feat: Improve Passwordless Flow, and set Asymc enc

K-FOSS · Sep 22, 2021 · 3486197 · 3486197
1 parent 40629a4
commit 3486197
Show file tree

Hide file tree

Showing 4 changed files with 45 additions and 21 deletions.
diff --git a/Apps/Template/main.tf b/Apps/Template/main.tf
@@ -38,13 +38,6 @@ provider "consul" {
   address = "core0.site1.kristianjones.dev:8500"
 }
 
-provider "authentik" {
-  url   = var.URL
-  token = var.Token
-  # Optionally set insecure to ignore TLS Certificates
-  # insecure = true
-}
-
 resource "authentik_application" "Application" {
   name = "${var.AppName}"
   slug = "${var.AppName}-auth"
@@ -71,6 +64,8 @@ resource "authentik_provider_oauth2" "OID" {
   client_secret      = random_password.ClientSecret.result
 
   authorization_flow = var.AuthorizationFlow.UUID
+
+  jwt_alg = "RS256"
 }
 
 resource "authentik_policy_expression" "policy" {

diff --git a/Apps/Template/variables.tf b/Apps/Template/variables.tf
@@ -2,18 +2,22 @@ variable "AppName" {
   type = string
 }
 
-variable "AuthorizationFlow" {
-  type = object({
-    UUID = string
+variable "OpenID" {
+  value = object({
+    URL = string
+
+    RedirectURL = any
   })
-}
 
-variable "URL" {
-  type = string
+  default = {
+    URL = "https://auth.kristianjones.dev"
+  }
 }
 
-variable "Token" {
-  type = string
+variable "AuthorizationFlow" {
+  type = object({
+    UUID = string
+  })
 }
 
 variable "VaultPath" {

diff --git a/Flows/BasePasswordless/main.tf b/Flows/BasePasswordless/main.tf
@@ -18,6 +18,11 @@ terraform {
   }
 }
 
+resource "authentik_stage_identification" "UserIdentification" {
+  name           = "person-ident"
+  user_fields    = ["username", "email"]
+}
+
 resource "authentik_stage_authenticator_webauthn" "Passwordless" {
   name = "basewebauthn-passwordless-core"
 }
@@ -29,8 +34,15 @@ resource "authentik_flow" "Flow" {
   designation = "authorization"
 }
 
-resource "authentik_flow_stage_binding" "FlowBinding" {
+resource "authentik_flow_stage_binding" "UserIdentification" {
   target = authentik_flow.Flow.uuid
-  stage  = authentik_stage_authenticator_webauthn.Passwordless.id
+
+  stage  = authentik_stage_identification.UserIdentification.id
   order  = 0
+}
+
+resource "authentik_flow_stage_binding" "WebAuthnBinding" {
+  target = authentik_flow.Flow.uuid
+  stage  = authentik_stage_authenticator_webauthn.Passwordless.id
+  order  = 10
 }
diff --git a/main.tf b/main.tf
@@ -60,15 +60,28 @@ module "BasePasswordlessFlow" {
 # Applications
 #
 
+#
+# Pomerium
+#
+
 module "PomeriumApp" {
   source = "./Apps/Template"
 
   AppName = "pomeriumproxy"
 
   AuthorizationFlow = module.BasePasswordlessFlow.Flow
 
-  URL   = module.Vault.Authentik.URL
-  Token = module.Vault.Authentik.Token
-
   VaultPath = module.Vault.Authentik.VaultPath
-}
+
+  OpenID = {
+    URL = "https://auth.kristianjones.dev"
+  }
+}
+
+#
+# Hashicorp
+# 
+
+#
+# Hashicorp Vault
+#