mathieuancelin revised this gist
Apr 8, 2020 . 2 changed files with 117 additions and 1 deletion.There are no files selected for viewing
@@ -0,0 +1,107 @@ { "clientId": "otoroshi", "name": "otoroshi", "description": "otoroshi", "rootUrl": "http://localhost:8080", "adminUrl": "http://localhost:8080/*", "surrogateAuthRequired": false, "enabled": true, "alwaysDisplayInConsole": false, "clientAuthenticatorType": "client-x509", "redirectUris": [ "http://localhost:8080/*", "http://privateapps.oto.tools:9999/*" ], "webOrigins": [ "http://localhost:8080" ], "notBefore": 0, "bearerOnly": false, "consentRequired": false, "standardFlowEnabled": true, "implicitFlowEnabled": false, "directAccessGrantsEnabled": true, "serviceAccountsEnabled": true, "authorizationServicesEnabled": true, "publicClient": false, "frontchannelLogout": false, "protocol": "openid-connect", "attributes": { "saml.assertion.signature": "false", "x509.subjectdn": "CN=oto", "saml.force.post.binding": "false", "saml.multivalued.roles": "false", "saml.encrypt": "false", "saml.server.signature": "false", "saml.server.signature.keyinfo.ext": "false", "exclude.session.state.from.auth.response": "false", "saml_force_name_id_format": "false", "saml.client.signature": "false", "tls.client.certificate.bound.access.tokens": "true", "saml.authnstatement": "false", "display.on.consent.screen": "false", "saml.onetimeuse.condition": "false" }, "authenticationFlowBindingOverrides": {}, "fullScopeAllowed": true, "nodeReRegistrationTimeout": -1, "protocolMappers": [ { "name": "Client ID", "protocol": "openid-connect", "protocolMapper": "oidc-usersessionmodel-note-mapper", "consentRequired": false, "config": { "user.session.note": "clientId", "id.token.claim": "true", "access.token.claim": "true", "claim.name": "clientId", "jsonType.label": "String" } }, { "name": "Client Host", "protocol": "openid-connect", "protocolMapper": "oidc-usersessionmodel-note-mapper", "consentRequired": false, "config": { "user.session.note": "clientHost", "id.token.claim": "true", "access.token.claim": "true", "claim.name": "clientHost", "jsonType.label": "String" } }, { "name": 
"Client IP Address", "protocol": "openid-connect", "protocolMapper": "oidc-usersessionmodel-note-mapper", "consentRequired": false, "config": { "user.session.note": "clientAddress", "id.token.claim": "true", "access.token.claim": "true", "claim.name": "clientAddress", "jsonType.label": "String" } } ], "defaultClientScopes": [ "web-origins", "role_list", "roles", "profile", "email" ], "optionalClientScopes": [ "address", "phone", "offline_access", "microprofile-jwt" ], "access": { "view": true, "configure": true, "manage": true } } This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -26,6 +26,12 @@ openssl rsa -in $BASE/certs/izanami-client.key -out $BASE/certs/izanami-client.k openssl req -new -key $BASE/certs/izanami-client.key -out $BASE/certs/izanami-client.csr -subj "/CN=izanami" openssl x509 -req -days 365 -sha256 -in $BASE/certs/izanami-client.csr -CA $BASE/certs/ca-client.cer -CAkey $BASE/certs/ca-client.key -set_serial 2 -out $BASE/certs/izanami-client.cer openssl genrsa -out $BASE/certs/oto-client.key 2048 openssl rsa -in $BASE/certs/oto-client.key -out $BASE/certs/oto-client.key openssl req -new -key $BASE/certs/oto-client.key -out $BASE/certs/oto-client.csr -subj "/CN=oto" openssl x509 -req -days 365 -sha256 -in $BASE/certs/oto-client.csr -CA $BASE/certs/ca-client.cer -CAkey $BASE/certs/ca-client.key -set_serial 2 -out $BASE/certs/oto-client.cer cd $BASE mkdir $BASE/keycloak-tls 
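Review bot: The `redirectUris` entries in this client export end in a trailing wildcard (`"http://localhost:8080/*"`, `"http://privateapps.oto.tools:9999/*"`), which widens the set of URLs an authorization code may be delivered to from the one callback the client uses to every path on those hosts, and both are plain http. Replace each wildcard with the exact callback path, and move to an https origin once this leaves local development. In the same object `"directAccessGrantsEnabled": true` switches on the password grant and `"fullScopeAllowed": true` puts every realm role into the issued tokens; both are broader than a client authenticated by `client-x509` with a pinned `"x509.subjectdn": "CN=oto"` needs, so set them to `false` unless a caller depends on them. The `"tls.client.certificate.bound.access.tokens": "true"` attribute is the right direction for an mTLS client and should stay.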
@@ -44,7 +50,10 @@ docker run -d -p 8080:8080 -p 8443:8443 \ -v "$(pwd)/keycloak-tls/tls.crt:/etc/x509/https/tls.crt" \ -v "$(pwd)/keycloak-tls/tls.key:/etc/x509/https/tls.key" \ -v "$(pwd)/keycloak-tls/ca-client.bundle:/etc/x509/https/ca-client.bundle" \ -e "X509_CA_BUNDLE=/etc/x509/https/ca-client.bundle" \ -e "KEYCLOAK_USER=admin" \ -e "KEYCLOAK_PASSWORD=password" \ jboss/keycloak wait 30 -
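Review bot: The new `openssl x509 -req ... -set_serial 2 -out $BASE/certs/oto-client.cer` line in the first hunk issues the oto client certificate under `ca-client` with the same serial number the izanami client certificate already received from that CA a few lines earlier; RFC 5280 requires serials to be unique per issuer, and software that indexes certificates by issuer and serial (Firefox's `SEC_ERROR_REUSED_ISSUER_AND_SERIAL` is the classic symptom) may reject or conflate the second one. Change it to `-set_serial 3`, or switch both signings to `-CAcreateserial` so openssl keeps the counter itself. In the second hunk, `-e "KEYCLOAK_USER=admin"` and `-e "KEYCLOAK_PASSWORD=password"` hard-code the admin credential while the existing `-p 8080:8080` publishes the port on every interface; reading the password from an environment variable and binding with `-p 127.0.0.1:8080:8080` keeps this dev stack from being reachable with a known password from outside the host.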
mathieuancelin created this gist
Apr 7, 2020 .There are no files selected for viewing
@@ -0,0 +1,57 @@ BASE=`pwd` rm -rf $BASE/keycloak-tls rm -rf $BASE/certs mkdir -p $BASE/certs cd certs openssl genrsa -out $BASE/certs/ca-keycloak.key 2048 openssl rsa -in $BASE/certs/ca-keycloak.key -out $BASE/certs/ca-keycloak.key openssl req -new -x509 -sha256 -days 365 -key $BASE/certs/ca-keycloak.key -out $BASE/certs/ca-keycloak.cer -subj "/CN=keycloak-ca" openssl genrsa -out $BASE/certs/ca-client.key 2048 openssl rsa -in $BASE/certs/ca-client.key -out $BASE/certs/ca-client.key openssl req -new -x509 -sha256 -days 365 -key $BASE/certs/ca-client.key -out $BASE/certs/ca-client.cer -subj "/CN=client-ca" openssl genrsa -out $BASE/certs/keycloak-server.key 2048 openssl rsa -in $BASE/certs/keycloak-server.key -out $BASE/certs/keycloak-server.key openssl req -new -key $BASE/certs/keycloak-server.key -sha256 -out $BASE/certs/keycloak-server.csr -subj "/CN=localhost" openssl x509 -req -days 365 -sha256 -in $BASE/certs/keycloak-server.csr -CA $BASE/certs/ca-keycloak.cer -CAkey $BASE/certs/ca-keycloak.key -set_serial 1 -out $BASE/certs/keycloak-server.cer openssl genrsa -out $BASE/certs/izanami-client.key 2048 openssl rsa -in $BASE/certs/izanami-client.key -out $BASE/certs/izanami-client.key openssl req -new -key $BASE/certs/izanami-client.key -out $BASE/certs/izanami-client.csr -subj "/CN=izanami" openssl x509 -req -days 365 -sha256 -in $BASE/certs/izanami-client.csr -CA $BASE/certs/ca-client.cer -CAkey $BASE/certs/ca-client.key -set_serial 2 -out $BASE/certs/izanami-client.cer cd $BASE mkdir $BASE/keycloak-tls cp $BASE/certs/keycloak-server.cer $BASE/keycloak-tls/tls.crt cp $BASE/certs/keycloak-server.key $BASE/keycloak-tls/tls.key echo "" >> $BASE/keycloak-tls/tls.crt cat $BASE/certs/ca-keycloak.cer >> $BASE/keycloak-tls/tls.crt cp $BASE/certs/ca-client.key $BASE/keycloak-tls/ca-client.bundle echo "" >> $BASE/keycloak-tls/ca-client.bundle cat $BASE/certs/ca-client.cer >> $BASE/keycloak-tls/ca-client.bundle cd $BASE docker run -d -p 8080:8080 -p 8443:8443 \ -v 
"$(pwd)/keycloak-tls/tls.crt:/etc/x509/https/tls.crt" \ -v "$(pwd)/keycloak-tls/tls.key:/etc/x509/https/tls.key" \ -v "$(pwd)/keycloak-tls/ca-client.bundle:/etc/x509/https/ca-client.bundle" \ -e "X509_CA_BUNDLE=/etc/x509/https/ca-client.bundle" jboss/keycloak wait 30 openssl s_client -connect localhost:8443 > tls-opt.txt # ne rend pas la main, il faut appuyer sur entrer curl -k -v https://localhost:8443 # works because of -f curl -v https://localhost:8443 --cacert ./certs/ca-keycloak.cer # works because no client cert but good server CA curl -v https://localhost:8443 --cacert ./certs/ca-keycloak.cer --key ./certs/keycloak-server.key --cert ./certs/keycloak-server.cer # fails curl -v https://localhost:8443 --cacert ./certs/ca-keycloak.cer --key ./certs/izanami-client.key --cert ./certs/izanami-client.cer # works docker kill $(docker ps -q) # WARNING kills everything
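Review bot: `cp $BASE/certs/ca-client.key $BASE/keycloak-tls/ca-client.bundle` seeds the bundle mounted into the container as `X509_CA_BUNDLE` with the client CA's private key; the trust bundle only needs the CA certificate, which the following `cat $BASE/certs/ca-client.cer >> ...` already appends, and with the key inside the container anyone who can read that volume or exec into it can issue client certificates the server will accept. Change the line to `cp $BASE/certs/ca-client.cer $BASE/keycloak-tls/ca-client.bundle` and drop the `echo`/`cat` append that follows it. Two smaller points: the comment on `curl -k -v https://localhost:8443 # works because of -f` names the wrong flag (it is `-k` that disables verification), and `tls.key` is copied with the default umask, so a `chmod 600 $BASE/keycloak-tls/tls.key` after the `cp` is worth adding.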