generated from coulomb/repo-seed
bootstrapping guidance ui and missing stuff
This commit is contained in:
@@ -12,6 +12,12 @@ the full authentication flow:
|
||||
KeyCape is stateless — all state lives in Authelia (sessions), LLDAP (users), and
|
||||
privacyIDEA (MFA tokens). No PVC is required.
|
||||
|
||||
The Authelia `baseURL` in `create-secrets.sh` must be the browser-facing
|
||||
`https://auth.coulomb.social` URL. KeyCape uses it to build the redirect sent
|
||||
to the user's browser during `/authorize`; a cluster-internal service URL or
|
||||
relative Authelia path will make the public OIDC login flow land on a 404 even
|
||||
when discovery and health checks are working.
|
||||
|
||||
## Prerequisites
|
||||
|
||||
- T04 complete (privacyIDEA is Running and bootstrapped — admin account + enckey done)
|
||||
@@ -114,6 +120,25 @@ clients:
|
||||
clientType: "public"
|
||||
```
|
||||
|
||||
For the local NetKingdom bootstrap console login check, keep the dedicated
|
||||
bootstrap client registered with exact local callback URIs:
|
||||
|
||||
```yaml
|
||||
clients:
|
||||
- clientId: "netkingdom-bootstrap-console"
|
||||
displayName: "NetKingdom Bootstrap Console"
|
||||
redirectUris:
|
||||
- "http://127.0.0.1:8876/oidc/callback"
|
||||
- "http://localhost:8876/oidc/callback"
|
||||
allowedScopes: ["openid", "profile", "email", "groups"]
|
||||
grantTypes: ["authorization_code"]
|
||||
clientType: "public"
|
||||
```
|
||||
|
||||
The local callback page exchanges the authorization code and displays only
|
||||
non-secret claims. KeyCape presents a browser OTP challenge between Authelia
|
||||
password login and the final OIDC redirect whenever privacyIDEA requires MFA.
|
||||
|
||||
## Secrets managed
|
||||
|
||||
| Secret name | Keys | Purpose |
|
||||
@@ -142,4 +167,9 @@ curl -s https://kc.coulomb.social/.well-known/openid-configuration | jq .
|
||||
# Check issuer matches CP-NK-004
|
||||
curl -s https://kc.coulomb.social/.well-known/openid-configuration \
|
||||
| jq -r .issuer # should be: https://kc.coulomb.social
|
||||
|
||||
# Browser login redirect should start at KeyCape and then leave the kc host for
|
||||
# Authelia. If it redirects to /api/oidc/authorization on kc.coulomb.social,
|
||||
# regenerate keycape-config and restart KeyCape after confirming the Authelia
|
||||
# browserBaseURL above.
|
||||
```
|
||||
|
||||
Reference in New Issue
Block a user