Compare commits
6 commits
0562194d93
...
5146a6f9be
| Author | SHA1 | Date | |
|---|---|---|---|
|
5146a6f9be | ||
|
|
1da4f6b032 | ||
|
|
837486a0fa | ||
|
|
e19d08d3cc | ||
|
|
8fd01ba3f5 | ||
|
|
b65ff7aca9 |
|
|
@ -10,7 +10,7 @@ MUSICIAN_SECRET_KEY='changeme_v9&&N$Lt9t*5EGwm0w'
|
|||
# specially useful if you want to deploy in a specific domain
|
||||
MUSICIAN_API_BASE_URL='https://orchestra.example.org'
|
||||
MUSICIAN_ALLOWED_HOSTS='musician.example.org'
|
||||
DOMAIN='musician.example.org'
|
||||
MUSICIAN_DOMAIN='musician.example.org'
|
||||
|
||||
# DEVICEHUB
|
||||
####
|
||||
|
|
@ -89,6 +89,10 @@ IDHUB_USER='admin'
|
|||
IDHUB_PASSWD='admin'
|
||||
IDHUB_EMAIL='admin@example.org'
|
||||
|
||||
# this option needs to be set to 'n' to be able to make work idhub in docker
|
||||
# by default it is set to 'y' to facilitate idhub dev when outside docker
|
||||
IDHUB_SYNC_ORG_DEV='n'
|
||||
|
||||
# AUTHENTIK aka goauthentik
|
||||
####
|
||||
|
||||
|
|
|
|||
14
README.md
14
README.md
|
|
@ -9,22 +9,22 @@
|
|||
Actors-> **XO9B**: IdHub (acting as a user wallet for families holding credentials issued by a social support organisation), **Connectivity provider entity**: Demo portal (acting as Verifier Portal). The verifier portal incorporates verification capabalities and support to establish an OIDC4VP dialog with the user wallet for credential presentation (accreditation).
|
||||
- **Setem**:
|
||||
- Motivation: Since SETEM is a federation, members of one of the federated entities (Setem BCN) can accredit their membership to other federation members (Setem Madrid) presenting a verifiable credential to obtain a discount.
|
||||
|
||||
|
||||
Actors-> **Setem BCN**: IdHub (acting as a user wallet for their members holding credentials issued by Setem BCN), **Setem Madrid**: Demo portal (acting as Verifier Portal). The verifier portal incorporates verification capabilities and support to establish an OIDC4VP dialog with the user wallet for credential presentation (accreditation).
|
||||
- **Lafede**:
|
||||
- Motivation: Implementation of dual EIDAS1 and EIDAS2 compliant attestations as signed PDFS with public verifiable credentials exported as QR codes embedded in these documents. Member organisations and related persons of the Lafede federation request membership and training certificates.
|
||||
|
||||
Actors-> **Lafede**: idHub
|
||||
|
||||
|
||||
- **Pangea**:
|
||||
- Motivation: The case of Pangea as a web/internet service provider, with member organisations that receive services. These organisations have allocated several resources units (mail accounts, blogs, etc.). Only authorised users with a specific role should be able to access the Musician (Administration Control Panel of resources).
|
||||
- Motivation: The case of Pangea as a web/internet service provider, with member organisations that receive services. These organisations have allocated several resources units (mail accounts, blogs, etc.). Only authorised users with a specific role should be able to access the Musician (Administration Control Panel of resources).
|
||||
- Scenarios:
|
||||
- Scenario 1-> 'Login with Organisation A (Idp)'. The staff members of organisation A, with the appropiate role, can authenticate themselves by providing their organisation credentials (username and password) to access a service in Pangea (Musician).
|
||||
|
||||
- Scenario 1-> 'Login with Organisation A (Idp)'. The staff members of organisation A, with the appropiate role, can authenticate themselves by providing their organisation credentials (username and password) to access a service in Pangea (Musician).
|
||||
|
||||
Actors-> **Pangea**: IdP (goauthentik), Musician, Orchestra. **Organisation A**: IdP, IdHub
|
||||
|
||||
|
||||
Pangea delegates authentication to the IdP of organisation B using OpenID Connect. In this case, the Pangea's IdP (goauthentik) delegates the authentication to Organisation A's IdP, which get the user's role information from the Organisation A's IdHub.
