From b57459d70dc56b7f0e5c50f86e33a1c40600f073 Mon Sep 17 00:00:00 2001 From: "Schanzenbach, Martin" Date: Sat, 23 Feb 2019 19:36:33 +0100 Subject: [PATCH] update reclaimID docs a bit --- doc/handbook/chapters/user.texi | 140 ++++++++------------------------ po/POTFILES.in | 114 +++++++++++++------------- 2 files changed, 92 insertions(+), 162 deletions(-) diff --git a/doc/handbook/chapters/user.texi b/doc/handbook/chapters/user.texi index 3f99be7a8..f6fb2424e 100644 --- a/doc/handbook/chapters/user.texi +++ b/doc/handbook/chapters/user.texi @@ -1991,7 +1991,7 @@ Like other IdPs, reclaimID features an (optional) OpenID-Connect 1.0-compliant p * Managing Attributes:: * Sharing Attributes with Third Parties:: * Revoking Authorizations of Third Parties:: -* Using the OpenID-Connect IdP:: +* OpenID Connect:: @end menu @node Managing Attributes 
@@ -2066,131 +2066,61 @@ Please note that if the third party has previously accessed the attribute, there As such, only access to updated data in the future can be revoked. This behaviour is _exactly the same_ as with other IdPs. -@node Using the OpenID-Connect IdP -@subsection Using the OpenID-Connect IdP +@node OpenID Connect +@subsection OpenID Connect -@menu -* Setting up reclaim.id:: -* For Users:: -* For Service Providers:: -@end menu +There is an OpenID Connect API for use with reclaimID. +However, its use is quite complicated to setup. +As a proof-of-concept, you can look at https://gitlab.com/reclaimid. - -@node Setting up reclaim.id -@subsubsection Setting up reclaim.id +In the PoC and by convention for reclaimID, the OpenID Connect Endpoints are +found at: @example -$ gnunet-identity -C id -$ openssl genrsa -des3 -passout pass:xxxx -out server.pass.key 2048 -$ openssl rsa -passin pass:xxxx -in server.pass.key -out /etc/reclaim/reclaim.id.key -$ rm server.pass.key -$ openssl req -new -key /etc/reclaim/reclaim.id.key -out server.csr \ - -subj "/CN=reclaim.id.local" -$ openssl x509 -req -days 365 -in server.csr -signkey /etc/reclaim/reclaim.id.key -out /etc/reclaim/reclaim.id.crt -$ openssl x509 -in /etc/reclaim/reclaim.id.crt -out /etc/reclaim/reclaim.id.der -outform DER -$ HEXCERT=`xxd -p /etc/reclaim/reclaim.id.der | tr -d '\n'` -$ BOXVALUE="6 443 52 3 0 0 $HEXCERT" -$ gnunet-namestore -z id -a -n reclaim -t A -V "127.0.0.1" -e 1d -p -$ gnunet-namestore -z id -a -n reclaim -t LEHO -V "reclaim.id.local" -e 1d -p -$ gnunet-namestore -z id -a -n reclaim -t BOX -V "$BOXVALUE" -e 1d -p +http://api.reclaim/openid/authorize +http://api.reclaim/openid/token +http://api.reclaim/openid/userinfo +http://api.reclaim/openid/login @end example -NGINX setup: -@example -server @{ - listen 443; - server_name reclaim.id.local; - ssl on; - ssl_certificate /etc/reclaim/reclaim.id.crt; - ssl_certificate_key /etc/reclaim/reclaim.id.key; - ssl_session_timeout 30m; - 
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; - ssl_session_cache shared:SSL:10m; - - location /api @{ - rewrite /api/(.*) /$1 break; - proxy_pass http://127.0.0.1:7776; - @} -@} -@end example - -This will expose the REST API of GNUnet at https://reclaim.id/api. - -@node For Users -@subsubsection For Users - -To use the OpenID Connect Identity Provider as an end user, you must first intall the User Interface from TODOINSERTURLHERE. - -Start the user interface using: +The token endpoint is protected using HTTP basic authentication. +You can authenticate using any username and the password configured under: @example -$ yarn run build --prod +$ gnunet-config -s reclaim-rest-plugin -o PSW @end example -Now setup a webserver to serve the compiled website under "dist/". - -Now we can add the user interfce to our NGINX configuraiton: +The authorize endpoint is protected using a Cookie which can be obtained through +a request against the login endpoint. +This flow is meant to be used in the context of the OpenID Connect authorization +flow to collect user consent interactively. +Without a Cookie, the authorize endpoint redirects to a URI configured under: @example -server @{ -... - location / @{ - proxy_pass http://; - @} -@} +$ gnunet-config -s reclaim-rest-plugin -o ADDRESS @end example -You can thest your setup by accessing https://reclaim.id in your browser through the GNS proxy. - -@node For Service Providers -@subsubsection For Service Providers +Our PoC includes a user interface (https://gitlab.com/reclaimid) which +integrates this process is an OpenID Connect compatible fashion. -To setup an OpenID Connect client, it must first be registered. 
