feat: support open id connect (#211)

* feat: support open id connect

* Update auth_backend_deploy.yaml

---------

Co-authored-by: liuyu <>

frameworks/app-service/config/cluster/deploy/appservice_deploy.yaml

@@ -153,7 +153,7 @@ spec:
       serviceAccount: os-internal
       containers:
       - name: app-service
-        image: beclab/app-service:0.2.15
+        image: beclab/app-service:0.2.16
         imagePullPolicy: IfNotPresent
         securityContext:
           runAsUser: 0

frameworks/bfl/config/launcher/templates/bfl_deploy.yaml

@@ -289,7 +289,7 @@ spec:
           value: v0.1.0
 
       - name: ingress
-        image: beclab/bfl-ingress:v0.2.9
+        image: beclab/bfl-ingress:v0.2.10
         imagePullPolicy: IfNotPresent
         volumeMounts:
         - name: ngxlog

third-party/authelia/config/cluster/deploy/auth_backend_deploy.yaml

@@ -4,16 +4,19 @@
 {{- $auth_secret := (lookup "v1" "Secret" .Release.Namespace "authelia-secrets") -}}
 {{- $jwt_secret := "" -}}
 {{- $session_secret := "" -}}
+{{- $hmac_secret := "" -}}
 {{- $encryption_key := "" -}}
 {{- $redis_password := "" -}}
 {{ if $auth_secret -}}
 {{- $jwt_secret = (index $auth_secret "data" "jwt_secret") -}}
 {{- $session_secret = (index $auth_secret "data" "session_secret") -}}
+{{- $hmac_secret = (index $auth_secret "data" "hmac_secret") -}}
 {{- $encryption_key = (index $auth_secret "data" "encryption_key") -}}
 {{- $redis_password = (index $auth_secret "data" "redis_password") -}}
 {{ else -}}
 {{ $jwt_secret = randAlphaNum 16 | b64enc }}
 {{ $session_secret = randAlphaNum 16 | b64enc }}
+{{ $hmac_secret = randAlphaNum 16 | b64enc }}
 {{ $encryption_key = randAlphaNum 32 | b64enc }}
 {{ $redis_password = randAlphaNum 16 | b64enc }}
 {{- end -}}
@@ -28,6 +31,7 @@ type: Opaque
 data:
   jwt_secret: {{ $jwt_secret }}
   session_secret: {{ $session_secret }}
+  hmac_secret: {{ $hmac_secret }}
   encryption_key: {{ $encryption_key }}
   redis_password: {{ $redis_password }}
 
