On Thu, 04 Jun 2020 at 16:00:20, Frédéric Mangano-Tarumi wrote:
Developers can go to /sso/login to get redirected to the SSO. On successful login, the ID token is displayed. --- .gitlab-ci.yml | 3 ++- TESTING | 3 ++- aurweb/asgi.py | 13 +++++++++++++ aurweb/routers/__init__.py | 5 +++++ aurweb/routers/sso.py | 30 ++++++++++++++++++++++++++++++ aurweb/spawn.py | 3 +++ conf/config.defaults | 8 ++++++++ conf/config.dev | 9 +++++++++ 8 files changed, 72 insertions(+), 2 deletions(-) create mode 100644 aurweb/routers/__init__.py create mode 100644 aurweb/routers/sso.py [...] diff --git a/conf/config.dev b/conf/config.dev index d752f61f..27e981f8 100644 --- a/conf/config.dev +++ b/conf/config.dev @@ -20,6 +20,12 @@ aur_location = http://127.0.0.1:8080 disable_http_login = 0 enable-maintenance = 0
+; Single sign-on +[sso] +openid_configuration = http://127.0.0.1:8083/auth/realms/aurweb/.well-known/openid-configuration +client_id = aurweb +client_secret = + [php] ; Address PHP should bind when spawned in development mode by aurweb.spawn. bind_address = 127.0.0.1:8081 @@ -30,3 +36,6 @@ htmldir = YOUR_AUR_ROOT/web/html [fastapi] ; Address uvicorn should bind when spawned in development mode by aurweb.spawn. bind_address = 127.0.0.1:8082 + +; Passphrase FastAPI uses to sign client-side sessions. +session_secret = \u6975\u79d8\u3001\u8a33\u3059\u306a\uff01\u3042\u3001\u9045\u904e\u304e\u305f\u3002
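Review bot: In the conf/config.dev [sso] hunk, client_secret is added empty with no comment saying where the value comes from or what happens when it is left blank. A one-line comment would help (for example, that it is the secret the identity provider issues for client_id aurweb). If the /sso/login route does not already do so, it should fail with a clear configuration error when the value is unset, rather than starting a login flow that cannot complete.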
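Review bot: In the conf/config.dev [fastapi] hunk, the comment on session_secret does not say that the committed value is a development placeholder. The comment states that this passphrase signs client-side sessions, so a deployment that copies this file unchanged would sign sessions with a value published in the repository. Suggest extending the comment to say the value must be replaced with a randomly generated one outside development.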
Nit: Since this is not really a secret, can we just use a plain text value (e.g. "secret") here? I know we had a similar discussion before, but I don't like the idea of having binary data in text configuration files since it might cause all sorts of issues with different tools (and even if that means the tools are bad, it's better to avoid it altogether).