-In reclaim, client registration is done by creating a client identity and adding the redirect URI and client description into its namespace: - -@example -$ gnunet-identity -C -$ gnunet-namestore -z -a -n "+" -t RECLAIM_OIDC_REDIRECT -V -e 1d -p -$ gnunet-namestore -z -a -n "+" -t RECLAIM_OIDC_CLIENT -V "My OIDC Client" -e 1d -p -@end example +The token endpoint is protected using OAuth2 and expects the grant +which is retrieved from the authorization endpoint according to the standard. -You can now use the OpenID Connect REST endpoints exposed by reclaim. - -To request authorization from a user, your webapplication should initiate the OpenID Connect Authorization Flow like this: -@example -$ https://reclaim.id/openid/authorize?redirect_uri=&client_id=&response_type=code&nonce=1234&scope=attribute1 attribute2 ... -@end example - -You should choose a random number for the nonce parameter. The RP_KEY is the public key corresponding to the identity. - -The redirect URI is the URI that you expect the user to return to within the OpenID Connect authorization code flow. - -When the user returns to your redirect URI, you can exchange it for an access token at the OpenID Token endpoint. -The authentication at the token endpoint is performed using the configured password (PSW) in the reclaim configuration (reclaim.conf). To set it execute: - -@example -$ gnunet-config -s reclaim-rest-plugin -o PSW -V -@end example - -To retrieve the access token, you can access the token endpoint through the proxy like this: - -@example -$ curl --socks5-hostname 127.0.0.1:7777 \ - -X POST \ - https://reclaim.id/openid/token?grant_type=authorization_code&redirect_uri=&code= \ - -u : -@end example +The userinfo endpoint is protected using OAuth2 and expects a bearer access +token which is retrieved from a token request. -If successful, this will return a JSON object containing an ID Token and Access Token. 
-The Access Token can be used to access the OpenID Connect userinfo endpoint: +In order to create and register a client you need to execute the following +steps: @example -$ curl --socks5-hostname 127.0.0.1:7777 \ - -X POST \ - https://reclaim.id/openid/userinfo\ - -H 'Authorization: Bearer ' +$ gnunet-identity -C +$ gnunet-namestore -z -a -n "@@" -t RECLAIM_OIDC_REDIRECT -V -e 1d -p +$ gnunet-namestore -z -a -n "@@" -t RECLAIM_OIDC_CLIENT -V "My OIDC Client" -e 1d -p @end example +The client_id will be the public key of the client. +As a redirect URI, you may use any globally unique DNS or GNS URI. +The client description will be displayed to the user on authorization. @node Using the Virtual Public Network diff --git a/po/POTFILES.in b/po/POTFILES.in index 0d4569514..09e4c533d 100644 --- a/po/POTFILES.in +++ b/po/POTFILES.in @@ -4,6 +4,14 @@ src/arm/arm_monitor_api.c src/arm/gnunet-arm.c src/arm/gnunet-service-arm.c src/arm/mockup-service.c +src/ats-tests/ats-testing-experiment.c +src/ats-tests/ats-testing-log.c +src/ats-tests/ats-testing-preferences.c +src/ats-tests/ats-testing-traffic.c +src/ats-tests/ats-testing.c +src/ats-tests/gnunet-ats-sim.c +src/ats-tests/gnunet-solver-eval.c +src/ats-tool/gnunet-ats.c src/ats/ats_api2_application.c src/ats/ats_api2_transport.c src/ats/ats_api_connectivity.c @@ -11,10 +19,10 @@ src/ats/ats_api_performance.c src/ats/ats_api_scanner.c src/ats/ats_api_scheduling.c src/ats/gnunet-ats-solver-eval.c -src/ats/gnunet-service-ats_addresses.c +src/ats/gnunet-service-ats-new.c src/ats/gnunet-service-ats.c +src/ats/gnunet-service-ats_addresses.c src/ats/gnunet-service-ats_connectivity.c -src/ats/gnunet-service-ats-new.c src/ats/gnunet-service-ats_normalization.c src/ats/gnunet-service-ats_performance.c src/ats/gnunet-service-ats_plugins.c 
