1// Licensed under the Apache License, Version 2.0 (the "License");
2// you may not use this file except in compliance with the License.
3// You may obtain a copy of the License at
4//
5// http://www.apache.org/licenses/LICENSE-2.0
6//
7// Unless required by applicable law or agreed to in writing, software
8// distributed under the License is distributed on an "AS IS" BASIS,
9// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
10// See the License for the specific language governing permissions and
11// limitations under the License.
12//
13// SPDX-License-Identifier: Apache-2.0
14//! # Federation API
15//!
16//! - IDP
17//! - Mapping
18//! - Auth initialization
19//! - Auth callback
20// use utoipa::{
21// Modify, OpenApi,
22// openapi::security::{
23// AuthorizationCode, Flow, HttpAuthScheme, HttpBuilder, OAuth2, Scopes, SecurityScheme,
24// },
25// };
26// use utoipa_axum::router::OpenApiRouter;
27//
28// use crate::keystone::ServiceState;
29//
30// pub mod auth;
31// mod common;
/// Error types returned by the federation API handlers.
pub mod error;
// pub mod identity_provider;
// pub mod jwt;
// pub mod mapping;
// pub mod oidc;
/// Data types shared by the federation API (identity providers, mappings, auth flows).
pub mod types;
38//
39// /// OpenApi specification for the federation.
40// #[derive(OpenApi)]
41// #[openapi(
42// modifiers(&SecurityFederationAddon),
43// tags(
44// (name="identity_providers", description=r#"Identity providers API.
45//
// The identity provider resource allows federating users from an external Identity Provider (e.g.
// Keycloak, Azure AD).
48//
// Using an identity provider requires creating a mapping, which describes how attributes of the
// remote IdP are mapped to local users.
51//
// Identity providers with an empty domain_id are considered global, and every domain may use them
// with an appropriate mapping."#),
54// (name="mappings", description=r#"Federation mappings API.
55//
56// Mappings define how the user attributes on the remote IDP are mapped to the local user.
57//
// Mappings with an empty domain_id are considered global, and every domain may use them. Such mappings
// require the `domain_id_claim` attribute to be set so that the domain_id of the respective user can
// be identified."#),
61// )
62// )]
63// pub struct ApiDoc;
64//
65// pub fn openapi_router() -> OpenApiRouter<ServiceState> {
66// OpenApiRouter::new()
67// .nest("/identity_providers", identity_provider::openapi_router())
68// .nest("/mappings", mapping::openapi_router())
69// .merge(auth::openapi_router())
70// .merge(jwt::openapi_router())
71// .merge(oidc::openapi_router())
72// }
73//
74// struct SecurityFederationAddon;
75// impl Modify for SecurityFederationAddon {
76// fn modify(&self, openapi: &mut utoipa::openapi::OpenApi) {
77// if let Some(components) = openapi.components.as_mut() {
78// components.add_security_scheme(
79// "jwt",
80// SecurityScheme::Http(
81// HttpBuilder::new()
82// .scheme(HttpAuthScheme::Bearer)
83// .bearer_format("JWT")
84// .description(Some("JWT (ID) Token issued by the federated IDP"))
85// .build(),
86// ),
87// );
// // TODO: the authorization and token URLs below are placeholders; they must be derived
// // dynamically from the configured identity provider rather than hard-coded here.
89// components.add_security_scheme(
90// "oauth2",
91// SecurityScheme::OAuth2(OAuth2::new([Flow::AuthorizationCode(
92// AuthorizationCode::new(
93// "https://localhost/authorization/token",
94// "https://localhost/token/url",
95// Scopes::from_iter([("openid", "default scope")]),
96// ),
97// )])),
98// );
99// }
100// }
101// }