diff options
Diffstat (limited to 'doc/disfluid.texi')
-rw-r--r-- | doc/disfluid.texi | 314 |
1 files changed, 71 insertions, 243 deletions
diff --git a/doc/disfluid.texi b/doc/disfluid.texi index 7e47022..3e6c91c 100644 --- a/doc/disfluid.texi +++ b/doc/disfluid.texi @@ -74,8 +74,7 @@ A PDF version of this manual is available at * The HTTP Link header:: * Content negociation:: * Server endpoints:: -* Running an Identity Provider:: -* Running a Resource Server:: +* Resources stored on the server:: * Running a client:: * Serialization to (S)XML:: * Exceptional conditions:: @@ -127,31 +126,12 @@ web browser. @node Invoking disfluid @chapter Invoking disfluid -The @samp{disfluid} program provides different modes of operations: - -@table @samp -@item reverse-proxy -Run an authenticating reverse proxy. With this command, you specify a -backend server. When an authenticated user makes a request, you -receive an additional header containing the user’s identity. -@item identity-provider -Run the identity provider only. -@item client-service -The client applications must serve some resources: namely, the client -manifest and the redirect URI. -@item server -Run both an identity provider and a resource server. -@end table - -The server is configured with command-line arguments, and environment -variables. +The @samp{disfluid} program runs a server, if the user specifies a +configuration file, or the graphical browser otherwise. @menu * General options:: -* General server configuration:: -* Configuration for the resource server:: -* Configuration for the identity provider:: -* Configuration for the client service:: +* Running a server:: @end menu @node General options @@ -164,22 +144,23 @@ administrator. You can control it with the @samp{LANG} environment variable. So if your locale is not English, you can have the same commands as in this manual by running with @code{LANG=C}. -The programs respect the @samp{XDG_DATA_HOME} and -@samp{XDG_CACHE_HOME} to store persistent data and disposable -data. The cache directory can be deleted at any time. If one of these -variables is not set, its value is computed from the @samp{HOME} -environment variable. - -@node General server configuration -@section General server configuration -All servers are published under the Affero GPL, which means that the -service provider needs to publish all changes made to the program to -users over the network. The @samp{disfluid} command provides a +The programs respect the @samp{XDG_DATA_HOME} (if not overriden by the +server configuration) and @samp{XDG_CACHE_HOME} to store persistent +data and disposable data. The cache directory can be deleted at any +time. If one of these variables is not set, its value is computed from +the @samp{HOME} environment variable. + +@node Running a server +@section Running a server +The disfluid code is published under the Affero GPL, which means that +the service provider needs to publish all changes made to the program +to users over the network. The @samp{disfluid} command provides a @samp{--complete-corresponding-source} option so that the system administrator can specify a means to download the source. The servers will add a @samp{Source:} header in each response, -containing the value of this configuration option. +containing the value of this configuration option. It can be, for +instance, an URI where to download the modified source code. The servers can be configured to redirect output and errors to a log file and an error file, with the @samp{--log-file} and @@ -190,8 +171,55 @@ configured with @samp{--port}. Since the servers do not support TLS, and they only support HTTP/1.1, they are intended to run behind a reverse proxy (even for the authenticating reverse proxy). -Finally, the servers are required to know their public name. This is -configured with the @samp{--server-name} option. +Finally, you configure the server by passing the +@samp{--configuration} parameter pointing to a configuration file. The +configuration file is plain guile code, that must evaluate to an +@code{<endpoint>}. + +Here is an example configuration that runs a resource server with an +identity provider: + +@lisp +(use-modules (webid-oidc server endpoint) + (webid-oidc server endpoint resource-server) + (webid-oidc server endpoint identity-provider) + (webid-oidc server endpoint authentication) + (webid-oidc oidc-configuration) + (oop goops)) + +(make <identity-provider> + #:host "example.com" + #:oidc-discovery + (make <oidc-discovery> + #:path "/.well-known/openid-configuration" + #:configuration + (make <oidc-configuration> + #:jwks-uri "https://example.com/keys" + #:authorization-endpoint "https://example.com/authorize" + #:token-endpoint "https://example.com/token")) + #:authorization-endpoint + (make <authorization-endpoint> + #:path "/authorize" + #:subject "https://example.com/profile/card#me" + #:encrypted-password (crypt "secretpassword123" "$6$secret.salt") + #:key-file "/var/lib/disfluid/key-file.jwk") + #:token-endpoint + (make <token-endpoint> + #:path "/token" + #:issuer "https://example.com" + #:key-file "/var/lib/disfluid/key-file.jwk") + #:jwks-endpoint + (make <jwks-endpoint> + #:path "/keys" + #:key-file "/var/lib/disfluid/key-file.jwk") + #:default + (make <authenticator> + #:backend + (make <resource-server> + #:server-name "https://example.com" + #:owner "https://example.com/profile/card#me") + #:server-uri "https://example.com")) +@end lisp The server will make requests on the world-wide web, for instance to download client manifests. The requests can be redirected with XML @@ -199,64 +227,6 @@ Catalog, by setting the @samp{XML_CATALOG_FILES} to a