Support SSO

See https://github.com/WASHNote/washnote-apps/issues/10.
2021-06-28 13:42:02 +02:00 · 2021-06-28 13:42:02 +02:00 · c13aa2c715
commit c13aa2c715
parent 14cc4e6ac5
6 changed files with 44 additions and 1 deletions
--- a/.env.sample
+++ b/.env.sample
@ -7,3 +7,10 @@ SECRET_ADMIN_PASSWORD_VERSION=v1

 # MSSQL driver
 COMPOSE_FILE="compose.yml:compose.mssql.yml"
+
+# OpenID Connect (SSO)
+# COMPOSE_FILE="compose.yml:compose.oidc.yml"
+# OIDC_ENABLED=1
+# OIDC_CLIENT_ID=
+# OIDC_ISSUER_URL=
+# SECRET_OIDC_CLIENT_SECRET=v1
--- a/abra.sh
+++ b/abra.sh
@ -1 +1,2 @@
 export CUSTOM_ENTRYPOINT_VERSION=v1
+export OIDC_CONF_VERSION=v1
--- a/compose.oidc.yml
+++ b/compose.oidc.yml
@ -0,0 +1,26 @@
+---
+version: "3.8"
+
+services:
+  app:
+    configs:
+      - source: oidc_conf
+        target: /etc/rstudio/openid-client-secret
+        mode: 0600
+    environment:
+      - OIDC_CLIENT_ID
+      - OIDC_ENABLED
+      - OIDC_ISSUER_URL
+    secrets:
+      - oidc_client_secret
+
+configs:
+  oidc_conf:
+    name: ${STACK_NAME}_oidc_conf_${OIDC_CONF_VERSION}
+    file: oidc.conf.tmpl
+    template_driver: golang
+
+secrets:
+  oidc_client_secret:
+    name: ${STACK_NAME}_oidc_client_secret_${SECRET_OIDC_CLIENT_SECRET}
+    external: true
--- a/compose.yml
+++ b/compose.yml
@ -12,8 +12,9 @@ services:
    secrets:
      - admin_password
    environment:
-      - ROOT=TRUE
+      - DOMAIN=${DOMAIN}
      - PASSWORD_FILE=/run/secrets/admin_password
+      - ROOT=TRUE
    configs:
      - source: custom_entrypoint
        target: /docker-entrypoint.sh
--- a/entrypoint.sh.tmpl
+++ b/entrypoint.sh.tmpl
@ -26,4 +26,10 @@ file_env() {

 file_env "PASSWORD"

+{{ if eq (env "OIDC_ENABLED") "1" }}
+echo "auth-openid=1" >> /etc/rstudio/rserver.conf
+echo "auth-openid-issuer=${OIDC_ISSUER_URL}" >> /etc/rstudio/rserver.conf
+echo "auth-openid-base-uri=https://${DOMAIN}" >> /etc/rstudio/rserver.conf
+{{ end }}
+
 exec "$@"
--- a/oidc.conf.tmpl
+++ b/oidc.conf.tmpl
@ -0,0 +1,2 @@
+client-id={{ env "OIDC_CLIENT_ID" }}
+client-secret={{ secret "oidc_client_secret" }}