An IdP for OpenConext. A user can create and manage his own identity. Authentication uses a magic-link by default, and FIDO2 or a password can be added later.
- Java 21
- Maven 3
- MongoDB 3.4.x
- Yarn 1.x
- NodeJS (version 23.2.0)
- Mailpit
The docker-compose.yaml file in this project is meant for local development and contains a Mongo database and a Mailpit instance:

```bash
docker compose up -d
```

This project uses Spring Boot and Maven. To run locally, type:

```bash
cd myconext-server
mvn spring-boot:run -Dspring-boot.run.profiles=dev
```

When developing, it's convenient to just execute the application's main method, which is in Application. Don't forget to set the active profile to dev.
The IdP is also built with Svelte and to get initially started:

```bash
cd account-gui
nvm use
yarn install
yarn dev
```

There is no home page, you'll need to visit an SP and choose "Local SURFconext Guest IdP" to login. The app is running on port 3000.

The myconext ServiceProvider is built with Svelte and to get initially started:

```bash
cd myconext-gui
nvm use
yarn install
yarn dev
```

Browse to the application homepage.

The myconext servicedesk is also built with Svelte and to get initially started:

```bash
cd servicedesk-gui
yarn install
yarn dev
```

Browse to the application homepage.

The myconext public gui is built with Vite and to get initially started:

```bash
cd public-gui
yarn install
yarn dev
```

Browse to the application homepage.
To deploy production bundles:

```bash
mvn deploy
```

The default mail configuration sends mails to port 1025. Install https://mailpit.axllent.org/ to capture all emails sent. When Mailpit is installed, you can see all delivered mails at http://localhost:8025/.

If you are not using the Docker Compose file, you can install Mailpit with Brew:

```bash
brew install mailpit
```

The myconext application uses a private RSA key and corresponding certificate to sign the SAML requests. We don't want to provide defaults, so in the integration tests the key / certificate pair is generated on the fly. If you want to deploy the application in an environment where the certificate needs to be registered with the Service Provider (Proxy), then you can generate a key pair with the following commands:

```bash
cd myconext/myconext-server/src/main/resources
openssl genrsa -traditional -out myconext.pem 2048
openssl req -subj '/O=Organization, CN=OIDC/' -key myconext.pem -new -x509 -days 365 -out myconext.crt
```

Add the key pair to the application.yml file:

```yaml
private_key_path: classpath:/myconext.pem
certificate_path: classpath:/myconext.crt
```

If you need to register the public key in EB, then issue this command and copy & paste the output in Manage for the correct IdP:

```bash
cat myconext.crt |ghead -n -1 |tail -n +2 | tr -d '\n'; echo
```
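The key-pair generation and the single-line certificate export above, wrapped into a small script as an added example (not part of the myconext repository). It assumes `openssl` is on the PATH; the awk filter replaces `ghead -n -1` so the export does not need GNU coreutils, the subject is written with slash separators, and the script refuses to overwrite an existing key and checks that certificate and key actually belong together before you paste the result into Manage.

```shell
#!/bin/sh
# Added example, not code from the myconext project.

# Strip the BEGIN/END armor from a PEM file and join the base64 lines into
# one line, the form Manage expects (portable replacement for
# `ghead -n -1 | tail -n +2 | tr -d '\n'`).
pem_body() {
  awk '/^-----BEGIN |^-----END /{next} {printf "%s", $0} END{print ""}' "$1"
}

# Generate myconext.pem / myconext.crt in directory $1 with the same
# openssl invocations the README uses. Never overwrite an existing private
# key: a re-generated key silently invalidates the certificate registered
# with the Service Provider (Proxy).
generate_saml_keypair() {
  dir=$1
  if [ -e "$dir/myconext.pem" ]; then
    echo "refusing to overwrite existing $dir/myconext.pem" >&2
    return 1
  fi
  openssl genrsa -traditional -out "$dir/myconext.pem" 2048 &&
  openssl req -subj '/O=Organization/CN=OIDC' -key "$dir/myconext.pem" \
    -new -x509 -days 365 -out "$dir/myconext.crt" &&
  chmod 600 "$dir/myconext.pem"   # private key: owner-readable only
}

# Check that the certificate ($1) was issued for the private key ($2) by
# comparing the public key each one carries. Requires openssl.
keypair_matches() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
  key_pub=$(openssl pkey -in "$2" -pubout) || return 1
  [ "$cert_pub" = "$key_pub" ]
}

# Usage (uncomment to run):
#   generate_saml_keypair myconext-server/src/main/resources
#   keypair_matches myconext.crt myconext.pem && pem_body myconext.crt
```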
The GitHub actions will generate new translations if the source is changed:

```bash
yarn localicious render ./localizations.yaml ./account-gui/src/locale/ --languages en,nl --outputTypes js -c SHARED
rm -fr ./account-gui/src/locale/js/Localizable.ts
yarn localicious render ./localizations.yaml ./myconext-gui/src/locale/ --languages en,nl --outputTypes js -c SHARED
rm -fr ./myconext-gui/src/locale/js/Localizable.ts
```

To get an overview of the git source files:

```bash
cloc --read-lang-def=cloc_definitions.txt --vcs=git
```
It's possible to migrate from an existing IdP to this IdP. A new identity will be created, and the eppn will be copied.

```bash
curl -u oidcng:secret "http://login.test2.eduid.nl/myconext/api/attribute-manipulation?sp_entity_id=https://test.okke&uid=0eaa7fb2-4f94-476f-b3f6-c8dfc4115a87&sp_institution_guid=null"
curl -u aa:secret "https://login.test2.eduid.nl/myconext/api/attribute-aggregation?sp_entity_id=https://mijn.test2.eduid.nl/shibboleth&[email protected]"
```

Endpoint to detect duplicate eduIDs for SPs that have the same institutionGuid:

```bash
curl -u aa:secret 'https://login.test2.eduid.nl/myconext/api/system/eduid-duplicates' | jq .
```
http://localhost:8081/myconext/api/swagger-ui/index.html
http://localhost:8081/myconext/api/api-docs
https://login.test2.eduid.nl/myconext/api/swagger-ui/index.html
https://login.test2.eduid.nl/myconext/api/api-docs
The redirect URIs for local development have to start with https. You can use the reverse proxy of ngrok for this. For example:

```bash
ngrok http --domain okke.harsta.eu.ngrok.io 8081
```
The idp_metadata.xml file contains the IdP metadata for localhost development. Import an IdP in Manage and whitelist it for the SPs you want to test with. The OIDC-Playground is capable of testing the different ACR options.

Have the MyConext server and all 4 GUI projects running.

Note: Account-GUI starts with "Whoops… Something went wrong (404)", this is ok.

- Go to https://oidc-playground.test2.surfconext.nl/
- Check "Force authentication" and click on Submit
- Select "Local SURFconext Guest IdP" from the list
- User is [email protected], choose one-time login via e-mail
- See Mailpit for the OTP
- You get redirected back to the playground with JWT data