@@ -104,7 +108,132 @@ data:
       disable_startup_check: false
       filesystem:
         filename: /app/notification.txt
-
+    identity_providers:
+      oidc:
+        hmac_secret: {{ $hmac_secret | b64dec }}
+        issuer_certificate_chain: |
+          -----BEGIN CERTIFICATE-----
+          MIIFDTCCAvWgAwIBAgIUTY+5CtZNunClFgmYWiqPsR96k60wDQYJKoZIhvcNAQEL
+          BQAwFjEUMBIGA1UEAwwLZXhhbXBsZS5jb20wHhcNMjQwNzA0MDcwMzMyWhcNMjUw
+          NzA0MDcwMzMyWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTCCAiIwDQYJKoZIhvcN
+          AQEBBQADggIPADCCAgoCggIBAJ1/Z5iEMdkVNiR4moMLjtIvqgWnkjG3RAQH+f+M
+          KiKBNoD1lKNJyZ8Pi0ntCcwb7Gcb1sFf5Pu9mP+i/rn+PJQMSx/r/QYhUa+0t9V4
+          NVsGTettGEfcUtzQsyJtO7DGCUqcX1p7Kum1FOyTK1ENgTR5wnRLeIAbtTDZmZWl
+          R8Y5NMDS67j6tGImY2R0pvI9i9J6I5ZXln/lj/6J8cIlJX+wY3RV/uo4cSAZ1Ng+
+          zfP9S9H1+5l4s8Glf8FnQ0aplfcIEZh+K7sxufubZL57Z14R9rHIUq38knBLfJDZ
+          3Xx8zWqVO0/Sm9hUJ4IaohC1TjBpywJ9bHwrXHZbbwCKfDvSWcxfO+1gs0F63a6/
+          o34TYN9s3yamsootBoy9xIZN/jghLkVGGh2YH7yBdLrOA/Y+SbqpsySc+hBsHSTO
+          0CJ06WCCf1QGgaPvRGaNg49+0pmODb5yrtsAQpmSe9PKkpwRHy8AvPwKvF225HjX
+          16luku1XbzACOZCKXd8mosEJtpBa5lsR5OiGzbXN/ZKtF12Jl2/gNJ32qTiWninK
+          3A5VXz+C1lPNFB5/PfJSYsOdHiTXvCVqP9oHPDhETcb271VhfeQ4CHjI06uBiYeW
+          tXxEJVj1gDpSqTFmSO9fdfAFt+OM8ljmxZ22yUdoKgYhH5z9teJ8Rs2ehhUOVO9I
+          H72tAgMBAAGjUzBRMB0GA1UdDgQWBBS4/5RB4sjqsOTIuCPJkEW66TTeoTAfBgNV
+          HSMEGDAWgBS4/5RB4sjqsOTIuCPJkEW66TTeoTAPBgNVHRMBAf8EBTADAQH/MA0G
+          CSqGSIb3DQEBCwUAA4ICAQA7RkClRVWgUnmuUuoN5PfCj2rEHQ2PmucOEBjr09kF
+          orSifS7xAuzVlA77I+t+NAN9UfgMXh2ar1J0Z0XPi1KBZ2aC9Jb0M0EShIYPYaF0
+          I3PQuDamswV2QEifWmJnuSrhvhLVMtxN/XOsGHzG0xtlPInD7KRkfTpOgZFyNbQ8
+          ud+aGXq+w5AK/sYgFJfBR1y4DCCSL/BGHg4PZjh+u5oZLkfI6f9CMqZNw/hpzxFu
+          p9xmvjiMF1PuxiA1c5mUuWEsPepwfzSQLH254+6tvaAW+MBC5Q5H1Q0EPkQUZQLf
+          wVNmQYCak8b4gf872o7OsPi5pJHCUBATZw33bzz280XuSxU3hxnmTbVO6IHUyFo2
+          mTmajQfRNn6KPUJl06M+AvCpovpOxVT8iRmPOnigw86CRdWpAvPleMdR/TuV1QLH
+          2gzOtFbKu+Cy8aoJHQBiL9vD7Odn+fLw0PrQXM1b0SSmJ9dv489fjQHIh9rlFxOI
+          j52MZr7P+4iMZSMhwV5SzUuotVFYPGd3OMoa3ilkI+ZzgXDuMZRU2Tt9MRU/V9vH
+          5BHN5aLWNKwPyjjVFj2jaHVAk9GHht/33jbHj666X+KdJ4Hq67xy69/1/tBSKYe9
+          1oC+QpNhZtiUmnU3NGDDvEk3lZU9zDR51pQf1o0pV+o1BGBeDa5jmHSvelif/w5b
+          uQ==
+          -----END CERTIFICATE-----
+        issuer_private_key: |
+          -----BEGIN PRIVATE KEY-----
+          MIIJQwIBADANBgkqhkiG9w0BAQEFAASCCS0wggkpAgEAAoICAQCdf2eYhDHZFTYk
+          eJqDC47SL6oFp5Ixt0QEB/n/jCoigTaA9ZSjScmfD4tJ7QnMG+xnG9bBX+T7vZj/
