[GNUnet-SVN] [gnunet] branch master updated: update docs for reclaim


From: gnunet
Subject: [GNUnet-SVN] [gnunet] branch master updated: update docs for reclaim
Date: Sat, 08 Sep 2018 09:11:47 +0200

This is an automated email from the git hooks/post-receive script.

martin-schanzenbach pushed a commit to branch master
in repository gnunet.

The following commit(s) were added to refs/heads/master by this push:
     new 965845e9c update docs for reclaim
965845e9c is described below

commit 965845e9c3612f40c4761d843f807f613fd635e9
Author: Schanzenbach, Martin <address@hidden>
AuthorDate: Sat Sep 8 09:11:44 2018 +0200

    update docs for reclaim
---
 doc/documentation/chapters/user.texi | 119 ++++++++++++++++++++++++++++++++++-
 1 file changed, 117 insertions(+), 2 deletions(-)

diff --git a/doc/documentation/chapters/user.texi 
b/doc/documentation/chapters/user.texi
index 50b795197..9a5c41d34 100644
--- a/doc/documentation/chapters/user.texi
+++ b/doc/documentation/chapters/user.texi
@@ -1972,7 +1972,7 @@ $ gnunet-reclaim -e "friend" -T (TODO there is only a 
REST API for this ATM)
 If you want to revoke the access of a third party to your attributes you can 
execute:
 
 @example
-$ gnunet-idp -e "username" -R "ticket"
+$ gnunet-reclaim -e "username" -R "ticket"
 @end example
 
 This will prevent the third party from accessing the attribute in the future.
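Review bot: the hunk's own context line still carries a placeholder, "(TODO there is only a REST API for this ATM)", in the `gnunet-reclaim -e "friend" -T` example just above the changed lines; since this commit is updating the reclaim docs and renaming `gnunet-idp` to `gnunet-reclaim` in the revoke example, it would be worth resolving or removing that TODO in the same pass so the rendered manual does not ship an unfinished note. The rename itself is consistent with the surrounding text, which already refers to `gnunet-reclaim`.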
@@ -1983,7 +1983,122 @@ This behaviour is _exactly the same_ as with other IdPs.
 @node Using the OpenID-Connect IdP
 @subsection Using the OpenID-Connect IdP
 
-TODO: Document setup and REST endpoints
address@hidden Preliminaries
address@hidden Preliminaries
+
address@hidden
+$ gnunet-identity -C id
+$ openssl genrsa -des3 -passout pass:xxxx -out server.pass.key 2048
+$ openssl rsa -passin pass:xxxx -in server.pass.key -out 
/etc/reclaim/reclaim.id.key
+$ rm server.pass.key
+$ openssl req -new -key /etc/reclaim/reclaim.id.key -out server.csr \
+  -subj "/CN=reclaim.id.local"
+$ openssl x509 -req -days 365 -in server.csr -signkey 
/etc/reclaim/reclaim.id.key -out /etc/reclaim/reclaim.id.crt
+$ openssl x509 -in /etc/reclaim/reclaim.id.crt -out 
/etc/reclaim/reclaim.id.der -outform DER
+$ HEXCERT=`xxd -p /etc/reclaim/reclaim.id.der | tr -d '\n'`
+$ BOXVALUE="6 443 52 3 0 0 $HEXCERT"
+$ gnunet-namestore -z id -a -n reclaim -t A -V "127.0.0.1" -e 1d -p
+$ gnunet-namestore -z id -a -n reclaim -t LEHO -V "reclaim.id.local" -e 1d -p
+$ gnunet-namestore -z id -a -n reclaim -t BOX -V "$BOXVALUE" -e 1d -p
address@hidden example
+
+NGINX setup:
address@hidden
+server {
+    listen 443;
+    server_name reclaim.id.local;
+    ssl on;
+    ssl_certificate /etc/reclaim/reclaim.id.crt;
+    ssl_certificate_key /etc/reclaim/reclaim.id.key;
+    ssl_session_timeout 30m;
+    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+    ssl_session_cache shared:SSL:10m;
+
+    location /api {
+      rewrite    /api/(.*) /$1 break;
+      proxy_pass http://127.0.0.1:7776;
+    }
+}
address@hidden example
+
+This will expose the REST API of GNUnet at https://reclaim.id/api.
+
address@hidden For Users
address@hidden For Users
+
+To use the OpenID Connect Identity Provider as an end user, you must first 
intall the User Interface from TODOINSERTURLHERE.
+
+Start the user interface using:
+
address@hidden
+$ yarn run build --prod
address@hidden example
+
+Now setup a webserver to serve the compiled website under "dist/".
+
+Now we can add the user interfce to our NGINX configuraiton:
+
address@hidden
+server {
+...
+    location / {
+      proxy_pass http://<whereever you serve the UI>;
+    }
+}
address@hidden example
+
+You can thest your setup by accessing https://reclaim.id in your browser 
through the GNS proxy.
+
address@hidden For Service Providers
address@hidden For Service Providers
+
+To setup an OpenID Connect client, it must first be registered.
+In reclaim, client registration is done by creating a client identity and 
adding the redirect URI and client description into its namespace:
+
address@hidden
+$ gnunet-identity -C <rp_name>
+$ gnunet-namestore -z <rp_name> -a -n "+" -t RECLAIM_OIDC_REDIRECT -V 
<redirect_uri> -e 1d -p
+$ gnunet-namestore -z <rp_name> -a -n "+" -t RECLAIM_OIDC_CLIENT -V "My OIDC 
Client" -e 1d -p
address@hidden example
+
+You can now use the OpenID Connect REST endpoints exposed by reclaim.
+
+To request authorization from a user, your webapplication should initiate the 
OpenID Connect Authorization Flow like this:
address@hidden
+$ 
https://reclaim.id/openid/authorize?redirect_uri=<redirect_uri>&client_id=<RP_PKEY>&response_type=code&nonce=1234&scope=attribute1
 attribute2 ...
address@hidden example
+
+You should choose a random number for the nonce parameter. The RP_KEY is the 
public key corresponding to the <rp_name> identity.
+
+The redirect URI is the URI that you expect the user to return to within the 
OpenID Connect authorization code flow.
+
+When the user returns to your redirect URI, you can exchange it for an access 
token at the OpenID Token endpoint.
+The authentication at the token endpoint is performed using the configured 
password (PSW) in the reclaim configuration (reclaim.conf). To set it execute:
+
address@hidden
+$ gnunet-config -s reclaim-rest-plugin -o PSW -V <secret>
address@hidden example
+
+To retrieve the access token, you can access the token endpoint through the 
proxy like this:
+
address@hidden
+$ curl --socks5-hostname 127.0.0.1:7777 \
+       -X POST \
+       
https://reclaim.id/openid/token?grant_type=authorization_code&redirect_uri=<redirect_uri>&code=<code>
 \
+       -u <RP_KEY>:<secret>
address@hidden example
+
+If successful, this will return a JSON object containing an ID Token and 
Access Token.
+The Access Token can be used to access the OpenID Connect userinfo endpoint:
+
address@hidden
+$ curl --socks5-hostname 127.0.0.1:7777 \
+       -X POST \
+       https://reclaim.id/openid/userinfo\
+       -H 'Authorization: Bearer <access_token>'
address@hidden example
+
+
 
 @node Using the Virtual Public Network
 @section Using the Virtual Public Network
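Review bot: the NGINX example in the Preliminaries block enables deprecated protocol versions with `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;`; since this is a copy-paste template for operators, it should list only `TLSv1.2` (and `TLSv1.3` where the NGINX build supports it), and `ssl on;` should be replaced by `listen 443 ssl;`, as the standalone `ssl` directive is deprecated. The private key is written to `/etc/reclaim/reclaim.id.key` without any note on file permissions, and the same key is first created with `-passout pass:xxxx` and then decrypted, so the passphrase step adds nothing; a one-line remark on restricting the key file would help readers more. In the Service Providers section, the authorize URL uses `client_id=<RP_PKEY>` while the following prose and the `curl -u <RP_KEY>:<secret>` example use `RP_KEY`; pick one name. The text on the token endpoint should also make explicit that `PSW` is a single secret set in `reclaim.conf` via `gnunet-config -s reclaim-rest-plugin -o PSW -V <secret>` and therefore shared by every relying party using this instance, which is a security property operators need to understand before exposing the endpoint. Finally, the user-facing text still contains the placeholder `TODOINSERTURLHERE` and the typos "intall", "interfce", "configuraiton", "thest", "whereever" and "webapplication"; the `$ https://reclaim.id/openid/authorize?...` example is also not a shell command and should not carry a `$` prompt.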
