Merge pull request #222 from canonical/IAM-745-support-local-idp

feat: support local identity provider
canonical · Aug 13, 2024 · f513e35 · f513e35
2 parents f8e5ba4 + 85474d8
commit f513e35
Show file tree

Hide file tree

Showing 7 changed files with 530 additions and 16 deletions.
diff --git a/charmcraft.yaml b/charmcraft.yaml
@@ -103,6 +103,15 @@ config:
         Run Kratos on dev mode, it is needed if HTTPS is not set up. This should only be used for development purposes.
       type: boolean
       default: False
+    enable_local_idp:
+      description: Enable Kratos Identity Provider
+      type: boolean
+      default: True
+    enable_passwordless_login_method:
+      description: |
+        Enable passwordless authentication via webauthn. Requires `enable_local_idp=True`.
+      type: boolean
+      default: False
     identity_schemas:
       description: |
         A mapping of schema_id to identity schemas. For example:

diff --git a/identity_schemas/admin_v0.json b/identity_schemas/admin_v0.json
@@ -24,10 +24,24 @@
           "title": "E-Mail",
           "minLength": 3,
           "ory.sh/kratos": {
-            "verification": {
-              "via": "email"
+              "credentials": {
+                "password": {
+                  "identifier": true
+                },
+                "totp": {
+                   "account_name": true
+                },
+                "webauthn": {
+                  "identifier": true
+                }
+              },
+              "verification": {
+                "via": "email"
+              },
+              "recovery": {
+                "via": "email"
+              }
             }
-          }
         },
         "name": {
           "type": "string",

diff --git a/identity_schemas/social_user_v0.json b/identity_schemas/social_user_v0.json
@@ -50,7 +50,27 @@
         "email": {
           "type": "string",
           "format": "email",
-          "title": "E-Mail"
+          "title": "E-Mail",
+          "minLength": 3,
+            "ory.sh/kratos": {
+              "credentials": {
+                "password": {
+                  "identifier": true
+                },
+                "totp": {
+                   "account_name": true
+                },
+                "webauthn": {
+                  "identifier": true
+                }
+              },
+              "verification": {
+                "via": "email"
+              },
+              "recovery": {
+                "via": "email"
+              }
+            }
         },
         "gender": {
           "type": "string",

diff --git a/lib/charms/identity_platform_login_ui_operator/v0/login_ui_endpoints.py b/lib/charms/identity_platform_login_ui_operator/v0/login_ui_endpoints.py
@@ -52,7 +52,7 @@ def some_event_function():
 
 # Increment this PATCH version before using `charmcraft publish-lib` or reset
 # to 0 if you are raising the major API version
-LIBPATCH = 3
+LIBPATCH = 6
 
 RELATION_NAME = "ui-endpoint-info"
 INTERFACE_NAME = "login_ui_endpoints"
@@ -63,6 +63,10 @@ def some_event_function():
     "error_url",
     "login_url",
     "oidc_error_url",
+    "device_verification_url",
+    "post_device_done_url",
+    "recovery_url",
+    "settings_url",
 ]
 
 
@@ -110,6 +114,10 @@ def send_endpoints_relation_data(self, endpoint: str) -> None:
                 "error_url": f"{endpoint}/ui/error",
                 "login_url": f"{endpoint}/ui/login",
                 "oidc_error_url": f"{endpoint}/ui/oidc_error",
+                "device_verification_url": f"{endpoint}/ui/device_code",
+                "post_device_done_url": f"{endpoint}/ui/device_complete",
+                "recovery_url": f"{endpoint}/ui/reset_email",
+                "settings_url": f"{endpoint}/ui/reset_password",
             }
         for relation in relations:
             relation.data[self._charm.app].update(endpoint_databag)

diff --git a/src/charm.py b/src/charm.py
@@ -516,15 +516,17 @@ def _render_conf_file(self) -> str:
         login_ui_url = self._get_login_ui_endpoint_info("login_url")
         mappers = self._get_claims_mappers()
         cookie_secrets = self._get_secret()
+        parsed_public_url = urlparse(self._public_url)
 
         allowed_return_urls = []
+        origin = ""
         if self._public_url:
             allowed_return_urls = [
-                urlparse(self._public_url)
-                ._replace(path="", params="", query="", fragment="")
+                parsed_public_url._replace(path="", params="", query="", fragment="")
                 .geturl()
                 + "/"
             ]
+            origin = f"{parsed_public_url.scheme}://{parsed_public_url.hostname}"
 
         rendered = template.render(
             cookie_secrets=[cookie_secrets] if cookie_secrets else None,
@@ -536,10 +538,16 @@ def _render_conf_file(self) -> str:
             default_identity_schema_id=default_schema_id,
             login_ui_url=login_ui_url,
             error_ui_url=self._get_login_ui_endpoint_info("error_url"),
+            settings_ui_url=self._get_login_ui_endpoint_info("settings_url"),
+            recovery_ui_url=self._get_login_ui_endpoint_info("recovery_url"),
             oidc_providers=oidc_providers,
             available_mappers=self._get_available_mappers,
             oauth2_provider_url=self._get_hydra_endpoint_info(),
             smtp_connection_uri=self.config.get("smtp_connection_uri"),
+            enable_local_idp=self.config.get("enable_local_idp"),
+            enable_passwordless_login_method=self.config.get("enable_passwordless_login_method"),
+            origin=origin,
+            domain=parsed_public_url.hostname,
         )
         return rendered
 

diff --git a/templates/kratos.yaml.j2 b/templates/kratos.yaml.j2
@@ -27,6 +27,21 @@ selfservice:
         login:
             ui_url: {{ login_ui_url }}
         {%- endif %}
+        {%- if settings_ui_url %}
+        settings:
+            ui_url: {{ settings_ui_url }}
+            required_aal: highest_available
+        {%- endif %}
+        {%- if recovery_ui_url %}
+        recovery:
+            enabled: True
+            ui_url: {{ recovery_ui_url }}
+            use: code
+            after:
+                default_browser_return_url: {{ default_browser_return_url }}
+                hooks:
+                    - hook: revoke_active_sessions
+        {%- endif %}
         {%- if oidc_providers %}
         registration:
             after:
@@ -35,10 +50,38 @@ selfservice:
                     - hook: session
         {%- endif %}
     {%- endif %}
-    {%- if oidc_providers %}
+    {%- if oidc_providers or recovery_ui_url or enable_local_idp and login_ui_url %}
     methods:
+        {%- if recovery_ui_url %}
+        code:
+            enabled: True
+        {%- endif %}
+        {%- if not enable_local_idp or not login_ui_url %}
+        password:
+            enabled: False
+        {%- endif %}
+        {%- if enable_local_idp and login_ui_url %}
         password:
-            enabled: false
+            enabled: True
+            config:
+                haveibeenpwned_enabled: False
+        totp:
+            enabled: True
+            config:
+                issuer: Identity Platform
+        {%- if enable_passwordless_login_method %}
+        webauthn:
+            enabled: True
+            config:
+                passwordless: True
+                rp:
+                    id: {{ domain }}
+                    origins:
+                        - {{ origin }}
+                    display_name: Identity Platform
+        {%- endif %}
+        {%- endif %}
+        {%- if oidc_providers %}
         oidc:
             config:
                 providers:
@@ -52,6 +95,7 @@ selfservice:
                       {%- endif %}
                 {%- endfor %}
             enabled: True
+        {%- endif %}
     {%- endif %}
 {%- if cookie_secrets %}
 secrets: