@pauljamescleary
oidc {
# this enables openid instead of ldap for logins
enabled = true
# your open ID instance info
authorization-endpoint = "https://id.redhatsso.com:8593/auth/realms/Test/protocol/openid-connect/auth"
token-endpoint = "https://id.redhatsso.com:8593/auth/realms/Test/protocol/openid-connect/token"
jwks-endpoint = "https://id.redhatsso.com:8593/auth/realms/Test/protocol/openid-connect/certs"
logout-endpoint = "https://id.redhatsso.com:8593/auth/realms/Test/protocol/openid-connect/logout"
tenant-id = ""
client-id = "x"
secret = "x"
# not required, defaults to values below
scope = "email"
# this should be the base URL for your vinyldns portal instance
redirect-uri = "http://vinyldns.com:9001"
# field in the jwt representing the user's firstname
jwt-firstname-field = "FirstName"
# field in the jwt representing the user's lastname
jwt-lastname-field = "LastName"
# field in the jwt representing the user's username
jwt-username-field = "USER_NAME"
# field in the jwt representing the user's email. not required, defaults to "email"
jwt-email-field = "mail"
}
Hi @pauljamescleary , i'm trying to create a new dotted record of type A, I got the impression that it is possible after looking at the "ok.hosts" file, i'm not sure how to make it work but currently when i try to create a dotted record i get the following error:
HTTP 422 (Unprocessable Entity): Record with name bla2.bla.com and type A is a dotted host which is not allowed in zone bla.com.- here meaning at Comcast
As far as that specific error, it appears as though VinylDNS is getting a
500 response code back when attempting the OIDC authentication
also, the callback URL will be in your case
http://vinyldns.com:9001/callback/<uuid>, I know some OIDC providers struggle with a random login id inserted in there
It is not signed yet, as we are still working on automating that process
Also, looking in the code, a few things:
- we look for a field named tid in the token response that is used to match up to what you configured for tenant-id in the config file
- we look for a field named "aud" in the token response that is used to match up to what you configured for the client-id in the config file
The good news is that it appears as though you are further along in the authentication flow based on what I am looking at.
I wonder if you are seeing a log entry like
Token issue for user $user; tenantId = $tid, appId = $aid
Hi, @pauljamescleary , I did get the error u mentioned, the token issue one, the issue appears to happen because the tenant id is "None" at all times.
I'm using keycloak and to my understanding keycloak uses "realms" instead of tenants, the configuration doesnt work when i specify my realm in the tenant field, is there a different field for a realm?
I'm using keycloak and to my understanding keycloak uses "realms" instead of tenants, the configuration doesnt work when i specify my realm in the tenant field, is there a different field for a realm?
@ozopz I opened the PR to make tenantid optional. In reality, should use OIDC and ws discovery for OIDC flows. That code is not ready yet. Here is the PR - vinyldns/vinyldns#1031
I'm a little unclear on the prereqs.
this seems to indicate that mysql can be used as a message queue: https://www.vinyldns.io/operator/pre.html#message-queues
But this page doesn't mention it:
https://www.vinyldns.io/operator/setup-mysql.html
we are not an AWS customer and I'm unlikely to get the OK to become one :/
I can only python :/ or I'd maybe try to help
My guess is that there's probably no reason for an org your size to have spent time on this, either: https://tools.ietf.org/html/rfc2317
For A+PTR entries
No delete ability since that is horribly destructive
and needs even more access controls
If we do that, then phase 2 we could add role based access controls, and have a "create zone" privilege more generally. The other option is an ACL construct that allows subdomains to be created, it could live globally or on a zone.