From 348619769940e657e6998c4cad5bd709a188e2c1 Mon Sep 17 00:00:00 2001
From: Kristian Jones
Date: Wed, 22 Sep 2021 12:51:29 +0000
Subject: [PATCH] feat: Improve Passwordless Flow, and set Asymc enc

---
 Apps/Template/main.tf          |  9 ++-------
 Apps/Template/variables.tf     | 20 ++++++++++++--------
 Flows/BasePasswordless/main.tf | 16 ++++++++++++++--
 main.tf                        | 21 +++++++++++++++++----
 4 files changed, 45 insertions(+), 21 deletions(-)

diff --git a/Apps/Template/main.tf b/Apps/Template/main.tf
index 7b436ab..ef9fca2 100644
--- a/Apps/Template/main.tf
+++ b/Apps/Template/main.tf
@@ -38,13 +38,6 @@ provider "consul" {
   address = "core0.site1.kristianjones.dev:8500"
 }
 
-provider "authentik" {
-  url = var.URL
-  token = var.Token
-  # Optionally set insecure to ignore TLS Certificates
-  # insecure = true
-}
-
 resource "authentik_application" "Application" {
   name = "${var.AppName}"
   slug = "${var.AppName}-auth"
@@ -71,6 +64,8 @@ resource "authentik_provider_oauth2" "OID" {
   client_secret = random_password.ClientSecret.result
 
   authorization_flow = var.AuthorizationFlow.UUID
+
+  jwt_alg = "RS256"
 }
 
 resource "authentik_policy_expression" "policy" {
diff --git a/Apps/Template/variables.tf b/Apps/Template/variables.tf
index e44eeba..e6931d9 100644
--- a/Apps/Template/variables.tf
+++ b/Apps/Template/variables.tf
@@ -2,18 +2,22 @@ variable "AppName" {
   type = string
 }
 
-variable "AuthorizationFlow" {
-  type = object({
-    UUID = string
+variable "OpenID" {
+  value = object({
+    URL = string
+
+    RedirectURL = any
   })
-}
 
-variable "URL" {
-  type = string
+  default = {
+    URL = "https://auth.kristianjones.dev"
+  }
 }
 
-variable "Token" {
-  type = string
+variable "AuthorizationFlow" {
+  type = object({
+    UUID = string
+  })
 }
 
 variable "VaultPath" {
diff --git a/Flows/BasePasswordless/main.tf b/Flows/BasePasswordless/main.tf
index 160c95a..22214ff 100644
--- a/Flows/BasePasswordless/main.tf
+++ b/Flows/BasePasswordless/main.tf
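Review bot: `jwt_alg = "RS256"` on `authentik_provider_oauth2.OID` switches token signing to an asymmetric algorithm, but nothing in this hunk attaches a signing key to the provider; with RS256 authentik signs with a certificate/key pair rather than the client secret, so unless `signing_key` is set on a line outside the hunk the provider will not be able to issue tokens. The resource body starts outside the hunk, so this is hedged on what the rest of it contains. Pair the algorithm change with an explicit key reference such as `signing_key = <authentik certificate-keypair id>` and document the dependency, e.g. `# RS256 requires signing_key; without it authentik cannot sign ID/access tokens`.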
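Review bot: `value = object({ ... })` in the new `variable "OpenID"` block is not a valid argument for a Terraform `variable` block — the type constraint is declared with `type`, so `terraform validate` will reject Apps/Template/variables.tf as written; change it to `type = object({`. Separately, the object type declares `RedirectURL` as an attribute but the `default` only supplies `URL`, so the default does not conform to its own type and will also fail validation; either include `RedirectURL = null` in the default or drop the attribute from the type until it is used. The same literal `"https://auth.kristianjones.dev"` is repeated in the root main.tf call to this module further down in the patch, which is worth consolidating into one place.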
@@ -18,6 +18,11 @@ terraform {
   }
 }
 
+resource "authentik_stage_identification" "UserIdentification" {
+  name = "person-ident"
+  user_fields = ["username", "email"]
+}
+
 resource "authentik_stage_authenticator_webauthn" "Passwordless" {
   name = "basewebauthn-passwordless-core"
 }
@@ -29,8 +34,15 @@ resource "authentik_flow" "Flow" {
   designation = "authorization"
 }
 
-resource "authentik_flow_stage_binding" "FlowBinding" {
+resource "authentik_flow_stage_binding" "UserIdentification" {
   target = authentik_flow.Flow.uuid
-  stage = authentik_stage_authenticator_webauthn.Passwordless.id
+
+  stage = authentik_stage_identification.UserIdentification.id
   order = 0
+}
+
+resource "authentik_flow_stage_binding" "WebAuthnBinding" {
+  target = authentik_flow.Flow.uuid
+  stage = authentik_stage_authenticator_webauthn.Passwordless.id
+  order = 10
 }
\ No newline at end of file
diff --git a/main.tf b/main.tf
index ed5d634..07537c0 100644
--- a/main.tf
+++ b/main.tf
@@ -60,6 +60,10 @@ module "BasePasswordlessFlow" {
 # Applications
 #
 
+#
+# Pomerium
+#
+
 module "PomeriumApp" {
   source = "./Apps/Template"
 
@@ -67,8 +71,17 @@ module "PomeriumApp" {
   AuthorizationFlow = module.BasePasswordlessFlow.Flow
 
-  URL = module.Vault.Authentik.URL
-  Token = module.Vault.Authentik.Token
-
   VaultPath = module.Vault.Authentik.VaultPath
 
-}
\ No newline at end of file
+
+  OpenID = {
+    URL = "https://auth.kristianjones.dev"
+  }
+}
+
+#
+# Hashicorp
+#
+
+#
+# Hashicorp Vault
+#
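Review bot: The new `authentik_stage_identification.UserIdentification` sets only `name` and `user_fields`, so how the stage reacts to an identifier that does or does not match an account is left to provider defaults; in a passwordless flow this stage is the only step before a WebAuthn challenge is issued for the named account, so that behaviour should be chosen deliberately and recorded in the file. Set `show_matched_user` explicitly rather than inheriting it, and add a comment above the resource such as `# Collects username/email before the WebAuthn stage; show_matched_user is set explicitly to control whether account existence is disclosed`. The same applies to `case_insensitive_matching`, since `user_fields` accepts both `username` and `email` and the two are typically matched differently.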
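Review bot: Renaming `authentik_flow_stage_binding.FlowBinding` to `UserIdentification` changes the resource address, so on the next apply Terraform will destroy the existing binding and create two new ones rather than update in place; because this flow is the live authorization flow for `module.PomeriumApp`, that leaves a window during apply in which the flow has no stages bound. If the existing binding is meant to survive, move it in state (`terraform state mv`) before applying, or keep the name `FlowBinding` for the WebAuthn binding and only add the identification binding. A one-line comment on each binding stating its position in the flow (`# order 0: identify user`, `# order 10: WebAuthn challenge`) would also make the ordering gap intentional rather than accidental.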
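Review bot: The `OpenID = { URL = "https://auth.kristianjones.dev" }` argument in `module "PomeriumApp"` hard-codes a value that the removed `URL = module.Vault.Authentik.URL` line used to read from the Vault module, and it duplicates the default declared for the same variable in Apps/Template/variables.tf; the authentik base URL now lives in three places and must be kept in sync by hand. Prefer a single source, e.g. `OpenID = { URL = module.Vault.Authentik.URL }`, or omit the argument and rely on the module default. Note also that the module's `OpenID` type declares a `RedirectURL` attribute that this object does not supply, so the call will fail the same type check raised on the variables.tf hunk; the enclosing module block starts outside this hunk.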