Switch to external SSO

.env.sample

@@ -7,5 +7,18 @@ DOMAIN=lasuite-docs.example.com
 
 LETS_ENCRYPT_ENV=production
 
+# NOTE: OpenID Connect (OIDC) single sign-on is **required**, see recipe README
+OIDC_OP_JWKS_ENDPOINT=https://auth.${DOMAIN}/realms/impress/protocol/openid-connect/certs
+OIDC_OP_AUTHORIZATION_ENDPOINT=https://auth.${DOMAIN}/realms/impress/protocol/openid-connect/auth
+OIDC_OP_TOKEN_ENDPOINT=https://auth.${DOMAIN}/realms/impress/protocol/openid-connect/token
+OIDC_OP_USER_ENDPOINT=https://auth.${DOMAIN}/realms/impress/protocol/openid-connect/userinfo
+OIDC_RP_CLIENT_ID=impress
 # FIXME: Move to docker secret
 OIDC_RP_CLIENT_SECRET=example
+OIDC_RP_SIGN_ALGO=RS256
+OIDC_RP_SCOPES="openid email"
+LOGIN_REDIRECT_URL=https://${DOMAIN}
+LOGIN_REDIRECT_URL_FAILURE=https://${DOMAIN}
+LOGOUT_REDIRECT_URL=https://${DOMAIN}
+OIDC_REDIRECT_ALLOWED_HOSTS='["https://auth.${DOMAIN}", "https://${DOMAIN}"]'
+OIDC_AUTH_REQUEST_EXTRA_PARAMS="{'acr_values'='eidas1'}"

README.md

@@ -17,8 +17,13 @@
 
 ## Quick start
 
+* Deploy Single Sign On (see [Authentication](#authentication) below)
 * `abra app new lasuite-docs --secrets`
 * `abra app config <app-name>`
 * `abra app deploy <app-name>`
 
 For more, see [`docs.coopcloud.tech`](https://docs.coopcloud.tech).
+
+## Authentication
+
+Docs **requires** an OpenID Connect (OIDC) single sign-on provider; we recommend [Authentik](https://git.coopcloud.tech/coop-cloud/authentik) or [Keycloak](https://git.coopcloud.tech/coop-cloud/keycloak), both of which are installable using Co-op Cloud.

TODO.md

@@ -4,7 +4,7 @@
 
 - [x] Fix image uploads
 - [ ] Update recipe metadata
-- [ ] External OIDC server (+ move options to `.env.sample`)
+- [x] External OIDC server (+ move options to `.env.sample`)
 - [ ] Customisable Django `DJANGO_SECRET_KEY` and `DJANGO_SUPERUSER_PASSWORD`
 - [ ] Versioned recipe release
 

compose.yml

@@ -31,20 +31,20 @@ x-common-env: &common-env
   AWS_S3_SECRET_ACCESS_KEY: password
   MEDIA_BASE_URL: https://${DOMAIN}
   AWS_STORAGE_BUCKET_NAME: docs-media-storage
-  # OIDC
+  # OIDC - settings from .env, see .env.sample
-  OIDC_OP_JWKS_ENDPOINT: https://auth.${DOMAIN}/realms/impress/protocol/openid-connect/certs
+  OIDC_OP_JWKS_ENDPOINT:
-  OIDC_OP_AUTHORIZATION_ENDPOINT: https://auth.${DOMAIN}/realms/impress/protocol/openid-connect/auth
+  OIDC_OP_AUTHORIZATION_ENDPOINT:
-  OIDC_OP_TOKEN_ENDPOINT: https://auth.${DOMAIN}/realms/impress/protocol/openid-connect/token
+  OIDC_OP_TOKEN_ENDPOINT:
-  OIDC_OP_USER_ENDPOINT: https://auth.${DOMAIN}/realms/impress/protocol/openid-connect/userinfo
+  OIDC_OP_USER_ENDPOINT:
-  OIDC_RP_CLIENT_ID: impress
+  OIDC_RP_CLIENT_ID:
   OIDC_RP_CLIENT_SECRET:
-  OIDC_RP_SIGN_ALGO: RS256
+  OIDC_RP_SIGN_ALGO:
-  OIDC_RP_SCOPES: "openid email"
+  OIDC_RP_SCOPES:
-  LOGIN_REDIRECT_URL: https://${DOMAIN}
+  LOGIN_REDIRECT_URL:
-  LOGIN_REDIRECT_URL_FAILURE: https://${DOMAIN}
+  LOGIN_REDIRECT_URL_FAILURE:
-  LOGOUT_REDIRECT_URL: https://${DOMAIN}
+  LOGOUT_REDIRECT_URL:
-  OIDC_REDIRECT_ALLOWED_HOSTS: '["https://auth.${DOMAIN}", "https://${DOMAIN}"]'
+  OIDC_REDIRECT_ALLOWED_HOSTS:
-  OIDC_AUTH_REQUEST_EXTRA_PARAMS: "{'acr_values': 'eidas1'}"
+  OIDC_AUTH_REQUEST_EXTRA_PARAMS:
   # AI
   AI_FEATURE_ENABLED: "false"
   AI_BASE_URL: https://openaiendpoint.com
@@ -81,31 +81,6 @@ x-minio-env: &minio-env
   # FIXME: Move to docker secret
   MINIO_ROOT_PASSWORD: password
 
