An IdP for OpenConext. A user can create and manage his own identity. Authentication uses a magic-link by default, and FIDO2 or a password can be added later.
- Java 11
- Maven 3
- MongoDB 3.4.x
- Yarn 1.x
- NodeJS
- Ansible
This project uses Spring Boot and Maven. To run locally, type:
cd myconext-server
mvn spring-boot:run -Dspring-boot.run.profiles=dev
When developing, it's convenient to just execute the applications main-method, which is in Application. Don't forget to set the active profile to dev.
The myconext client is build with Svelte and to get initially started:
cd account-gui
yarn install
yarn dev
Browse to the application homepage.
The IdP is also build with Svelte and to get initially started:
cd myconext-gui
yarn install
yarn start
There is no home page, you'll need to visit an SP and choose eduID to login.
To deploy production bundles
mvn deploy
The default mail configuration sends mails to port 1025. Install https://mailpit.axllent.org/ and capture all emails send. You can see all mails delivered at http://0.0.0.0:8025/ when mailpit is installed.
brew install mailpit
The myconext application uses a private RSA key and corresponding certificate to sign the SAML requests. We don't want to provide defaults, so in the integration tests the key / certificate pair is generated on the fly. if you want to deploy the application in an environment where the certificate needs to be registered with the Service Provider (Proxy) then you can generate a key pair with the following commands:
cd myconext/myconext-server/src/main/resources
openssl genrsa -traditional -out myconext.pem 2048
openssl req -subj '/O=Organization, CN=OIDC/' -key myconext.pem -new -x509 -days 365 -out myconext.crt
Add the key pair to the application.yml file:
private_key_path: classpath:/myconext.pem
certificate_path: classpath:/myconext.crt
If you need to register the public key in EB then issue this command and copy & paste it in Manage for the correct IdP:
cat myconext.crt |ghead -n -1 |tail -n +2 | tr -d '\n'; echo
To get an overview of the git source file's:
cloc --read-lang-def=cloc_definitions.txt --vcs=git
It's possible to migrate from an existing IdP to this IdP. A new identity will be created, and the eppn wil be copied.
curl -u oidcng:secret "http://login.test2.eduid.nl/myconext/api/attribute-manipulation?sp_entity_id=https://test.okke&uid=0eaa7fb2-4f94-476f-b3f6-c8dfc4115a87&sp_institution_guid=null"
curl -u aa:secret "https://login.test2.eduid.nl/myconext/api/attribute-aggregation?sp_entity_id=https://mijn.test2.eduid.nl/shibboleth&eduperson_principal_name=j.doe@example.com"
Endpoint to detect duplicate eduID's for SP's that have the same institutionGuid
curl -u aa:secret 'https://login.test2.eduid.nl/myconext/api/system/eduid-duplicates' | jq .
http://localhost:8081/myconext/api/swagger-ui/index.html
http://localhost:8081/myconext/api/api-docs
https://login.test2.eduid.nl/myconext/api/swagger-ui/index.html
https://login.test2.eduid.nl/myconext/api/api-docs
The redirect URI's for local development have to start with https. You can use the reverse proxy of ngrok for this. For example:
ngrok http --domain okke.harsta.eu.ngrok.io 8081
The idp_metadata.xml file contains the IdP metadata for localhost development. Import an IdP in Manage and whitelist this for the SP's you want to test with. The OIDC-Playground is capable of testing the different ACR options.