SSO Portal based on oauth2 id protocol
Before proceeding with Oauth2id installation, ensure you meet the following prerequisites:
- A server with Docker installed: Oauth2id is designed to be self-hosted with Docker.
- Rails master key, which is used to decrypt the credentials file. If you don't have one, ask for it from the project maintainer.
To set up Oauth2id using docker run
, execute the following one command to start Oauth2id:
-
Select a suitable directory as your application directory, and create a directory to store the Oauth2id database file:
mkdir -p /opt/oauth2id/storage
This step makes sure that storage directory is created and owned by the current user.
-
Run the following command to start Oauth2id:
cd /opt/oauth2id docker run -p 3000:3000 -d --restart always --name oauth2id --env RAILS_MASTER_KEY=YourMasterKey -v ./storage:/rails/storage ericguo/oauth2id:main
This command starts Oauth2id in the background, and exposes the Oauth2id web interface on port 3000. The
--env RAILS_MASTER_KEY=YourMasterKey
option is used to pass the Rails master key to the container. The-v ./storage:/rails/storage
option is used to mount the storage directory on the host to the container. This is necessary to persist the Oauth2id database file.
cp config/database.yml.sample config/database.yml
# or ask for master.key
rm config/credentials.yml.enc
export EDITOR=vim
# paste credentials.yml.sample or skip
bin/rails credentials:edit
bin/rails test:all
docker build --tag ericguo/oauth2id:main .
# or `docker pull ericguo/oauth2id:main` to using existing images
docker run -p 3000:3000 -d --restart always --name oauth2id --env RAILS_MASTER_KEY=YourMasterKey -v ./storage:/rails/storage ericguo/oauth2id:main
# If can not start in above, do the debug.
docker run --env RAILS_MASTER_KEY=YourMasterKey -v ./storage:/rails/storage -it ericguo/oauth2id:main bash
# After success, push manually.
docker push ericguo/oauth2id:main
Setup the puma-dev to support https in local.
brew install puma/puma/puma-dev
sudo puma-dev -setup
puma-dev -install
cd ~/.puma-dev
ln -s /Users/<username>/git/oauth2id oauth2id
Then visit the https://oauth2id.test
and accept the invalid https certificate, for higher version MacOS, need opening Keychain Access and moving the Puma-dev CA certificate into the System column under keychains then restarting the browser, it's a known issue
In order to make sure Faraday running in local also works well in https, we also need to add Puma-dev CA in OpenSSL library trust list as well, the OpenSSL CA is by default at /usr/local/etc/openssl/cert.pem
, since we already have valid MacOS Pumda-dev CA in system, we can use openssl-osx-ca to regenerate the cert.pem
file so just installs and regenerate cert.pem
file.
In order to make httpclient also works well in https, need copy generated cert.pem to httpclient folder. There is two pem
files in httpclient currently, but Puma-dev CA is 1024, so safe to overwrite.
# or /usr/local/etc/openssl@1.1/cert.pem depend on versions
cp /usr/local/etc/openssl/cert.pem /usr/local/lib/ruby/gems/3.0.0/gems/httpclient-2.8.3/lib/httpclient/cacert.pem
For Monterey running Apple Silicon on Ruby 3.2
cp /opt/homebrew/etc/openssl\@1.1/cert.pem /opt/homebrew/lib/ruby/gems/3.2.0/gems/httpclient-2.8.3/lib/httpclient/cacert.pem
cp /opt/homebrew/etc/openssl\@1.1/cert.pem /opt/homebrew/etc/ca-certificates/cert.pem
Oauth2id using vali-admin UI v2.4.1 which based on the Bootstrap 4 and support IE 11.
Please visit UI document via:
cd node_modules/vali-admin/docs/
thin -A file -c . -p 3001 start
open http://localhost:3001/index.html
Just following doorkeeper-openid_connect gem readme:
openssl genpkey -algorithm RSA -out oauth2id_oidc_private_key.pem -pkeyopt rsa_keygen_bits:2048
openssl rsa -pubout -in oauth2id_oidc_private_key.pem -out oauth2id_oidc_public_key.pem
Notice replace oauth2id with your new site name, notice you can get public key from /oauth/discovery/keys as well.
Also make sure the scope setting at least contain openid
as it's the spec requirement. (Oauth2 can leave scope blank.)
openssl req -x509 -sha256 -nodes -days 3650 -newkey rsa:2048 -keyout oauth2id_saml_key.key -out oauth2id_saml_cert.crt
# Show SHA1 Fingerprint
openssl x509 -in oauth2id_saml_cert.crt -noout -sha256 -fingerprint
openssl genpkey -algorithm RSA -out oauth2id_jwt_private_key.pem -pkeyopt rsa_keygen_bits:2048
openssl rsa -pubout -in oauth2id_jwt_private_key.pem -out oauth2id_jwt_public_key.pem
bin/setup
Get db_converter.py from below:
https://github.com/bhmj/mysql-postgresql-converter
mysqldump --set-gtid-purged=OFF --no-tablespaces --compatible=postgresql --default-character-set=utf8 -r databasename.mysql -u thape_sso_prod thape_sso_prod -p
python ./mysql-postgresql-converter/db_converter.py databasename.mysql databasename.psql
zip -9 databasename.zip databasename.psql
Copy the databasename.psql and import via below.
psql -d postgres
DROP DATABASE thape_sso_dev;
CREATE DATABASE thape_sso_dev WITH ENCODING='UTF8' OWNER='guochunzhong';
\q
psql -d thape_sso_dev -f databasename.psql
May replace ' datetime(6) ' with ' timestamp(6) without time zone '.
Need running below to make production sign-in success.
u=User.find 4431 # it's me
u.confirm