src/vpn/gnunet-helper-vpn.c
src/vpn/gnunet-helper-vpn-windows.c
+src/vpn/gnunet-helper-vpn.c
src/vpn/gnunet-service-vpn.c
src/vpn/gnunet-vpn.c
src/vpn/vpn_api.c
-src/zonemaster/gnunet-service-zonemaster.c
src/zonemaster/gnunet-service-zonemaster-monitor.c
+src/zonemaster/gnunet-service-zonemaster.c
src/fs/fs_api.h
src/include/compat.h
src/include/gnunet_common.h
projects / oweals / gnunet.git / commitdiff