+          ov65/jyUDEsf6/0GIVGvtLfVeDVbBk3rbRhH3FLc0LMibTuwxglKnF9aeyrptRTs
+          kytRDYE0ecJ0S3iAG7Uw2ZmVpUfGOTTA0uu4+rRiJmNkdKbyPYvSeiOWV5Z/5Y/+
+          ifHCJSV/sGN0Vf7qOHEgGdTYPs3z/UvR9fuZeLPBpX/BZ0NGqZX3CBGYfiu7Mbn7
+          m2S+e2deEfaxyFKt/JJwS3yQ2d18fM1qlTtP0pvYVCeCGqIQtU4wacsCfWx8K1x2
+          W28Ainw70lnMXzvtYLNBet2uv6N+E2DfbN8mprKKLQaMvcSGTf44IS5FRhodmB+8
+          gXS6zgP2Pkm6qbMknPoQbB0kztAidOlggn9UBoGj70RmjYOPftKZjg2+cq7bAEKZ
+          knvTypKcER8vALz8CrxdtuR419epbpLtV28wAjmQil3fJqLBCbaQWuZbEeTohs21
+          zf2SrRddiZdv4DSd9qk4lp4pytwOVV8/gtZTzRQefz3yUmLDnR4k17wlaj/aBzw4
+          RE3G9u9VYX3kOAh4yNOrgYmHlrV8RCVY9YA6UqkxZkjvX3XwBbfjjPJY5sWdtslH
+          aCoGIR+c/bXifEbNnoYVDlTvSB+9rQIDAQABAoICAA8QydsYAiCu27//XWBdsaq/
+          bnceAWkKC9KK5MoiIUGttIX/d9lqzIOPnBZVO1Ov9Bwk2JUk1CWUjFcfw1gNTsQm
+          rOT/0PNOKp8xHUipOAleAAQeKm1tUOvYdto7MrOFLgxaCvD/ySoT7U14AnO9Y/ee
+          EhDHy14NyHZEymE7LzNx827ifjPyn2CoJWfNlM6lPoPCtTbDaB0R24VQsrSMkxq0
+          x76wHzNOdNvKPMb2swK83wzVh9y1ZBSI/UCF3TScMkEwH2bD4vEEH7NGuQtTiJ7B
+          /yQgcnA8MdHWFrNQc9Rdp9SjM8o97jRyUFksrQYGIdWVuRqi3sa96xlTQ7n8hUeZ
+          JFoS4h8FQQDDYKWQU/zuAyrKCNoDn+KlK/UdYBgIGSZa3/pf5sM3UHTqFjMrgWvD
+          92FaipyUK643nXQjbvJ4nekRQFUssx5NgkhlH3ottwGwLRzPXSceidZlQJrJ/Nht
+          XXcZEeWG2KGRzayDj2l/Fml4CNWoxXGe171uAj1XvP/xm4mdOSzXEOTMxsCoBf3r
+          YOeMm1470hLHDQ8rEo42fJSt0JJkOPX4ygEgwYPuy57FlJhVYUARNrOl0Xn2MetU
+          d/Kc/oLZ9rnVLumZSo6USm28xLMJRRF2tjA6eH2sSw/NQ0HkEXa6urF7LAlCcSvy
+          SvouOvLzWOM7d93gx2ahAoIBAQDXRbTJzawLG3LnRoVRXI37U0++nMOG3M5DhDOZ
+          FazqiVGP+moCKn9PCaM3yzab2ew+2SkPDIoOwnk4cj/tYUeqU+J31PeopwwY/vo1
+          +zECiBHpCktMxNPQwphqGQkHaGgODQ+pTyTSyTc9J651rnzTrlsjmp9X2xs8SWeg
+          PTmig7GnC96UXJ2ZW5RMoQlevP/qMjgexxAiOY10NQHERJXpSO+OZgRZqQ8cHpTy
+          +ydXUAM8+/pfKKYCacZ12nM8bg3Gk3SmQPnwx8Fz2tLpg8NMiJtMtbvDqLtBmlb6
+          sU2WsoV4TINX1uLSmQHmvVVcJAz+hOmvq2MQmGZIQpWJuFpFAoIBAQC7S39g/U6h
+          q1NmaMZSuy/hKmZD0J3Trhy7TJi2DNYyCbAhyesIbrxL9UxZ6QFzmZdv+jagAHAN
+          5nmK/PGA5MBt3vgNd4C1jq3c3Ni0J1StU9LwPcOTRizEY6rJR3ieBOcw7xD8fOJ/
+          793PkILzs+6i+2qdQZGKBdQSxYUiMus/aRzpXp9AXm7vVcvYXDEmjWmx5rYUshVG
+          UJvbUnvGU8sx3RgynxmOUIy5AFU3HULUVzGvhWiqaIesLUToFyDxMGc8sjOVfYHY
+          rSR+Rv3YmKzN6yUBwSaj5865qlnOYY+Tif+dM1L+J6na3FhgkkhfnEbMzY7c0EqR
+          XYIqmwOYNgBJAoIBAHZCuf2++kujyazaJfU7dlhiPUXG0vdsp/eZUctAiBzUUTVa
+          aRBFjmi6L6s//QEDZ/Bi1laJGfLfzT5ALXRX48njiV8xZNiG5HN657PuCc+NNuGi
+          IRnMa1yc+qQWmsoyBi/p5vepHd6aYbk76nCF6ddUSoc1s2HNYZnt7XqvB9GKrXbK
+          Y313n7CXCdJLCV29UI21BvWJgAh9O4Nid1T+JKjiw4+j5bHn2QAmoMcXSFaEAzNm