|
||||
|
||||
|
||||
- Scenario 2-> 'Present a verifiable credential'. The staff members of organisation A, with the appropiate credentials, present them to Pangea in order to access the Musician service.
|
||||
|
||||
Actors-> **Pangea**: IdP (goauthentik), IdHub (as verifier), Musician, Orchestra (with also nginx API rproxy). **Organisation A**: IdHub (as user wallet)
|
||||
|
|
|
|||
|
|
@ -6,8 +6,10 @@ set -u
|
|||
set -x
|
||||
|
||||
main() {
|
||||
action="${action:-deploy}"
|
||||
export deployment='prod'
|
||||
./pull-repos.sh
|
||||
|
||||
export action="${action:-deploy}"
|
||||
export deployment="${deployment:-prod}"
|
||||
./build__pilot-xo9b.sh
|
||||
./build__pilot-setem.sh
|
||||
./build__pilot-lafede.sh
|
||||
|
|
|
|||
|
|
@ -36,12 +36,12 @@ common_start() {
|
|||
|
||||
common_end() {
|
||||
|
||||
idhub_dc_f="docker-compose__${pilot}.yml"
|
||||
docker compose -p ${pilot} -f ${idhub_dc_f} down -v || true
|
||||
dc_file="docker-compose__${pilot}.yml"
|
||||
docker compose -p ${pilot} -f ${dc_file} down -v || true
|
||||
make idhub_build
|
||||
|
||||
if [ "${action:-}" = "deploy" ]; then
|
||||
docker compose -p ${pilot} -f ${idhub_dc_f} up ${detach:-}
|
||||
docker compose -p ${pilot} -f ${dc_file} up ${detach:-}
|
||||
fi
|
||||
|
||||
}
|
||||
|
|
|
|||
|
|
@ -37,7 +37,7 @@ services:
|
|||
# src https://github.com/docker-library/docs/tree/master/nginx#complex-configuration
|
||||
- ./docker/nginx-orchestra-api.nginx.conf:/etc/nginx/nginx.conf:ro
|
||||
|
||||
idhub:
|
||||
idhub1:
|
||||
init: true
|
||||
image: dkr-dsg.ac.upc.edu/trustchain-oc1-orchestral/idhub:latest
|
||||
environment:
|
||||
|
|
@ -61,11 +61,44 @@ services:
|
|||
- RESPONSE_URI=https://idhub.demo.pangea.org/oidc4vp/
|
||||
- ALLOW_CODE_URI=https://idhub.demo.pangea.org/oidc4vp/allow_code
|
||||
- SUPPORTED_CREDENTIALS=['MembershipCard']
|
||||
- SYNC_ORG_DEV=${IDHUB_SYNC_ORG_DEV}
|
||||
- ORG_FILE=examples/organizations__pilot_pangea.csv
|
||||
ports:
|
||||
- 9021:9001
|
||||
volumes:
|
||||
- ./idhub1__pilot-pangea:/opt/idhub
|
||||
|
||||
idhub2:
|
||||
init: true
|
||||
image: dkr-dsg.ac.upc.edu/trustchain-oc1-orchestral/idhub:latest
|
||||
environment:
|
||||
- DEPLOYMENT=${IDHUB_DEPLOYMENT}
|
||||
- SECRET_KEY=${IDHUB_SECRET_KEY:-publicsecretisnotsecureVtmKBfxpVV47PpBCF2Nzz2H6qnbd}
|
||||
- ALLOWED_HOSTS=${IDHUB_ALLOWED_HOSTS:-*}
|
||||
- STATIC_ROOT=${IDHUB_STATIC_ROOT:-/static/}
|
||||
- MEDIA_ROOT=${IDHUB_MEDIA_ROOT:-/media/}
|
||||
- PORT=${IDHUB_PORT:-9001}
|
||||
- DJANGO_SUPERUSER_USERNAME=${IDHUB_USER}
|
||||
- DJANGO_SUPERUSER_PASSWORD=${IDHUB_PASSWD}
