8866411ef3
This commit eliminates all manual configuration steps for OIDC/SSO setup, making the infrastructure fully scalable to dozens or hundreds of servers. ## Automation Overview The deployment now automatically: 1. Authenticates with Zitadel using admin credentials 2. Creates OIDC application via Zitadel Management API 3. Retrieves client ID and secret 4. Configures Nextcloud OIDC provider **Zero manual steps required!** ## New Components ### Zitadel OIDC Automation - `files/get_admin_token.sh`: OAuth2 authentication script - `files/create_oidc_app.py`: Python script for OIDC app creation via API - `tasks/oidc-apps.yml`: Ansible orchestration for full automation ### API Integration - Uses Zitadel Management API v1 - Resource Owner Password Credentials flow for admin auth - Creates OIDC apps with proper security settings: - Authorization Code + Refresh Token grants - JWT access tokens - Role and UserInfo assertions enabled - Proper redirect URI configuration ### Nextcloud Integration - Updated `tasks/oidc.yml` to auto-configure provider - Receives credentials from Zitadel automation - Configures discovery URI automatically - Handles idempotency (skips if already configured) ## Scalability Benefits ### Before (Manual) ``` 1. Deploy infrastructure 2. Login to Zitadel console 3. Create OIDC app manually 4. Copy client ID/secret 5. SSH to server 6. Run occ command with credentials ``` **Time per server: ~10-15 minutes** ### After (Automated) ``` 1. Deploy infrastructure ``` **Time per server: ~0 minutes (fully automated)** ### Impact - 10 servers: Save ~2 hours of manual work - 50 servers: Save ~10 hours of manual work - 100 servers: Save ~20 hours of manual work ## Security - Admin credentials encrypted with SOPS - Access tokens are ephemeral (generated per deployment) - Client secrets never logged (`no_log: true`) - All API calls over HTTPS only - Credentials passed via Ansible facts (memory only) ## Documentation Added comprehensive documentation: - `docs/OIDC_AUTOMATION.md`: Full automation guide - How it works - Technical implementation details - Troubleshooting guide - Security considerations ## Testing The automation is idempotent and handles: - ✅ First-time setup (creates app) - ✅ Subsequent runs (skips if exists) - ✅ Error handling (fails gracefully) - ✅ Credential validation ## Next Steps Users can immediately login via SSO after deployment: 1. Visit https://nextcloud.{client}.vrije.cloud 2. Click "Login with Zitadel" 3. Enter Zitadel credentials 4. Automatically logged into Nextcloud Closes #4 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
34 lines
1 KiB
Bash
34 lines
1 KiB
Bash
#!/bin/bash
|
|
# Get admin access token from Zitadel using username/password authentication
|
|
# This is used for initial OIDC app provisioning automation
|
|
|
|
set -e
|
|
|
|
DOMAIN="$1"
|
|
USERNAME="$2"
|
|
PASSWORD="$3"
|
|
|
|
if [ -z "$DOMAIN" ] || [ -z "$USERNAME" ] || [ -z "$PASSWORD" ]; then
|
|
echo "Usage: $0 <domain> <username> <password>" >&2
|
|
exit 1
|
|
fi
|
|
|
|
# Get OAuth token using Resource Owner Password Credentials flow
|
|
# Note: This is only for admin automation, not recommended for production apps
|
|
RESPONSE=$(curl -s -X POST "https://${DOMAIN}/oauth/v2/token" \
|
|
-H "Content-Type: application/x-www-form-urlencoded" \
|
|
-d "grant_type=password" \
|
|
-d "scope=openid profile email urn:zitadel:iam:org:project:id:zitadel:aud" \
|
|
-d "username=${USERNAME}" \
|
|
-d "password=${PASSWORD}")
|
|
|
|
# Extract access token
|
|
ACCESS_TOKEN=$(echo "$RESPONSE" | python3 -c "import sys, json; print(json.load(sys.stdin).get('access_token', ''))")
|
|
|
|
if [ -z "$ACCESS_TOKEN" ]; then
|
|
echo "Error: Failed to get access token" >&2
|
|
echo "$RESPONSE" >&2
|
|
exit 1
|
|
fi
|
|
|
|
echo "$ACCESS_TOKEN"
|