+          bfYG26QpvbgSyQmin/i+GvAWc/hdlJ3z0bgtBYYu6bnrgHoNYMm6YxwXeTtXWVFs
+          Hx+LUlJFcjDzREh5GZZdKA+0hJiiUFZUFdhxqU0CggEBAK2Q2FlMRNsjRuVngSpX
+          15YFUcHUiP4KowubfwVuPe0e9z9IvGsTG6IUjw3fFP5IvoMB0C9UWIM5Kzd3EmLN
+          Gdp3v03Tic42i75aVuQUcq8xOBB0XFKVvJS+fB2NAyUFDC5XzVj+bnP7GIXquMAY
+          5bPZ48IZakMLBa3jp2263DDmOum1S0U+ffWDf6VgQhglAmbfk6r4ISkJOHX2KUfw
+          jSQHbQ40TF2LHe2vdkjd7/mRWDT9H7KTre8MAIhILrn0jic8SPtm1La0NVZkeYeI
+          bNNi7ueCVEmeXv/F8vWDiadDQkMuteFbZlewzKGpzjH0Q9Q1Rggxanjtu9u5zYn3
+          uSkCggEBAMtRkICZpBDXHLMzXmeeMP754SON2/mbqNwZJFrDbbUxNo+OCfVNzFsN
+          CPTJ4wZyXhO2rxRkZbZqSTRWCboOqjqcEInSMZK/bpG6Mn/w0sBVKShzaBwj+h9o
+          7Oy2jg+hrLs/CNCFVWajO/Emrl18qQXNj0lp5M9vnhkn4GLFCRDdwcsWPxoPjg5x
+          Rx+4apd5v54xVCiTMqA6UtoE3CYX6MAAxGS7eN31bFtGeUhfMZW/ikKyy0C4mgVK
+          2AUQXmrLiuGFXjkHox5Ib9NeLk7j0JejykkcKvmIXoc+w4lPM+W0jBXGCwfhkR5u
+          1lfw6aleWRKlBuNJVrNWcNzUavPcNcQ=
+          -----END PRIVATE KEY-----
+        access_token_lifespan: 1h
+        authorize_code_lifespan: 1m
+        id_token_lifespan: 1h
+        refresh_token_lifespan: 90m
+        enable_client_debug_messages: false
+        enforce_pkce: public_clients_only
+        cors:
+          endpoints:
+            - authorization
+            - token
+            - revocation
+            - introspection
+        clients:
+          - id: example
+            description: example
+            secret: '$pbkdf2-sha512$310000$c8p78n7pUMln0jzvd4aK4Q$JNRBzwAo0ek5qKn50cFzzvE9RXV88h1wJn5KGiHrD0YKtZaR/nCb2CJPOsKaPK0hjf.9yHxzQGZziziccp6Yng'  # The digest of 'insecure_secret'.
+            sector_identifier: ''
+            public: false
+            authorization_policy: two_factor
+            consent_mode: implicit
+            pre_configured_consent_duration: 1w
+            audience: []
+            scopes:
+              - openid
+              - groups
+              - email
+              - profile
+            redirect_uris:
+              - https://www.example.com/auth/auth/openid_connect/callback
+            grant_types:
+              - refresh_token
+              - authorization_code
+            response_types:
+              - code
+            response_modes:
+              - form_post
+              - query
+              - fragment
+            userinfo_signing_algorithm: none
   # users_database.yaml: |
   #   users:
   #     authelia:
@@ -145,7 +274,7 @@ spec:
       serviceAccount: os-internal
       containers:
       - name: authelia
-        image: beclab/auth:0.1.30
+        image: beclab/auth:0.1.31
         imagePullPolicy: IfNotPresent
         ports:
         - containerPort: 9091