|
||||
- DJANGO_SUPERUSER_EMAIL=${IDHUB_EMAIL}
|
||||
- CSRF_TRUSTED_ORIGINS=https://idhub.demo.pangea.org
|
||||
- DEFAULT_FROM_EMAIL=${IDHUB_DEFAULT_FROM_EMAIL}
|
||||
- EMAIL_HOST=${IDHUB_EMAIL_HOST}
|
||||
- EMAIL_HOST_USER=${IDHUB_EMAIL_HOST_USER}
|
||||
- EMAIL_HOST_PASSWORD=${IDHUB_EMAIL_HOST_PASSWORD}
|
||||
- EMAIL_PORT=${IDHUB_EMAIL_PORT}
|
||||
- EMAIL_USE_TLS=${IDHUB_EMAIL_USE_TLS}
|
||||
- EMAIL_BACKEND=${IDHUB_EMAIL_BACKEND}
|
||||
- RESPONSE_URI=https://idhub.demo.pangea.org/oidc4vp/
|
||||
- ALLOW_CODE_URI=https://idhub.demo.pangea.org/oidc4vp/allow_code
|
||||
- SUPPORTED_CREDENTIALS=['MembershipCard']
|
||||
- SYNC_ORG_DEV=${IDHUB_SYNC_ORG_DEV}
|
||||
- ORG_FILE=examples/organizations__pilot_pangea.csv
|
||||
ports:
|
||||
- 9022:9002
|
||||
volumes:
|
||||
- ./idhub2__pilot-pangea:/opt/idhub
|
||||
|
||||
# from https://goauthentik.io/docs/installation/docker-compose
|
||||
# https://goauthentik.io/docker-compose.yml
|
||||
ga_postgresql:
|
||||
|
|
|
|||
|
|
@ -25,6 +25,8 @@ services:
|
|||
- RESPONSE_URI=https://idhub1-setem.demo.pangea.org/oidc4vp/
|
||||
- ALLOW_CODE_URI=https://idhub1-setem.demo.pangea.org/oidc4vp/allow_code
|
||||
- SUPPORTED_CREDENTIALS=['MembershipCard']
|
||||
- SYNC_ORG_DEV=${IDHUB_SYNC_ORG_DEV}
|
||||
- ORG_FILE=examples/organizations__pilot_setem.csv
|
||||
ports:
|
||||
- 9011:9001
|
||||
volumes:
|
||||
|
|
@ -55,6 +57,8 @@ services:
|
|||
- RESPONSE_URI=https://idhub2-setem.demo.pangea.org/oidc4vp/
|
||||
- ALLOW_CODE_URI=https://idhub2-setem.demo.pangea.org/oidc4vp/allow_code
|
||||
- SUPPORTED_CREDENTIALS=['MembershipCard']
|
||||
- SYNC_ORG_DEV=${IDHUB_SYNC_ORG_DEV}
|
||||
- ORG_FILE=examples/organizations__pilot_setem.csv
|
||||
ports:
|
||||
- 9012:9002
|
||||
volumes:
|
||||
|
|
|
|||
|
|
@ -25,6 +25,8 @@ services:
|
|||
- RESPONSE_URI=https://idhub1-xo9b.demo.pangea.org/oidc4vp/
|
||||
- ALLOW_CODE_URI=https://idhub1-xo9b.demo.pangea.org/oidc4vp/allow_code
|
||||
- SUPPORTED_CREDENTIALS=['MembershipCard']
|
||||
- SYNC_ORG_DEV=${IDHUB_SYNC_ORG_DEV}
|
||||
- ORG_FILE=examples/organizations__pilot_xo9b.csv
|
||||
ports:
|
||||
- 9001:9001
|
||||
volumes:
|
||||
|
|
@ -55,6 +57,8 @@ services:
|
|||
- RESPONSE_URI=https://idhub2-xo9b.demo.pangea.org/oidc4vp/
|
||||
- ALLOW_CODE_URI=https://idhub2-xo9b.demo.pangea.org/oidc4vp/allow_code
|
||||
- SUPPORTED_CREDENTIALS=['MembershipCard']
|
||||
- SYNC_ORG_DEV=${IDHUB_SYNC_ORG_DEV}
|
||||
- ORG_FILE=examples/organizations__pilot_xo9b.csv
|
||||
ports:
|
||||
- 9002:9002
|
||||
volumes:
|
||||
|
|
|
|||
Reference in a new issue