# VPNAuth
OAuth2/OIDC Server recognizing users based on their IP.
## The idea
The idea of VPNAuth is that you only need to log into your VPN; from then on you are logged into your apps automatically,
because you are recognized by the static IP your VPN assigns you.
## Set-up
I recommend using the ``flake.nix`` to install the project on NixOS.
VPNAuth automatically generates the SQLite database and the ``config.json`` in the directory the process runs from.
### The Database
You need to apply the EF Core migrations to create and update the database as VPNAuth needs it.
The recommended way to do that is described
[here](https://learn.microsoft.com/en-us/ef/core/managing-schemas/migrations/applying?tabs=dotnet-core-cli#sql-scripts).
### The Config
Here is an example ``config.json`` with explanations:
```json
{
  "Users": [ // A list with the user objects.
    {
      "Username": "tim", // The username of the user.
      "Ips": [ // A list with the IPs of the user as strings; the server uses them to recognize the user.
        "127.0.0.1"
      ]
    }
  ],
  "Apps": [ // A list with the app objects that the users can log into.
    {
      "ClientId": "test-app", // The client id of the app used in the OAuth2 flow.
      "RedirectUri": "http://127.0.0.1:8082/api/oauth2-redirect", // The user gets redirected to this URI when they accept or deny the login request.
      "Secret": "mysecret", // The app secret used in the OAuth2 flow.
      "AllowedUsers": ["tim"] // This key is OPTIONAL - when provided, only the users whose username is listed here (as a string) can log into the app.
    }
  ]
}
```
(Remember that this config, as shown, is not valid JSON because the standard does not allow comments; strip them before use.)
## Endpoints
| Uri | Protocol | Description | Response status codes and their meaning |
|-----|----------|-------------|------------------------------------------|
| ``/auth`` | OAuth | Authorization request - initializes the authorization process | / |
| ``/access-token`` | OAuth | Endpoint where the client requests the access token with the issued code in the PKCE challenge | - ``400``: the form is missing required parameters<br/>- ``403``: client secret or code challenge is wrong<br/>- ``404``: invalid auth code |
| ``/user-info`` | OIDC | Endpoint where the client requests information about the user | - ``405``: request method is not ``GET`` or ``POST``<br/>- ``400``/``401``: invalid authorization header<br/>- ``403``: invalid token or not all required scopes<br/>- ``204``: user has not set any user information yet |
You can find out how to reach me [here](https://bytim.eu/contact) if you have any questions or feedback.
**The [OAuth2](https://datatracker.ietf.org/doc/html/rfc6749), [PKCE](https://datatracker.ietf.org/doc/html/rfc7636)
and [OIDC](https://openid.net/specs/openid-connect-core-1_0.html) Protocols are not fully implemented!**