
Parkour-Vienna/distrust


distrust


Use discourse as an OIDC (OAuth 2.0) provider.

Installation

To run distrust, copy the distrust.example.yml file to distrust.yml and customize it to your liking. Afterwards, run the binary or container image.

./distrust

You can also use a container engine such as podman or docker to run distrust:

podman run -d \
  --name distrust \
  -v $PWD/distrust.yml:/distrust.yml:Z \
  -p 3000:3000 \
  ghcr.io/parkour-vienna/distrust:$VERSION

Configuration

Configuring Discourse

To start using discourse as an OIDC provider, you need to configure your discourse instance. The following site settings need to be set:

  • enable discourse connect provider
  • discourse connect provider secrets - here, add the domain of the distrust server and choose a secure secret

The same server address and secret must then be entered in the distrust.yml file:

discourse:
  server: https://your-discourse-installation.org
  secret: <your-chosen-secret>
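For context on what this shared secret protects, here is an added Go example (not distrust's own code) of the DiscourseConnect exchange that distrust performs with it: the login request is a base64 payload signed with HMAC-SHA256 under the secret, and the payload Discourse redirects back is verified the same way and checked against the issued nonce before any user field is trusted. The secret value, the return URL and the simulateDiscourse stand-in are constructed for this example.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"errors"
	"fmt"
	"net/url"
)

// Shared secret: the value entered under "discourse connect provider secrets"
// in Discourse and as discourse.secret in distrust.yml (constructed sample).
const sharedSecret = "constructed-example-secret-not-for-production"

// sign returns the hex HMAC-SHA256 over the base64 payload; this is the
// signature DiscourseConnect carries in the sig parameter in both directions.
func sign(payload, secret string) string {
	mac := hmac.New(sha256.New, []byte(secret))
	mac.Write([]byte(payload))
	return hex.EncodeToString(mac.Sum(nil))
}

// BuildLoginRequest produces the sso and sig parameters that send the browser
// to Discourse, plus the nonce that must be remembered to check the reply.
func BuildLoginRequest(returnURL, secret string) (sso, sig, nonce string, err error) {
	raw := make([]byte, 16)
	if _, err = rand.Read(raw); err != nil {
		return "", "", "", err
	}
	nonce = hex.EncodeToString(raw)
	q := url.Values{}
	q.Set("nonce", nonce)
	q.Set("return_sso_url", returnURL)
	sso = base64.StdEncoding.EncodeToString([]byte(q.Encode()))
	return sso, sign(sso, secret), nonce, nil
}

// VerifyResponse checks the signature on the payload Discourse redirected back
// and that it carries the nonce we issued, before any user field is trusted.
func VerifyResponse(sso, sig, expectedNonce, secret string) (url.Values, error) {
	if !hmac.Equal([]byte(sign(sso, secret)), []byte(sig)) {
		return nil, errors.New("bad signature on DiscourseConnect payload")
	}
	decoded, err := base64.StdEncoding.DecodeString(sso)
	if err != nil {
		return nil, err
	}
	vals, err := url.ParseQuery(string(decoded))
	if err != nil {
		return nil, err
	}
	if vals.Get("nonce") != expectedNonce {
		return nil, errors.New("nonce mismatch: replayed or foreign response")
	}
	return vals, nil
}

// simulateDiscourse is a constructed stand-in for the Discourse server: it
// echoes the nonce and adds the user fields a real instance would return.
func simulateDiscourse(nonce, secret string) (sso, sig string) {
	q := url.Values{}
	q.Set("nonce", nonce)
	q.Set("external_id", "42")
	q.Set("username", "alice")
	q.Set("groups", "trainers,staff") // Discourse sends group names comma-separated
	sso = base64.StdEncoding.EncodeToString([]byte(q.Encode()))
	return sso, sign(sso, secret)
}

func main() {
	sso, sig, nonce, err := BuildLoginRequest("https://distrust.example.org/callback", sharedSecret)
	if err != nil {
		panic(err)
	}
	fmt.Printf("redirect to discourse: /session/sso_provider?sso=%s&sig=%s\n", url.QueryEscape(sso), sig)
	rsso, rsig := simulateDiscourse(nonce, sharedSecret)
	vals, err := VerifyResponse(rsso, rsig, nonce, sharedSecret)
	if err != nil {
		panic(err)
	}
	fmt.Println("logged in:", vals.Get("username"), "groups:", vals.Get("groups"))
}
```

The comparison uses hmac.Equal rather than == so that signature checking does not leak timing information, and the nonce check is what stops a captured response from being replayed against a different login attempt.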

Configuring the OIDC provider

The OIDC provider is based on ory/fosite and needs two configuration values to work. The first is a secret that must be exactly 32 bytes long (bytes, not characters). The second is the private key used to sign the tokens.

If you need a fresh RSA private key, you can run distrust genkey to generate one.

Both values can be left empty, but then all issued tokens become invalid whenever the server restarts.

oidc:
  secret: 'some-exactly-32-byte-long-secret'
  privateKey: |
    -----BEGIN RSA PRIVATE KEY-----
    ....
    -----END RSA PRIVATE KEY-----
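Added example (not the project's genkey implementation) of the two checks a deployment should pass before start-up, written in Go: a secret generator that yields exactly 32 bytes, a key generator producing the PKCS#1 "RSA PRIVATE KEY" PEM form shown above, and a validator that rejects a secret of the wrong byte length or an unparsable key. The function names are this example's own. Note that Go's len counts bytes, so a 32-character secret containing non-ASCII characters fails the check, which is exactly the trap the byte-length requirement sets.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
	"strings"
)

const secretLen = 32

// 64 single-byte symbols: a random byte mod 64 is uniform, and 32 symbols
// are exactly 32 bytes (Go's len counts bytes, which is what distrust needs).
const secretAlphabet = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_"

// GenerateSecret returns a random secret that is exactly 32 bytes long.
func GenerateSecret() (string, error) {
	raw := make([]byte, secretLen)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	out := make([]byte, secretLen)
	for i, b := range raw {
		out[i] = secretAlphabet[int(b)%len(secretAlphabet)]
	}
	return string(out), nil
}

// GenerateKeyPEM returns a fresh RSA private key in the PKCS#1
// "RSA PRIVATE KEY" PEM form used in the config excerpt.
func GenerateKeyPEM(bits int) (string, error) {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return "", err
	}
	block := &pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(key)}
	return string(pem.EncodeToMemory(block)), nil
}

// ValidateOIDCConfig applies the constraints from the section above: the
// secret must be exactly 32 bytes and the key must be a parsable PKCS#1 key.
func ValidateOIDCConfig(secret, privateKeyPEM string) (*rsa.PrivateKey, error) {
	if n := len(secret); n != secretLen {
		return nil, fmt.Errorf("oidc.secret must be exactly %d bytes, got %d", secretLen, n)
	}
	block, _ := pem.Decode([]byte(privateKeyPEM))
	if block == nil {
		return nil, errors.New("oidc.privateKey: no PEM block found")
	}
	if block.Type != "RSA PRIVATE KEY" {
		return nil, fmt.Errorf("oidc.privateKey: expected RSA PRIVATE KEY, got %q", block.Type)
	}
	key, err := x509.ParsePKCS1PrivateKey(block.Bytes)
	if err != nil {
		return nil, fmt.Errorf("oidc.privateKey: %w", err)
	}
	if err := key.Validate(); err != nil {
		return nil, fmt.Errorf("oidc.privateKey: %w", err)
	}
	return key, nil
}

// main prints a ready-to-paste oidc: section for distrust.yml.
func main() {
	secret, err := GenerateSecret()
	if err != nil {
		panic(err)
	}
	keyPEM, err := GenerateKeyPEM(2048)
	if err != nil {
		panic(err)
	}
	if _, err := ValidateOIDCConfig(secret, keyPEM); err != nil {
		panic(err)
	}
	indented := strings.ReplaceAll(strings.TrimRight(keyPEM, "\n"), "\n", "\n    ")
	fmt.Printf("oidc:\n  secret: '%s'\n  privateKey: |\n    %s\n", secret, indented)
}
```

Running the program prints an oidc: block with the PEM indented under the YAML block scalar, matching the layout of the excerpt above.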

Configuring Clients

The last step is the configuration of clients. Each client needs a name, a client secret and the list of allowed redirect URIs.

At this point, redirect URIs do not support wildcards; each one must be listed in full.

The following example configures a client called test with the secret foobar, which is authorized to redirect to the OpenID Connect test page:

clients:
  test:
    secret: foobar
    redirectURIs:
      - 'https://openidconnect.net/callback'

If you do not want to store the secret in plaintext, you can instead provide it as an already hashed bcrypt value.

Group ACLs

If a client should only be available to members of certain groups, populate the allowGroups or denyGroups fields in that client's config. These allow or deny access per client.
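Added Go example of how such an ACL can be evaluated against the groups list that Discourse returns for a user; this is not distrust's own code. The README does not spell out the precedence between the two fields, so this example assumes that a denyGroups match always wins and that an empty allowGroups admits everyone who is not denied. Check the distrust source for the actual rule before relying on either.

```go
package main

import "strings"

// ClientACL mirrors the allowGroups and denyGroups fields of one client entry.
type ClientACL struct {
	AllowGroups []string
	DenyGroups  []string
}

// ParseGroups splits the comma-separated groups field that DiscourseConnect
// returns, dropping surrounding whitespace and empty entries.
func ParseGroups(s string) []string {
	var out []string
	for _, g := range strings.Split(s, ",") {
		if g = strings.TrimSpace(g); g != "" {
			out = append(out, g)
		}
	}
	return out
}

// Allowed decides whether a user with these groups may use the client.
// Assumed semantics (not stated in the README): a denyGroups match wins, an
// empty allowGroups means everyone not denied, and otherwise the user needs
// at least one of the listed allowGroups.
func (a ClientACL) Allowed(userGroups []string) bool {
	member := make(map[string]bool, len(userGroups))
	for _, g := range userGroups {
		member[g] = true
	}
	for _, g := range a.DenyGroups {
		if member[g] {
			return false
		}
	}
	if len(a.AllowGroups) == 0 {
		return true
	}
	for _, g := range a.AllowGroups {
		if member[g] {
			return true
		}
	}
	return false
}
```

Evaluating deny before allow means a user who is in both a listed allow group and a listed deny group is refused, which is the safer default when the two lists overlap.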

Usage by Clients

Distrust is based on ory/fosite, so you can refer to that project's documentation for how to interact with the OpenID Connect provider.

The two endpoints the client will interact with are:

  • The authorization endpoint
    • https://example.com/oauth2/auth
  • The token endpoint
    • https://example.com/oauth2/token
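Added example of a relying party talking to those two endpoints, in Go with the standard library only (this is not fosite's client code). It builds the authorization URL with a random state and a PKCE S256 challenge, validates the callback, and exchanges the code at the token endpoint with the client secret sent as HTTP Basic auth. The client id test, the secret foobar and the redirect URI reuse the client configured above; the function names and the example.com host are assumptions of this example.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"net/http"
	"net/url"
	"strings"
)

// Endpoints as listed above; example.com stands for the host distrust runs on.
const (
	authEndpoint  = "https://example.com/oauth2/auth"
	tokenEndpoint = "https://example.com/oauth2/token"
)

// PendingLogin is what the client keeps per session between the redirect to
// the authorization endpoint and the callback.
type PendingLogin struct{ State, Verifier string }

type TokenResponse struct {
	AccessToken string `json:"access_token"`
	IDToken     string `json:"id_token"`
}

// randomURLSafe returns n random bytes, base64url-encoded without padding.
func randomURLSafe(n int) string {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // crypto/rand failing is not recoverable
	}
	return base64.RawURLEncoding.EncodeToString(b)
}

// BuildAuthorizationURL creates the URL the user's browser is sent to, with a
// fresh state (binds the callback to this session) and a PKCE S256 challenge.
func BuildAuthorizationURL(clientID, redirectURI string, scopes []string) (string, *PendingLogin) {
	state, verifier := randomURLSafe(16), randomURLSafe(32)
	sum := sha256.Sum256([]byte(verifier))
	q := url.Values{}
	q.Set("response_type", "code")
	q.Set("client_id", clientID)
	q.Set("redirect_uri", redirectURI) // must be listed verbatim under redirectURIs (no wildcards)
	q.Set("scope", strings.Join(scopes, " "))
	q.Set("state", state)
	q.Set("code_challenge", base64.RawURLEncoding.EncodeToString(sum[:]))
	q.Set("code_challenge_method", "S256")
	return authEndpoint + "?" + q.Encode(), &PendingLogin{State: state, Verifier: verifier}
}

// HandleCallback checks the redirect back from distrust: the state must be
// the one we issued, and an error response must not be mistaken for success.
func HandleCallback(callbackURL string, pending *PendingLogin) (string, error) {
	u, err := url.Parse(callbackURL)
	if err != nil {
		return "", err
	}
	q := u.Query()
	if e := q.Get("error"); e != "" {
		return "", errors.New("authorization failed: " + e)
	}
	if q.Get("state") != pending.State {
		return "", errors.New("state mismatch: not the login we started")
	}
	if code := q.Get("code"); code != "" {
		return code, nil
	}
	return "", errors.New("callback without authorization code")
}

// ExchangeCode posts the code to the token endpoint. The client secret goes
// in HTTP Basic auth, the PKCE verifier in the form body.
func ExchangeCode(client *http.Client, endpoint, clientID, clientSecret, code, redirectURI string, pending *PendingLogin) (*TokenResponse, error) {
	form := url.Values{}
	form.Set("grant_type", "authorization_code")
	form.Set("code", code)
	form.Set("redirect_uri", redirectURI)
	form.Set("code_verifier", pending.Verifier)
	req, err := http.NewRequest(http.MethodPost, endpoint, strings.NewReader(form.Encode()))
	if err != nil {
		return nil, err
	}
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	req.SetBasicAuth(clientID, clientSecret)
	resp, err := client.Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, errors.New("token endpoint returned HTTP " + resp.Status)
	}
	var tok TokenResponse
	if err := json.NewDecoder(resp.Body).Decode(&tok); err != nil {
		return nil, err
	}
	return &tok, nil
}
```

In a real relying party the PendingLogin goes into the user's session store keyed by the session cookie, and the id_token returned from the token endpoint still needs its signature and claims verified against the provider's signing key before the login is accepted.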