space-separated list of URIs (can be @code{file:} URIs). The requests cannot be directed to the file system. -@node Configuration for the resource server -@section Configuration for the resource server -The reverse proxy sets an identity header to authenticated -requests. By default, it is @samp{XXX-Agent}, but it can be configured -with @samp{--header}. - -The reverse proxy is configured to contact a backend URI with -@samp{--backend-uri}. This backend URI should not be directly exposed, -because a malicious user could set the identity header. - -@node Configuration for the identity provider -@section Configuration for the identity provider -The identity provider can only handle one user. If you want to handle -multiple users, it is highly advised to use a different host name for -each user, in case the server is accessed from a web browser. You can -set the identity of the user with @samp{--subject}, and write the -user’s password in a file. Pass the file name with -@samp{--encrypted-password-file}. You can pass the encrypted password -directly with @samp{--encrypted-password}, but the encrypted password -will be public. - -The encrypted password format is defined by the crypt function in the -C library. For glibc, it looks like this: -@code{$@var{N}$@var{salt}$@var{hash}}, where @var{N} is the algorithm -identifier, @var{salt} is the password salt annd @var{hash} is its -hash. - -The server uses a key, which is not the same thing as the TLS -certificate of the server (remember, the servers don’t support -TLS). It is in the JWK format. You set its file name with -@samp{--key-file}. If the key file does not exist, it will be -generated. - -Finally, the public openid configuration requires you to set the JWKS -URI (@samp{--jwks-uri}), authorization endpoint URI -(@samp{--authorization-endpoint-uri}) and token endpoint URI -(@samp{--token-endpoint-uri}). The identity provider will publish the -full URIs, but will respond to their path, regardless of the host. - -@node Configuration for the client service -@section Configuration for the client service -The client will serve a stupid page for the redirect URI that will -only display the authorization code. The redirect URI is set with -@samp{--redirect-uri}. - -The client ID is set with @samp{--client-id}. This is the URI under -which the client registrationn is served. - -Finally, you can set some cosmetic options, but since it can confuse -the user, they are hidden by default by the identity provider. - -@table @samp -@item --client-name -set the name of the application. -@item --client-uri -set an URI where to find more information about the client. -@end table - @node Running disfluid with GNU Guix @chapter Running disfluid with GNU Guix @@ -266,30 +236,17 @@ with guix. It defines the package at the latest commit, and a service definition in @emph{(vkraus services disfluid)}. @defvr {service type} disfluid-service-type -This service runs a bunch of disfluid servers with the @emph{disfluid} -system user, each with a unique name. The value it takes is an alist -of service configurations: the keys are unique names (to differenciate -the generated shepherd services), and the values are configuration -records for an issuer, reverse proxy, server, or client service. +This service runs a disfluid server with the @emph{disfluid} system +user. The value it takes is a service configuration. @end defvr -@deftp {configuration record} <disfluid-issuer-configuration> [@var{disfluid}] @var{complete-corresponding-source} @var{issuer} @var{key-file} @var{subject} @var{encrypted-password-file} @var{jwks-uri} @var{authorization-endpoint-uri} @var{token-endpoint-uri} @var{port} [@var{extra-options}] +@deftp {configuration record} <disfluid-configuration> [@var{disfluid}] @var{complete-corresponding-source} @var{port} @var{configuration-file} [@var{extra-options}] The configuration for the identity provider. The optional @var{disfluid} argument is the package containing the binary to run, if you want to apply some patches, and @var{extra-options} is an empty list by default. -@end deftp - -@deftp {configuration record} <disfluid-reverse-proxy-configuration> [@var{disfluid}] @var{complete-corresponding-source} @var{port} @var{inbound-uri} @var{outbound-uri} @var{header} [@var{extra-options}] -This record configures an authenticating reverse proxy. -@end deftp -@deftp {configuration record} <disfluid-client-service-configuration> [@var{disfluid}] @var{complete-corresponding-source} @var{client-id} @var{redirect-uri} [@var{client-name}] [@var{client-uri}] @var{port} [@var{extra-options}] -This record configures a server to serve public application pages. -@end deftp - -@deftp {configuration record} <disfluid-server-configuration> [@var{disfluid}] @var{complete-corresponding-source} @var{server-name} @var{key-file} @var{subject} @var{encrypted-password-file} @var{jwks-uri} @var{authorization-endpoint-uri} @var{token-endpoint-uri} @var{port} [@var{extra-options}] -The configuration for the full server. +@var{configuration-file} is a file-like object or a file name. @end deftp @node Common parameters @@ -1881,137 +1838,8 @@ Return the directory where @var{resource-server} stores persistent data. @end deffn -@node Running an Identity Provider -@chapter Running an Identity Provider - -This project is packaged with a barebones identity provider. It has an -authorization endpoint and a token endpoint (and it serves its public -keys), but it is only intended for one specific person. - -You can start it by invoking the @code{webid-oidc} program with the -@code{issuer} command, with the following options: - -@table @asis -@item @code{-h}, or @code{--help} -prints a summary of options and exit. -@item @code{-v}, or @code{--version} -prints the version of the program and exits. -@item @code{-n @var{URI}}, or @code{--server-name=@var{URI}} -sets the global server name of the identity provider. It should have -an empty path. -@item @code{-k @var{FILE.jwk}}, or @code{--key-file=@var{FILE.jwk}} -sets the file name where to read or generate a key for the identity -provider. This file should be JSON, containing the representation of a -JWK key pair. -@item @code{-s @var{WEBID}}, or @code{--subject=@var{WEBID}} -sets the webid of the only user of the identity provider. This is an -URI, pointing to a RDF node corresponding to the user’s profile. -@item @code{-w @var{PASSWORD}}, or @code{--password=@var{PASSWORD}} -sets the password that the user must enter to authorize an -application. -@item @code{-j @var{URI}}, or @code{--jwks-uri=@var{URI}} -tells the server that requests to @var{URI} should be responded with -the public key used to sign the tokens. -@item @code{-a @var{URI}}, or @code{--authorization-endpoint-uri=@var{URI}} -tells the server that requests to @var{URI} should be treated as -authorization requests. -@item @code{-t @var{URI}}, or @code{--token-endpoint-uri=@var{URI}} -tells the server that requests to @var{URI} should be treated as token -negociation requests. -@item @code{-p @var{PORT}}, or @code{--port=@var{PORT}} -change the port number used by the server. By default, it is set to -8080. -@item @code{-l @var{FILE.log}}, or @code{--log-file=@var{FILE.log}} -let the server dump all its output to @var{FILE.log}. Since I don’t -know how to deal with syslog, this is the only way to keep logs with a -shepherd service. -@item @code{-e @var{FILE.err}}, or @code{--error-file=@var{FILE.err}} -let the server dump all its errors to @var{FILE.err}. -@end table - -The program is sensitive to the environment variables. The most -important one is @emph{LANG}, which influences how the program is -internationalized to the server administrator (the pages served to the -user use the user agent’s locale). This changes the long form of the -options, and the language in the log files. - -The @emph{XDG_DATA_HOME} should point to some place where the program -will store refresh tokens, under the @code{webid-oidc} directory. For -a system service, you might want to define that environment to -@code{/var/lib}, for instance. - -The @emph{XDG_CACHE_HOME} should point to a directory where to store -the seed of the random number generator (under a @code{webid-oidc} -directory, again). Changing the seed only happens when a program -starts to require the random number generator. You can safely delete -this directory, but you need to restart the program to actually change -the seed. - -@node Running a Resource Server -@chapter Running a Resource Server - -@menu -* The authenticator:: -* The full server:: -* Resources stored on the server:: -@end menu - -A Solid server is the server that manages your data. It needs to check -that the proofs of possession are correct, and the possessed key is -signed by the identity provider. - -@node The authenticator -@section The authenticator - -In @emph{(webid-oidc resource-server)}, the following function gives a -simple API for a web server: - -@deffn function make-authenticator @var{jti-list} @var{[#server-uri]} @var{[#current-time]} @var{[#http-get]} -Create an authenticator, i.e. a function that takes a request and -request body and returns the webid of the authenticated user, or -@code{#f} if it is not authenticated. - -To prevent replay attacks, each request is signed by the client with a -different unique padding value. If such a value has already been seen, -then the request must fail. - -The authenticator expects the client to demonstrate the possession of -a key that the identity provider knows. So the client creates a DPoP -proof, targetted to a specific URI. In order to check that the URI is -correct, the authenticator needs the public URI of the service. - -The JTIs are checked within a small time frame. By default, the system -time will be used. Otherwise, you can customize the -@code{current-time} optional keyword argument, to pass a thunk -returning a time from @emph{(srfi srfi-19)}. - -You may want to customize the @var{http-get} optional keyword argument -to pass a function to replace @code{http-get} from @emph{(http -client)}. This function takes an URI and optional @code{#:headers} -arguments, makes the request, and return two values: the response, and -the response body. - -This function, in @emph{(webid-oidc resource-server)}, returns a web -request handler, taking the request and request body, and returning -the subject of the access token. If an error happens, it is thrown; -the function always returns a valid URI. -@end deffn - -@node The full server -@section The full server - -@deffn {function from @emph{(webid-oidc resource-server)}} make-server @var{[#:server-uri]} @var{[#:owner]} @var{[#:authenticator]} @var{[#:current-time]} @var{[#:http-get]} -Return a server handler, a function taking 2 values, a request and a -request body, and returning 2 values, the response and response body. - -The optional @var{[#:authenticator]} argument defaults to the -webid-oidc authenticator, @var{[#:current-time]} defaults to a thunk -returning the system time and @var{[#:http-get]} to the web client -from @emph{(web client)}. -@end deffn - @node Resources stored on the server -@section Resources stored on the server +@chapter Resources stored on the server To store and serve resources, the server has two distinct mechanisms. A @dfn{content} is a read-only possible value for a |