@@ -26,14 +34,6 @@ src/ats/plugin_ats2_simple.c
 src/ats/plugin_ats_mlp.c
 src/ats/plugin_ats_proportional.c
 src/ats/plugin_ats_ril.c
-src/ats-tests/ats-testing.c
-src/ats-tests/ats-testing-experiment.c
-src/ats-tests/ats-testing-log.c
-src/ats-tests/ats-testing-preferences.c
-src/ats-tests/ats-testing-traffic.c
-src/ats-tests/gnunet-ats-sim.c
-src/ats-tests/gnunet-solver-eval.c
-src/ats-tool/gnunet-ats.c
 src/auction/gnunet-auction-create.c
 src/auction/gnunet-auction-info.c
 src/auction/gnunet-auction-join.c
@@ -50,8 +50,8 @@ src/cadet/cadet_api_list_peers.c
 src/cadet/cadet_api_list_tunnels.c
 src/cadet/cadet_test_lib.c
 src/cadet/desirability_table.c
-src/cadet/gnunet-cadet.c
 src/cadet/gnunet-cadet-profiler.c
+src/cadet/gnunet-cadet.c
 src/cadet/gnunet-service-cadet.c
 src/cadet/gnunet-service-cadet_channel.c
 src/cadet/gnunet-service-cadet_connection.c
@@ -67,15 +67,15 @@ src/consensus/gnunet-service-consensus.c
 src/consensus/plugin_block_consensus.c
 src/conversation/conversation_api.c
 src/conversation/conversation_api_call.c
-src/conversation/gnunet-conversation.c
 src/conversation/gnunet-conversation-test.c
-src/conversation/gnunet_gst.c
-src/conversation/gnunet_gst_test.c
-src/conversation/gnunet-helper-audio-playback.c
+src/conversation/gnunet-conversation.c
 src/conversation/gnunet-helper-audio-playback-gst.c
-src/conversation/gnunet-helper-audio-record.c
+src/conversation/gnunet-helper-audio-playback.c
 src/conversation/gnunet-helper-audio-record-gst.c
+src/conversation/gnunet-helper-audio-record.c
 src/conversation/gnunet-service-conversation.c
+src/conversation/gnunet_gst.c
+src/conversation/gnunet_gst_test.c
 src/conversation/microphone.c
 src/conversation/plugin_gnsrecord_conversation.c
 src/conversation/speaker.c
@@ -111,7 +111,6 @@ src/dht/dht_api.c
 src/dht/dht_test_lib.c
 src/dht/gnunet-dht-get.c
 src/dht/gnunet-dht-monitor.c
-src/dht/gnunet_dht_profiler.c
 src/dht/gnunet-dht-put.c
 src/dht/gnunet-service-dht.c
 src/dht/gnunet-service-dht_clients.c
@@ -120,6 +119,7 @@ src/dht/gnunet-service-dht_hello.c
 src/dht/gnunet-service-dht_neighbours.c
 src/dht/gnunet-service-dht_nse.c
 src/dht/gnunet-service-dht_routing.c
+src/dht/gnunet_dht_profiler.c
 src/dht/plugin_block_dht.c
 src/dns/dns_api.c
 src/dns/gnunet-dns-monitor.c
@@ -129,8 +129,8 @@ src/dns/gnunet-service-dns.c
 src/dns/gnunet-zonewalk.c
 src/dns/plugin_block_dns.c
 src/exit/gnunet-daemon-exit.c
-src/exit/gnunet-helper-exit.c
 src/exit/gnunet-helper-exit-windows.c
+src/exit/gnunet-helper-exit.c
 src/fragmentation/defragmentation.c
 src/fragmentation/fragmentation.c
 src/fs/fs_api.c
@@ -155,8 +155,8 @@ src/fs/gnunet-auto-share.c
 src/fs/gnunet-daemon-fsprofiler.c
 src/fs/gnunet-directory.c
 src/fs/gnunet-download.c
-src/fs/gnunet-fs.c
 src/fs/gnunet-fs-profiler.c
+src/fs/gnunet-fs.c
 src/fs/gnunet-helper-fs-publish.c