-x-keycloak-env: &kc-keycloak-env
-  KC_BOOTSTRAP_ADMIN_USERNAME: admin
-  # FIXME: Move to docker secret
-  KC_BOOTSTRAP_ADMIN_PASSWORD: admin
-  KC_DB: postgres
-  KC_DB_URL_HOST: kc_postgresql
-  KC_DB_SCHEMA: public
-  PROXY_ADDRESS_FORWARDING: 'true'
-  KC_HOSTNAME: https://auth.${DOMAIN}
-  KC_HTTP_ENABLED: "true"
-  # KC_HTTPS_CERTIFICATE_FILE: /etc/ssl/certs/docs.crt
-  # KC_HTTPS_CERTIFICATE_KEY_FILE: /etc/ssl/private/docs.key`
-
-x-kc-postgres-env: &kc-postgres-env
-  # Postgresql db container configuration
-  POSTGRES_DB: keycloak
-  POSTGRES_USER: keycloak
-  # FIXME: Move to docker secret
-  POSTGRES_PASSWORD: keycloak
-  # Keycloak database configuration
-  KC_DB_URL_DATABASE: keycloak
-  KC_DB_USERNAME: keycloak
-  # FIXME: Move to docker secret
-  KC_DB_PASSWORD: keycloak
-
 services:
   app:
     image: lasuite/impress-frontend:v3.3.0
@@ -223,42 +198,6 @@ services:
         - "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}"
         - "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure"
 
-  # FIXME: remove
-  kc_postgresql:
-    image: postgres:16
-    networks:
-      - backend
-    healthcheck:
-      test: ["CMD", "pg_isready", "-q", "-U", "keycloak", "-d", "keycloak"]
-      interval: 1s
-      timeout: 2s
-      retries: 300    
-    environment:
-      <<: *kc-postgres-env
-      PGDATA: var/lib/postgresql/data/pgdata
-    volumes:
-      - postgres_keycloak:/var/lib/postgresql/data/pgdata
-
-  keycloak:
-    image: quay.io/keycloak/keycloak:26.1.0
-    command: ["start"]
-    networks:
-      - proxy
-      - backend
-    environment:
-      <<: [*kc-keycloak-env, *kc-postgres-env]
-    # volumes:
-    #   - certs:/etc/ssl/certs:ro
-    deploy:
-      labels:
-        - "traefik.enable=true"
-        - "traefik.docker.network=proxy"
-        - "traefik.http.routers.${STACK_NAME}-keycloak.tls=true"
-        - "traefik.http.services.${STACK_NAME}-keycloak.loadbalancer.server.port=8080"
-        - "traefik.http.routers.${STACK_NAME}-keycloak.rule=Host(`auth.${DOMAIN}`)"
-        - "traefik.http.routers.${STACK_NAME}-keycloak.tls.certresolver=${LETS_ENCRYPT_ENV}"
-        - "traefik.http.routers.${STACK_NAME}-keycloak.entrypoints=web-secure"
-
 networks:
   proxy:
     external: true
@@ -267,9 +206,6 @@ networks:
 volumes:
   postgres:
   minio:
-  # FIXME: remove this
-  postgres_keycloak:
-  # certs:
 
 configs:
   nginx_conf: