[GNUnet-SVN] [gnunet] branch master updated: update docs for reclaim
From: gnunet
Subject: [GNUnet-SVN] [gnunet] branch master updated: update docs for reclaim
Date: Sat, 08 Sep 2018 09:11:47 +0200
This is an automated email from the git hooks/post-receive script.
martin-schanzenbach pushed a commit to branch master
in repository gnunet.
The following commit(s) were added to refs/heads/master by this push:
new 965845e9c update docs for reclaim
965845e9c is described below
commit 965845e9c3612f40c4761d843f807f613fd635e9
Author: Schanzenbach, Martin <address@hidden>
AuthorDate: Sat Sep 8 09:11:44 2018 +0200
update docs for reclaim
---
doc/documentation/chapters/user.texi | 119 ++++++++++++++++++++++++++++++++++-
1 file changed, 117 insertions(+), 2 deletions(-)
diff --git a/doc/documentation/chapters/user.texi
b/doc/documentation/chapters/user.texi
index 50b795197..9a5c41d34 100644
--- a/doc/documentation/chapters/user.texi
+++ b/doc/documentation/chapters/user.texi
@@ -1972,7 +1972,7 @@ $ gnunet-reclaim -e "friend" -T (TODO there is only a
REST API for this ATM)
If you want to revoke the access of a third party to your attributes you can
execute:
@example
-$ gnunet-idp -e "username" -R "ticket"
+$ gnunet-reclaim -e "username" -R "ticket"
@end example
This will prevent the third party from accessing the attribute in the future.
@@ -1983,7 +1983,122 @@ This behaviour is _exactly the same_ as with other IdPs.
@node Using the OpenID-Connect IdP
@subsection Using the OpenID-Connect IdP
-TODO: Document setup and REST endpoints
address@hidden Preliminaries
address@hidden Preliminaries
+
address@hidden
+$ gnunet-identity -C id
+$ openssl genrsa -des3 -passout pass:xxxx -out server.pass.key 2048
+$ openssl rsa -passin pass:xxxx -in server.pass.key -out
/etc/reclaim/reclaim.id.key
+$ rm server.pass.key
+$ openssl req -new -key /etc/reclaim/reclaim.id.key -out server.csr \
+ -subj "/CN=reclaim.id.local"
+$ openssl x509 -req -days 365 -in server.csr -signkey
/etc/reclaim/reclaim.id.key -out /etc/reclaim/reclaim.id.crt
+$ openssl x509 -in /etc/reclaim/reclaim.id.crt -out
/etc/reclaim/reclaim.id.der -outform DER
+$ HEXCERT=`xxd -p /etc/reclaim/reclaim.id.der | tr -d '\n'`
+$ BOXVALUE="6 443 52 3 0 0 $HEXCERT"
+$ gnunet-namestore -z id -a -n reclaim -t A -V "127.0.0.1" -e 1d -p
+$ gnunet-namestore -z id -a -n reclaim -t LEHO -V "reclaim.id.local" -e 1d -p
+$ gnunet-namestore -z id -a -n reclaim -t BOX -V "$BOXVALUE" -e 1d -p
address@hidden example
+
+NGINX setup:
address@hidden
+server {
+ listen 443;
+ server_name reclaim.id.local;
+ ssl on;
+ ssl_certificate /etc/reclaim/reclaim.id.crt;
+ ssl_certificate_key /etc/reclaim/reclaim.id.key;
+ ssl_session_timeout 30m;
+ ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ ssl_session_cache shared:SSL:10m;
+
+ location /api {
+ rewrite /api/(.*) /$1 break;
+ proxy_pass http://127.0.0.1:7776;
+ }
+}
address@hidden example
+
+This will expose the REST API of GNUnet at https://reclaim.id/api.
+
address@hidden For Users
address@hidden For Users
+
+To use the OpenID Connect Identity Provider as an end user, you must first
intall the User Interface from TODOINSERTURLHERE.
+
+Start the user interface using:
+
address@hidden
+$ yarn run build --prod
address@hidden example
+
+Now setup a webserver to serve the compiled website under "dist/".
+
+Now we can add the user interfce to our NGINX configuraiton:
+
address@hidden
+server {
+...
+ location / {
+ proxy_pass http://<whereever you serve the UI>;
+ }
+}
address@hidden example
+
+You can thest your setup by accessing https://reclaim.id in your browser
through the GNS proxy.
+
address@hidden For Service Providers
address@hidden For Service Providers
+
+To setup an OpenID Connect client, it must first be registered.
+In reclaim, client registration is done by creating a client identity and
adding the redirect URI and client description into its namespace:
+
address@hidden
+$ gnunet-identity -C <rp_name>
+$ gnunet-namestore -z <rp_name> -a -n "+" -t RECLAIM_OIDC_REDIRECT -V
<redirect_uri> -e 1d -p
+$ gnunet-namestore -z <rp_name> -a -n "+" -t RECLAIM_OIDC_CLIENT -V "My OIDC
Client" -e 1d -p
address@hidden example
+
+You can now use the OpenID Connect REST endpoints exposed by reclaim.
+
+To request authorization from a user, your webapplication should initiate the
OpenID Connect Authorization Flow like this:
address@hidden
+$
https://reclaim.id/openid/authorize?redirect_uri=<redirect_uri>&client_id=<RP_PKEY>&response_type=code&nonce=1234&scope=attribute1
attribute2 ...
address@hidden example
+
+You should choose a random number for the nonce parameter. The RP_KEY is the
public key corresponding to the <rp_name> identity.
+
+The redirect URI is the URI that you expect the user to return to within the
OpenID Connect authorization code flow.
+
+When the user returns to your redirect URI, you can exchange it for an access
token at the OpenID Token endpoint.
+The authentication at the token endpoint is performed using the configured
password (PSW) in the reclaim configuration (reclaim.conf). To set it execute:
+
address@hidden
+$ gnunet-config -s reclaim-rest-plugin -o PSW -V <secret>
address@hidden example
+
+To retrieve the access token, you can access the token endpoint through the
proxy like this:
+
address@hidden
+$ curl --socks5-hostname 127.0.0.1:7777 \
+ -X POST \
+
https://reclaim.id/openid/token?grant_type=authorization_code&redirect_uri=<redirect_uri>&code=<code>
\
+ -u <RP_KEY>:<secret>
address@hidden example
+
+If successful, this will return a JSON object containing an ID Token and
Access Token.
+The Access Token can be used to access the OpenID Connect userinfo endpoint:
+
address@hidden
+$ curl --socks5-hostname 127.0.0.1:7777 \
+ -X POST \
+ https://reclaim.id/openid/userinfo\
+ -H 'Authorization: Bearer <access_token>'
address@hidden example
+
+
@node Using the Virtual Public Network
@section Using the Virtual Public Network
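Review bot: the NGINX example in the Preliminaries block enables obsolete protocol versions with `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` and uses the deprecated `ssl on;` directive; since this is the TLS front door for the token and userinfo endpoints, the documented configuration should be `listen 443 ssl;` with `ssl_protocols TLSv1.2;` (adding TLSv1.3 where the NGINX build supports it). A few smaller points in the same hunk: the key-generation steps create a passphrase-protected key with `openssl genrsa -des3 -passout pass:xxxx` only to strip the passphrase on the next line, so a plain `openssl genrsa -out /etc/reclaim/reclaim.id.key 2048` would be simpler and avoids leaving a hard-coded passphrase in the docs; the authorize example uses `client_id=<RP_PKEY>` while the following paragraph and the token example refer to `RP_KEY`, so one name should be used throughout; the sentence on the token endpoint should say whether the `PSW` value set with `gnunet-config -s reclaim-rest-plugin -o PSW` is one shared secret for every relying party or can be set per client, since the `-u <RP_KEY>:<secret>` example suggests the latter; and the "For Users" subsection still contains the `TODOINSERTURLHERE` placeholder plus the typos "intall", "interfce", "configuraiton" and "thest", which should be resolved before the docs ship.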