 src/fs/gnunet-publish.c
 src/fs/gnunet-search.c
@@ -176,10 +176,10 @@ src/gns/gns_tld_api.c
 src/gns/gnunet-bcd.c
 src/gns/gnunet-dns2gns.c
 src/gns/gnunet-gns-benchmark.c
-src/gns/gnunet-gns.c
 src/gns/gnunet-gns-helper-service-w32.c
 src/gns/gnunet-gns-import.c
 src/gns/gnunet-gns-proxy.c
+src/gns/gnunet-gns.c
 src/gns/gnunet-service-gns.c
 src/gns/gnunet-service-gns_interceptor.c
 src/gns/gnunet-service-gns_resolver.c
@@ -187,19 +187,19 @@ src/gns/nss/nss_gns.c
 src/gns/nss/nss_gns_query.c
 src/gns/plugin_block_gns.c
 src/gns/plugin_gnsrecord_gns.c
+src/gns/w32nsp-install.c
+src/gns/w32nsp-resolve.c
+src/gns/w32nsp-uninstall.c
+src/gns/w32nsp.c
 src/gnsrecord/gnsrecord.c
 src/gnsrecord/gnsrecord_crypto.c
 src/gnsrecord/gnsrecord_misc.c
 src/gnsrecord/gnsrecord_serialization.c
 src/gnsrecord/plugin_gnsrecord_dns.c
-src/gns/w32nsp.c
-src/gns/w32nsp-install.c
-src/gns/w32nsp-resolve.c
-src/gns/w32nsp-uninstall.c
 src/hello/address.c
 src/hello/gnunet-hello.c
-src/hello/hello.c
 src/hello/hello-ng.c
+src/hello/hello.c
 src/hostlist/gnunet-daemon-hostlist.c
 src/hostlist/gnunet-daemon-hostlist_client.c
 src/hostlist/gnunet-daemon-hostlist_server.c
@@ -222,8 +222,8 @@ src/namecache/namecache_api.c
 src/namecache/plugin_namecache_flat.c
 src/namecache/plugin_namecache_postgres.c
 src/namecache/plugin_namecache_sqlite.c
-src/namestore/gnunet-namestore.c
 src/namestore/gnunet-namestore-fcfsd.c
+src/namestore/gnunet-namestore.c
 src/namestore/gnunet-service-namestore.c
 src/namestore/gnunet-zoneimport.c
 src/namestore/namestore_api.c
@@ -238,10 +238,10 @@ src/nat-auto/gnunet-service-nat-auto.c
 src/nat-auto/gnunet-service-nat-auto_legacy.c
 src/nat-auto/nat_auto_api.c
 src/nat-auto/nat_auto_api_test.c
-src/nat/gnunet-helper-nat-client.c
 src/nat/gnunet-helper-nat-client-windows.c
-src/nat/gnunet-helper-nat-server.c
+src/nat/gnunet-helper-nat-client.c
 src/nat/gnunet-helper-nat-server-windows.c
+src/nat/gnunet-helper-nat-server.c
 src/nat/gnunet-nat.c
 src/nat/gnunet-service-nat.c
 src/nat/gnunet-service-nat_externalip.c
@@ -250,16 +250,16 @@ src/nat/gnunet-service-nat_mini.c
 src/nat/gnunet-service-nat_stun.c
 src/nat/nat_api.c
 src/nat/nat_api_stun.c
-src/nse/gnunet-nse.c
 src/nse/gnunet-nse-profiler.c
+src/nse/gnunet-nse.c
 src/nse/gnunet-service-nse.c
 src/nse/nse_api.c
 src/nt/nt.c
+src/peerinfo-tool/gnunet-peerinfo.c
+src/peerinfo-tool/gnunet-peerinfo_plugins.c
 src/peerinfo/gnunet-service-peerinfo.c
 src/peerinfo/peerinfo_api.c
 src/peerinfo/peerinfo_api_notify.c
-src/peerinfo-tool/gnunet-peerinfo.c
-src/peerinfo-tool/gnunet-peerinfo_plugins.c
 src/peerstore/gnunet-peerstore.c
 src/peerstore/gnunet-service-peerstore.c
 src/peerstore/peerstore_api.c
@@ -295,7 +295,6 @@ src/regex/regex_internal_dht.c
 src/regex/regex_test_graph.c
 src/regex/regex_test_lib.c
 src/regex/regex_test_random.c
-src/rest/gnunet-rest-server.c
 src/rest-plugins/json_reclaim.c
 src/rest-plugins/oidc_helper.c
 src/rest-plugins/plugin_rest_copying.c
@@ -306,27 +305,28 @@ src/rest-plugins/plugin_rest_namestore.c
 src/rest-plugins/plugin_rest_openid_connect.c
 src/rest-plugins/plugin_rest_peerinfo.c
 src/rest-plugins/plugin_rest_reclaim.c
+src/rest/gnunet-rest-server.c
 src/rest/rest.c
 src/revocation/gnunet-revocation.c
 src/revocation/gnunet-service-revocation.c
