Re: [PATCH 3/4] Crude OpenID Connect client using Authlib

2020-06-06 Thread Frédéric Mangano-Tarumi
Lukas Fleischer [2020-06-06 08:42:05 -0400]
> > +; Passphrase FastAPI uses to sign client-side sessions.
> > +session_secret = 
> > \u6975\u79d8\u3001\u8a33\u3059\u306a\uff01\u3042\u3001\u9045\u904e\u304e\u305f\u3002
> 
> Nit: Since this is not really a secret, can we just use a plain text
> value (e.g. "secret") here? I know we had a similar discussion before,
> but I don't like the idea of having binary data in text configuration
> files since it might cause all sorts of issues with different tools (and
> even if that means the tools are bad, it's better to avoid it
> altogether).

It is plain UTF-8 already. Feel free to replace it by whatever you like.
I don’t think it deserves a new patch submission.

I realize I forgot to mention one important thing: python-authlib and
python-httpx are not yet in Arch’s repos.


Re: [PATCH 4/4] Guide to setting up Keycloak for the SSO

2020-06-06 Thread Lukas Fleischer
On Thu, 04 Jun 2020 at 16:00:34, Frédéric Mangano-Tarumi wrote:
> ---
>  conf/config.dev |  2 +-
>  doc/SSO | 38 ++

Nit: Can we name this file sso.txt, following the convention in the doc/
directory?

>  2 files changed, 39 insertions(+), 1 deletion(-)
>  create mode 100644 doc/SSO

Looks good otherwise, thanks!


Re: [PATCH 3/4] Crude OpenID Connect client using Authlib

2020-06-06 Thread Lukas Fleischer
On Thu, 04 Jun 2020 at 16:00:20, Frédéric Mangano-Tarumi wrote:
> Developers can go to /sso/login to get redirected to the SSO. On
> successful login, the ID token is displayed.
> ---
>  .gitlab-ci.yml |  3 ++-
>  TESTING|  3 ++-
>  aurweb/asgi.py | 13 +
>  aurweb/routers/__init__.py |  5 +
>  aurweb/routers/sso.py  | 30 ++
>  aurweb/spawn.py|  3 +++
>  conf/config.defaults   |  8 
>  conf/config.dev|  9 +
>  8 files changed, 72 insertions(+), 2 deletions(-)
>  create mode 100644 aurweb/routers/__init__.py
>  create mode 100644 aurweb/routers/sso.py
> [...]
> diff --git a/conf/config.dev b/conf/config.dev
> index d752f61f..27e981f8 100644
> --- a/conf/config.dev
> +++ b/conf/config.dev
> @@ -20,6 +20,12 @@ aur_location = http://127.0.0.1:8080
>  disable_http_login = 0
>  enable-maintenance = 0
>  
> +; Single sign-on
> +[sso]
> +openid_configuration = 
> http://127.0.0.1:8083/auth/realms/aurweb/.well-known/openid-configuration
> +client_id = aurweb
> +client_secret =
> +
>  [php]
>  ; Address PHP should bind when spawned in development mode by aurweb.spawn.
>  bind_address = 127.0.0.1:8081
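
Review bot: `client_secret =` in the new [sso] section is left empty with no comment, so it is unclear whether an empty value is intended for the development client or whether the developer has to paste in a value issued by the identity provider; a one-line comment above it would settle that. The `openid_configuration` URL on the line above uses plain http, which is reasonable for the 127.0.0.1 address shown, but a short comment saying that any non-loopback provider should be reached over https would keep this line from being copied unchanged into a real deployment.
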
> @@ -30,3 +36,6 @@ htmldir = YOUR_AUR_ROOT/web/html
>  [fastapi]
>  ; Address uvicorn should bind when spawned in development mode by 
> aurweb.spawn.
>  bind_address = 127.0.0.1:8082
> +
> +; Passphrase FastAPI uses to sign client-side sessions.
> +session_secret = 
> \u6975\u79d8\u3001\u8a33\u3059\u306a\uff01\u3042\u3001\u9045\u904e\u304e\u305f\u3002
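
Review bot: the `session_secret` value added at the end of the [fastapi] section is a fixed string committed to the repository, and the comment above it says it is what signs client-side sessions, so anyone who has read config.dev can forge a session on any instance that kept this value. Extend the comment to say that this is a development-only placeholder and must be replaced with a randomly generated value everywhere else. A short ASCII placeholder would also avoid the escaping and line wrapping visible in this copy of the hunk.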

Nit: Since this is not really a secret, can we just use a plain text
value (e.g. "secret") here? I know we had a similar discussion before,
but I don't like the idea of having binary data in text configuration
files since it might cause all sorts of issues with different tools (and
even if that means the tools are bad, it's better to avoid it
altogether).