 src/revocation/plugin_block_revocation.c
 src/revocation/revocation_api.c
-src/rps/gnunet-rps.c
 src/rps/gnunet-rps-profiler.c
+src/rps/gnunet-rps.c
 src/rps/gnunet-service-rps.c
 src/rps/gnunet-service-rps_custommap.c
 src/rps/gnunet-service-rps_sampler.c
 src/rps/gnunet-service-rps_sampler_elem.c
 src/rps/gnunet-service-rps_view.c
-src/rps/rps_api.c
 src/rps/rps-sampler_client.c
 src/rps/rps-sampler_common.c
 src/rps/rps-test_util.c
+src/rps/rps_api.c
 src/scalarproduct/gnunet-scalarproduct.c
-src/scalarproduct/gnunet-service-scalarproduct_alice.c
-src/scalarproduct/gnunet-service-scalarproduct_bob.c
 src/scalarproduct/gnunet-service-scalarproduct-ecc_alice.c
 src/scalarproduct/gnunet-service-scalarproduct-ecc_bob.c
+src/scalarproduct/gnunet-service-scalarproduct_alice.c
+src/scalarproduct/gnunet-service-scalarproduct_bob.c
 src/scalarproduct/scalarproduct_api.c
 src/secretsharing/gnunet-secretsharing-profiler.c
 src/secretsharing/gnunet-service-secretsharing.c
@@ -352,15 +352,16 @@ src/statistics/gnunet-statistics.c
 src/statistics/statistics_api.c
 src/template/gnunet-service-template.c
 src/template/gnunet-template.c
+src/testbed-logger/gnunet-service-testbed-logger.c
+src/testbed-logger/testbed_logger_api.c
 src/testbed/generate-underlay-topology.c
 src/testbed/gnunet-daemon-latency-logger.c
 src/testbed/gnunet-daemon-testbed-blacklist.c
 src/testbed/gnunet-daemon-testbed-underlay.c
 src/testbed/gnunet-helper-testbed.c
-src/testbed/gnunet_mpi_test.c
 src/testbed/gnunet-service-test-barriers.c
-src/testbed/gnunet-service-testbed_barriers.c
 src/testbed/gnunet-service-testbed.c
+src/testbed/gnunet-service-testbed_barriers.c
 src/testbed/gnunet-service-testbed_cache.c
 src/testbed/gnunet-service-testbed_connectionpool.c
 src/testbed/gnunet-service-testbed_cpustatus.c
@@ -368,20 +369,19 @@ src/testbed/gnunet-service-testbed_links.c
 src/testbed/gnunet-service-testbed_meminfo.c
 src/testbed/gnunet-service-testbed_oc.c
 src/testbed/gnunet-service-testbed_peers.c
-src/testbed/gnunet_testbed_mpi_spawn.c
 src/testbed/gnunet-testbed-profiler.c
-src/testbed-logger/gnunet-service-testbed-logger.c
-src/testbed-logger/testbed_logger_api.c
-src/testbed/testbed_api_barriers.c
+src/testbed/gnunet_mpi_test.c
+src/testbed/gnunet_testbed_mpi_spawn.c
 src/testbed/testbed_api.c
+src/testbed/testbed_api_barriers.c
 src/testbed/testbed_api_hosts.c
 src/testbed/testbed_api_operations.c
 src/testbed/testbed_api_peers.c
 src/testbed/testbed_api_sd.c
 src/testbed/testbed_api_services.c
 src/testbed/testbed_api_statistics.c
-src/testbed/testbed_api_testbed.c
 src/testbed/testbed_api_test.c
+src/testbed/testbed_api_testbed.c
 src/testbed/testbed_api_topology.c
 src/testbed/testbed_api_underlay.c
 src/testing/gnunet-testing.c
@@ -393,29 +393,29 @@ src/transport/gnunet-communicator-tcp.c
 src/transport/gnunet-communicator-udp.c
 src/transport/gnunet-communicator-unix.c
 src/transport/gnunet-helper-transport-bluetooth.c
-src/transport/gnunet-helper-transport-wlan.c
 src/transport/gnunet-helper-transport-wlan-dummy.c
+src/transport/gnunet-helper-transport-wlan.c
 src/transport/gnunet-service-tng.c
-src/transport/gnunet-service-transport_ats.c
 src/transport/gnunet-service-transport.c
+src/transport/gnunet-service-transport_ats.c
 src/transport/gnunet-service-transport_hello.c
 src/transport/gnunet-service-transport_manipulation.c
 src/transport/gnunet-service-transport_neighbours.c
 src/transport/gnunet-service-transport_plugins.c
 src/transport/gnunet-service-transport_validation.c
-src/transport/gnunet-transport.c
 src/transport/gnunet-transport-certificate-creation.c
 src/transport/gnunet-transport-profiler.c
 src/transport/gnunet-transport-wlan-receiver.c
 src/transport/gnunet-transport-wlan-sender.c
+src/transport/gnunet-transport.c
 src/transport/plugin_transport_http_client.c
 src/transport/plugin_transport_http_common.c
 src/transport/plugin_transport_http_server.c
 src/transport/plugin_transport_smtp.c
 src/transport/plugin_transport_tcp.c
 src/transport/plugin_transport_template.c
-src/transport/plugin_transport_udp_broadcasting.c
 src/transport/plugin_transport_udp.c
+src/transport/plugin_transport_udp_broadcasting.c
 src/transport/plugin_transport_unix.c
 src/transport/plugin_transport_wlan.c
 src/transport/plugin_transport_xt.c
@@ -424,6 +424,11 @@ src/transport/tcp_connection_legacy.c
 src/transport/tcp_server_legacy.c
 src/transport/tcp_server_mst_legacy.c
 src/transport/tcp_service_legacy.c
+src/transport/transport-testing-filenames.c
+src/transport/transport-testing-loggers.c
+src/transport/transport-testing-main.c
+src/transport/transport-testing-send.c
+src/transport/transport-testing.c
 src/transport/transport_api2_address.c
 src/transport/transport_api2_communication.c
 src/transport/transport_api2_core.c
@@ -436,11 +441,6 @@ src/transport/transport_api_manipulation.c
 src/transport/transport_api_monitor_peers.c
 src/transport/transport_api_monitor_plugins.c
 src/transport/transport_api_offer_hello.c
-src/transport/transport-testing.c
-src/transport/transport-testing-filenames.c
-src/transport/transport-testing-loggers.c
-src/transport/transport-testing-main.c
-src/transport/transport-testing-send.c
 src/util/bandwidth.c
 src/util/benchmark.c
 src/util/bio.c
@@ -453,8 +453,8 @@ src/util/configuration_loader.c
 src/util/container_bloomfilter.c
 src/util/container_heap.c
 src/util/container_meta_data.c
-src/util/container_multihashmap32.c
 src/util/container_multihashmap.c
+src/util/container_multihashmap32.c
 src/util/container_multipeermap.c
 src/util/container_multishortmap.c
 src/util/crypto_abe.c
@@ -476,15 +476,15 @@ src/util/dnsparser.c
 src/util/dnsstub.c
 src/util/getopt.c
 src/util/getopt_helpers.c
-src/util/gnunet-config.c
 src/util/gnunet-config-diff.c
+src/util/gnunet-config.c
 src/util/gnunet-ecc.c
 src/util/gnunet-helper-w32-console.c
 src/util/gnunet-resolver.c
 src/util/gnunet-scrypt.c
 src/util/gnunet-service-resolver.c
-src/util/gnunet-timeout.c
 src/util/gnunet-timeout-w32.c
+src/util/gnunet-timeout.c
 src/util/gnunet-uri.c
 src/util/helper.c
 src/util/load.c
@@ -513,13 +513,13 @@ src/util/tun.c
 src/util/w32cat.c
 src/util/win.c
 src/util/winproc.c
-src/vpn/gnunet-helper-vpn.c
 src/vpn/gnunet-helper-vpn-windows.c
+src/vpn/gnunet-helper-vpn.c
 src/vpn/gnunet-service-vpn.c
 src/vpn/gnunet-vpn.c
 src/vpn/vpn_api.c
-src/zonemaster/gnunet-service-zonemaster.c
 src/zonemaster/gnunet-service-zonemaster-monitor.c
+src/zonemaster/gnunet-service-zonemaster.c
 src/fs/fs_api.h
 src/include/compat.h
 src/include/gnunet_common.h
-- 
2.25.1